[Samba] Must you "net join" for the Samba machine to become a domain member?
Karnowski, David
dkarnowski at etrade.com
Fri Jan 20 00:00:18 GMT 2006
>> If it must "join" the domain why doesn't Samba try to join the domain
>> automatically (if it's not already joined) using the credentials of
>> the first user who tries to map a drive?
> Probably because a normal user trying to map a drive isn't a Domain
> Admin, and generally only Domain Admins can add computers into domains.
> I think you misunderstand the purpose of joining a domain. You don't
> join with specific credentials (e.g. a user mapping a drive), you use a
> domain admin's credentials to add Samba into the domain, which means
> from that point forward Samba is "allowed" to ask the domain to
> check passwords instead of doing so itself. This is greatly
> simplified, but until Samba is a member of the domain you'll usually be
> prompted for a password.
>> It appears to me that I must "net join" the domain from the Samba
>> server for this to work. Is this correct? Are there alternatives?
> There's no need. If I understand the process correctly, once you've
> added Samba to the domain (while logged in as a Domain Admin) Samba
> creates its own login name and password (a 'machine' account.) From
> this point on Samba logs in with these credentials whenever it needs
> access to the domain - anything from getting a list of users to
> checking whether the supplied password is correct.
Thanks for your detailed response Adam.
The thing is that we already manually added the server to the domain
(i.e. created a "computer account" for the Samba machine in the domain
manually using the standard Windows GUI tools). The reason, in my case,
I believe I have to do a "net join" is to populate the "private/secrets.tdb"
with some ID of the domain I'm interested in. I noticed that when I
start the Samba daemons (without first doing a "net join") and then try to
map a drive, it automatically finds info on some of our domains ("WINPROD"
& "VTIDEV.CA") but not the one I'm interested in ("CORP"). Below is part of
the log when I try to map a drive without first doing the "net join". If I
do the "net join" then the "private/secrets.tdb" gets populated for the
"CORP" domain and then the drive mapping works fine. So I guess my question
is: How does Samba automatically discover the info for some domains and not
others? Where is it getting this discovery from? And what can I do to make
it discover the domain I'm interested in ("CORP") without having to do a
"net join"?
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
trustdom_store: storing SID S-1-5-21-73586283-436374069-725345543 of domain WINPROD
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
Adding cache entry with key = TDOM/WINPROD; value = S-1-5-21-73586283-436374069-725345543 and timeout = Thu Jan 19 18:58:35 2006
(600 seconds ahead)
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
trustdom_store: storing SID S-1-5-21-968365403-1350775402-1971066577 of domain VTIDEV.CA
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
Adding cache entry with key = TDOM/VTIDEV.CA; value = S-1-5-21-968365403-1350775402-1971066577 and timeout = Thu Jan 19 18:58:35 2006
(600 seconds ahead)
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
Adding cache entry with key = TDOMCACHE/TIMESTAMP; value = 1137714515 and timeout = Thu Jan 19 18:58:35 2006
(600 seconds ahead)
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_get(285)
Cache entry with key = TDOM/CORP couldn't be found
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
no entry for trusted domain CORP found.
...
[2006/01/19 18:48:36, 6] auth/auth_sam.c:check_samstrict_security(379)
check_samstrict_security: CORP is not one of my local names (ROLE_DOMAIN_MEMBER)
...
[2006/01/19 18:48:36, 5] passdb/secrets.c:secrets_fetch_trust_account_password(288)
secrets_fetch failed!
[2006/01/19 18:48:36, 0] auth/auth_domain.c:check_ntdomain_security(284)
check_ntdomain_security: could not fetch trust account password for domain 'CORP'
[2006/01/19 18:48:36, 5] auth/auth.c:check_ntlm_password(271)
check_ntlm_password: winbind authentication for user [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2006/01/19 18:48:36, 2] auth/auth.c:check_ntlm_password(317)
check_ntlm_password: Authentication for user [dkarnows] -> [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
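Added here as an illustration, not part of the original post or of Samba itself: a small Python parser for the debug output quoted above. It separates domains whose SIDs Samba learned through trusted-domain enumeration (the TDOM cache entries) from a domain for which secrets.tdb holds no machine trust account password, which is the condition a missing "net join" produces, and it flags the resulting NT_STATUS_CANT_ACCESS_DOMAIN_INFO logon failures. The regular expressions are written against the exact message texts in the post (Samba 3-era format); the sample log is a constructed copy of those lines with the archive's line wrapping removed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the debug lines from the post, with the
# mailing-list archive's 80-column wrapping undone so each message is one line.
SAMPLE_LOG = """\
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
trustdom_store: storing SID S-1-5-21-73586283-436374069-725345543 of domain WINPROD
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
Adding cache entry with key = TDOM/WINPROD; value = S-1-5-21-73586283-436374069-725345543 and timeout = Thu Jan 19 18:58:35 2006
(600 seconds ahead)
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
trustdom_store: storing SID S-1-5-21-968365403-1350775402-1971066577 of domain VTIDEV.CA
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_get(285)
Cache entry with key = TDOM/CORP couldn't be found
[2006/01/19 18:48:36, 5] passdb/secrets.c:secrets_fetch_trust_account_password(288)
secrets_fetch failed!
[2006/01/19 18:48:36, 0] auth/auth_domain.c:check_ntdomain_security(284)
check_ntdomain_security: could not fetch trust account password for domain 'CORP'
[2006/01/19 18:48:36, 2] auth/auth.c:check_ntlm_password(317)
check_ntlm_password: Authentication for user [dkarnows] -> [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
"""

# Samba 3 debug output is a header line "[date time, level] file:function(line)"
# followed by one or more message lines; these patterns match the messages above.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), *(\d+)\] (\S+)$")
SID_STORE = re.compile(r"storing SID (S-1-5-[\d-]+) of domain (\S+)")
CACHE_MISS = re.compile(r"key = TDOM/(\S+) couldn't be found")
NO_TRUST_PW = re.compile(r"could not fetch trust account password for domain '([^']+)'")
AUTH_FAIL = re.compile(r"Authentication for user \[([^\]]+)\] -> \[([^\]]+)\] FAILED with error (NT_STATUS_\w+)")


@dataclass
class TrustReport:
    trusted_domains: dict = field(default_factory=dict)       # domain -> SID from trust enumeration
    cache_misses: set = field(default_factory=set)            # TDOM/<domain> lookups that missed
    missing_trust_password: set = field(default_factory=set)  # domains with no secret in secrets.tdb
    auth_failures: list = field(default_factory=list)         # (user, NT_STATUS code)
    errors: list = field(default_factory=list)                # messages logged at level 0 (visible at default log level)


def parse_samba_log(text):
    """Walk header/message pairs and collect the trust-related facts."""
    report = TrustReport()
    level = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            level = int(m.group(2))
            continue
        if level == 0:
            report.errors.append(line)
        m = SID_STORE.search(line)
        if m:
            report.trusted_domains[m.group(2)] = m.group(1)
            continue
        m = CACHE_MISS.search(line)
        if m:
            report.cache_misses.add(m.group(1))
            continue
        m = NO_TRUST_PW.search(line)
        if m:
            report.missing_trust_password.add(m.group(1))
            continue
        m = AUTH_FAIL.search(line)
        if m:
            report.auth_failures.append((m.group(1), m.group(3)))
    return report


def diagnose(report):
    """Turn the parsed facts into findings an administrator can act on."""
    findings = []
    for dom in sorted(report.missing_trust_password):
        if dom in report.trusted_domains:
            findings.append(f"{dom}: SID learned via trust enumeration, but secrets.tdb has no trust account password for it")
        else:
            findings.append(f"{dom}: absent from the trusted-domain cache and no trust account password in secrets.tdb; this host has not joined {dom}")
    for user, status in report.auth_failures:
        if status == "NT_STATUS_CANT_ACCESS_DOMAIN_INFO":
            findings.append(f"logon for [{user}] failed with {status}: the server could not use the domain at all, a join problem rather than a wrong password")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_samba_log(SAMPLE_LOG)):
        print(finding)
```

Run against a real log at "log level = 10" the parser distinguishes the two cases the post asks about: a domain that shows up only because the domain controller enumerated it as a trust (SID cached under TDOM/<name>, no secret needed) versus the domain the server must itself be a member of, where the missing secrets.tdb entry is what breaks the logon.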