[Samba] PDC: Linux Client can't join the domain.

Alessandro Baggi alessandro.baggi at gmail.com
Fri May 1 12:02:43 GMT 2009


Hi Adam.
Thanks for your reply. But I've not added the Computers account for  
paris$ manually. Samba gives me the error, but it also makes the entry in 
LDAP.
The entry:
    # paris$, Computers, DOMINIO
    dn: uid=paris$,ou=Computers,dc=DOMINIO
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    objectClass: sambaSamAccount
    cn: paris$
    uid: paris$
    uidNumber: 2008
    gidNumber: 515
    homeDirectory: /dev/null
    loginShell: /bin/false       
    description: Computer
    gecos: Computer
    sambaSID: S-1-5-21-1849485170-1217343015-651458238-1008
    displayName: Computer
    sambaAcctFlags: [W          ]

is created by samba with the add machine script = 
/usr/sbin/smbldap-useradd -w "%u"


Now I've deleted the paris$ machine account; when I add the client to the 
domain, the client always says Domain DOMINIO Joined, but the Samba logs 
give me:

[2009/05/01 10:55:05,  0] rpc_server/srv_netlog_nt.c:get_md4pw(306)
  get_md4pw: Workstation PARIS$: no account in domain
[2009/05/01 10:55:05,  0] 
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)
  _netr_ServerAuthenticate2: failed to get machine password for account 
PARIS$: NT_STATUS_ACCESS_DENIED

and Samba has added this entry, which differs from the previous one:

# paris$, Computers, DOMINIO
dn: uid=paris$,ou=Computers,dc=DOMINIO
uid: paris$
sambaSID: S-1-5-21-1849485170-1217343015-651458238-1010
displayName: Computer
objectClass: sambaSamAccount
objectClass: account
sambaAcctFlags: [W          ]

(PS. Sometimes it gives me an account like this; other times it gives me a 
complete account, or it says "Creation of workstation account 
failed"... and I don't know if it's a bug or a configuration problem... this 
happens only with the Linux client (Slackware 12.1).)

Then, after a valid account creation by Samba and a join with the client, 
on the Linux client I cannot log in with a user from LDAP, and when I try to 
rejoin the domain it still gives me:

[2009/05/01 10:56:54,  0] 
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(520)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. 
Rejecting auth request from client PARIS machine account PARIS$

Now I've tried another thing: I've removed the paris$ entry and added it 
manually with smbldap-useradd -w paris; the entry in LDAP is:

# paris$, Computers, DOMINIO
dn: uid=paris$,ou=Computers,dc=DOMINIO
objectClass: top
objectClass: account
objectClass: posixAccount
cn: paris$
uid: paris$
uidNumber: 2014
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

after joining, the Samba log gives:

[2009/05/01 11:26:35,  0] rpc_server/srv_netlog_nt.c:get_md4pw(306)
  get_md4pw: Workstation PARIS$: no account in domain
[2009/05/01 11:26:35,  0] 
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)
  _netr_ServerAuthenticate2: failed to get machine password for account 
PARIS$: NT_STATUS_ACCESS_DENIED

but the entry becomes:

# paris$, Computers, DOMINIO
dn: uid=paris$,ou=Computers,dc=DOMINIO
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: paris$
uid: paris$
uidNumber: 2014
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-1849485170-1217343015-651458238-1016
displayName: Computer
sambaAcctFlags: [W          ]


with another rejoin the logs give:

[2009/05/01 11:28:03,  0] 
rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(520)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. 
Rejecting auth request from client PARIS machine account PARIS$

This behaviour is the same whether I put add machine script = 
/usr/sbin/smbldap-useradd -w "%m" or add machine script = 
/usr/sbin/smbldap-useradd -w "%u" in the config file.

Is it possible that the problem concerns the Slackware client? The Samba 
version of the client is 3.0.28a.

Thanks in advance.
                  
Adam Williams wrote:
> paris$ should not have a SID until it creates it upon joining the 
> domain.  You should not have done smbpasswd -a -m paris, so if you 
> did, do smbpasswd -x paris\$ and try rejoining.
>
> Alessandro Baggi wrote:
>> Hi there. I have a problem using Samba as a Primary Domain 
>> Controller with an LDAP backend. Version release (Samba 3.2.5, OpenLDAP 
>> 2.4.11) on Debian Lenny.
>> When I try to join the domain with a Windows XP Pro client, all works 
>> fine... profile updating, logon, etc., but when I try to join the 
>> domain with a Linux client (Slackware 12.1) I get different errors:
>>
>>
>> client:~# net rpc join -U root%password
>> Joined Domain DOMINIO.
>>
>> and in samba log (log.__ffff_10.1.4.85):
>>
>> [2009/04/30 13:45:42,  0] rpc_server/srv_netlog_nt.c:get_md4pw(306)
>>  get_md4pw: Workstation PARIS$: no account in domain
>> [2009/04/30 13:45:42,  0] 
>> rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)
>>  _netr_ServerAuthenticate2: failed to get machine password for 
>> account PARIS$: NT_STATUS_ACCESS_DENIED
>>
>> and Samba adds an entry (computer account) for paris$:
>>
>> # paris$, Computers, DOMINIO
>> dn: uid=paris$,ou=Computers,dc=DOMINIO
>> objectClass: top
>> objectClass: account
>> objectClass: posixAccount
>> objectClass: sambaSamAccount
>> cn: paris$
>> uid: paris$
>> uidNumber: 2008
>> gidNumber: 515
>> homeDirectory: /dev/null
>> loginShell: /bin/false
>> description: Computer
>> gecos: Computer
>> sambaSID: S-1-5-21-1849485170-1217343015-651458238-1008
>> displayName: Computer
>> sambaAcctFlags: [W          ]
>>
>> Then I try to log out from the client and log in with a user in 
>> LDAP (I've tried with a PosixAccount and a SambaAccount), but it 
>> doesn't work.
>> If I try again to rejoin the domain, the client side gives me: Joined 
>> Domain DOMINIO., but the Samba log (log.__ffff_10.1.4.85) gives me:
>>
>> [2009/04/30 13:48:07,  0] 
>> rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(520)
>>  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. 
>> Rejecting auth request from client PARIS machine account PARIS$
>>
>> and I can't log in on the client side. These problems occur only when 
>> trying to join the domain from a simple Linux client.
>> I've also removed the entire LDAP db and repopulated it, but the problem 
>> persists.
>>
>> Is this a client configuration problem or a server (PDC) configuration 
>> problem? Samba? Or OpenLDAP?
>>
>>
>> Thanks in advance for the help.
>>
>
>
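One way to spot the difference between the complete and the half-created paris$ entries quoted in this thread, as an added example that is not part of the original posts or of Samba/smbldap-tools: a small LDIF audit that flags computer accounts missing the object classes and attributes a complete smbldap-tools machine account carries. The required set and the sample LDIF below are assumptions constructed from the entries quoted above.

```python
# Constructed example (not from the thread): audit Samba computer accounts in an
# LDIF dump. The required set below is an assumption taken from the complete
# smbldap-tools entry quoted in the thread, not from Samba's own schema rules.
REQUIRED_CLASSES = {"top", "account", "posixAccount", "sambaSamAccount"}
REQUIRED_ATTRS = {"cn", "uidNumber", "gidNumber", "sambaSID", "sambaAcctFlags"}

SAMPLE_LDIF = """\
# constructed sample: a complete account followed by a half-created one
dn: uid=paris$,ou=Computers,dc=DOMINIO
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: paris$
uid: paris$
uidNumber: 2008
gidNumber: 515
sambaSID: S-1-5-21-1849485170-1217343015-651458238-1008
sambaAcctFlags: [W          ]

dn: uid=paris$,ou=Computers,dc=DOMINIO
uid: paris$
sambaSID: S-1-5-21-1849485170-1217343015-651458238-1010
objectClass: sambaSamAccount
objectClass: account
sambaAcctFlags: [W          ]
"""

def parse_ldif(text):
    """Minimal LDIF parser: '#' comment lines skipped, a blank line ends an entry."""
    entries = []
    for block in text.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit_machine_account(entry):
    """Problems in one computer-account entry; an empty list means it looks complete."""
    problems = []
    if not entry.get("uid", [""])[0].endswith("$"):
        problems.append("uid does not end with '$'")
    for cls in sorted(REQUIRED_CLASSES - set(entry.get("objectClass", []))):
        problems.append("missing objectClass " + cls)
    for attr in sorted(REQUIRED_ATTRS - set(entry)):
        problems.append("missing attribute " + attr)
    if "W" not in entry.get("sambaAcctFlags", [""])[0]:
        problems.append("sambaAcctFlags lacks the W (workstation) flag")
    return problems
```

Running `audit_machine_account` over `parse_ldif(SAMPLE_LDIF)` reports nothing for the first entry and lists the missing top/posixAccount classes and cn/uidNumber/gidNumber attributes for the second, which is the shape of the broken account the thread describes.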