[Samba] 0 length domain name & SCHANNEL can't be used to fetch trust account password?

Linda Walsh samba at tlinx.org
Wed Jan 13 18:33:23 MST 2010 

I have a few errors I'm trying to chase down in an effort to get a
Win7 client in my domain.  WinXP works -- tested unjoining and
rejoining today, and it can still join.

I have the registry adds for DNSNameResolutionRequired=0 under
LanmanServer&Client/Params (put it in both places in attempt to get
things working), as well as a DomainCompatibilityMode=1

I've tried moving to winbind for some flexibility, and it led me
down an interesting path with some log messages on startup:

initialize_winbindd_cache: clearing cache and re-creating with version number
1
[2010/01/13 15:46:06,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
 Added domain BUILTIN  S-1-5-32
[2010/01/13 15:46:06,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
 Added domain BLISS  S-1-5-21-33333-77777-33333
[2010/01/13 15:46:08,  0] libsmb/namequery.c:75(saf_store)
 saf_store: refusing to store 0 length domain or servername!
[2010/01/13 15:46:08,  1] rpc_client/cli_pipe.c:948(cli_pipe_validate_current_pd
u)
 cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR receiv
ed from host ISHTAR!

Anyone seen an error about 0 length names before?

The OP_RNG error led me to try some ops with net rpc on ishtar.

I tried a "net rpc samdump" and got:

get_schannel_session_key: could not fetch trust account password for domain 'BLISS'
cli_rpc_pipe_open_schannel: failed to get schannel session key from server 127.0.0.1 for domain BLISS.
Could not initialise schannel netlogon pipe. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO

----

I presume this isn't just a 'noise level' problem?  How can I
re-initialize the schannel session key for Bliss?

I even tried changing the trustpassword to see if that would reset
the the schannel key.  It failed due to an inability to get the
schannel session key.

Also, maybe it's unimportant, but with winbind running, I tried to
fetch the DC name for my domain with "wbinfo --getdcname 'Bliss'",
but it returned "Could not get dc name for Bliss". Should this work
with samba 3.4.3 ?

The Windows client goes from getting 'Domain name can't be found" to
"Access Denied" depending on combinations of the Sign/Seal level of
security and NTLM/LM/NTLMv2 params (trying various combinations.
Note: I've tried the identical settings of the XP client without
success).


Anyone solved these problems or seen them before?

Thanks,
Linda

More information about the samba mailing list