Unable to join Samba 2.2.2 server to TNG PDC

Erik Persson erik at roxen.com
Fri Dec 7 08:26:03 GMT 2001


Hi,

After a lot of sweat and tears I have finally managed to get a Samba TNG
PDC working with an LDAP backend. I had to give up on Samba 2.2 as there
was always something that would break when using the LDAP backend.

Now, having Win2K clients join the domain works like a charm, but I simply
have no luck figuring out why.

I do the same thing as for the Win2K clients, that is, creating a machine
account with the default password, but when I try to join using:

wopr:/# /opt/samba/bin/smbpasswd -j TESTDOMAIN -r PDC-LIN -UAdministrator
INFO: Debug class all level = 1   (pid 23940 from pid 23940)
Password:
session setup ok
Domain=[TESTDOMAIN] OS=[Unix] Server=[Samba TNG-alpha]
Unable to join domain TESTDOMAIN.

When examining the log from the TNG smbd, the logs look almost identical in
both cases, except that the log for the W2K client is longer. Typically,
the log files look like:

--->cut here<---
Changed root to /
netbios connect: name1=PDC-LIN          name2=WOPR
Changed root to /
msrpc_process: client_name: lsarpc my_name: pdc-lin
Closing connections
Changed root to /
msrpc_process: client_name: netlogon my_name: pdc-lin
Changed root to /
msrpc_process: client_name: lsarpc my_name: pdc-lin
Connected to LDAP server
Searching in [dc=roxen,dc=com] for
[(&(ntuid=ADMINISTRATOR)(objectclass=sambaAccount))]  with scope [2]
1 matching entries found
Retrieving account [Administrator]
Closing connections
Connection closed
.
.
<repeat for numerous other LDAP searches>
.
.
Connected to LDAP server
Searching in [dc=roxen,dc=com] for
[(&(sambaMember=nobody,*)(objectclass=sambaGroup))] with scope [2]
0 matching entries found
Connection closed
Connected to LDAP server
Searching in [dc=roxen,dc=com] for
[(&(rid=1f5)(objectclass=sambaAccount))] with scope [2]
1 matching entries found
Retrieving account [nobody]
Connection closed
--->cut here<---

OK. Up to this point the log entries are almost identical, except that in
the case of the Samba client LDAP is searched for "ADMINISTRATOR" rather
than "Administrator", which should not be a problem. But now, things start
to change.

When the W2K client tries to join it looks like:

--->cut here<---
Changed root to /

msrpc_process: client_name: samr my_name: pdc-lin
ldap_connect: Connect denied: euid=60001 uid=0
ldap_connect: Connect denied: euid=60001 uid=0
Allocating new RID
ldap_connect: Connect denied: euid=60001 uid=0
Failed to add entry for user sunpci$.

Closing connections
WARNING: _lsa_open_secret: couldn't open secret_db. Possible attack?
uid=0, gid=0, euid=60001, egid=60001
_lsa_open_secret failed with 0xc0000022
Closing connections
Closing connections
Closing connections
Changed root to /
netbios connect: name1=PDC-LIN          name2=SUNPCI
Changed root to /
msrpc_process: client_name: lsarpc my_name: pdc-lin
Closing connections
Changed root to /
msrpc_process: client_name: netlogon my_name: pdc-lin
Changed root to /
msrpc_process: client_name: lsarpc my_name: pdc-lin
Closing connections
Connected to LDAP server
Searching in [dc=roxen,dc=com] for
[(&(ntuid=Administrator)(objectclass=sambaAccount))] with scope [2]
.
.
loads of more LDAP searches and other stuff
.
.
authorise_login: TODO. split function, it's 6 levels!
WARNING: _lsa_open_secret: couldn't open secret_db. Possible attack?
uid=0, gid=0, euid=60001, egid=60001
LSA_OPENSECRET: NT_STATUS_ACCESS_DENIED
WARNING: _lsa_open_secret: couldn't open secret_db. Possible attack?
uid=0, gid=0, euid=60001, egid=60001
LSA_OPENSECRET: NT_STATUS_ACCESS_DENIED
Changed root to /
msrpc_process: client_name: netlogon my_name: pdc-lin
Connected to LDAP server
.
.
more LDAP searches
.
.
--->cut here<---

Finally the procedure is done and the client has successfully joined the
domain. With the Samba client, however, this is all that happens:

--->cut here<---
Changed root to /

msrpc_process: client_name: lsarpc my_name: pdc-lin
WARNING: _lsa_open_secret: couldn't open secret_db. Possible attack?
uid=0, gid=0, euid=60001, egid=60001
Changed root to /
_lsa_open_secret failed with 0xc0000022
Closing connections
msrpc_process: client_name: samr my_name: pdc-lin
ldap_connect: Connect denied: euid=60001 uid=0
ldap_connect: Connect denied: euid=60001 uid=0
Allocating new RID
ldap_connect: Connect denied: euid=60001 uid=0
Failed to add entry for user wopr$.

Closing connections
Closing connections
Closing connections
--->cut here<---

Besides, what's with the message:

"WARNING: _lsa_open_secret: couldn't open secret_db. Possible attack?"

Any ideas?

/Erik


-- 
Erik Persson, System Manager            <erik at roxen.com>
Roxen Internet Software                 Voice:  +46 13 376817
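Added example, not part of Erik's message and not Samba TNG code: a small Python triage script that walks smbd log excerpts like the ones quoted above, tracks which MS-RPC pipe (lsarpc, samr, netlogon) smbd was serving, and records every refused privileged operation together with the uid/euid the server printed at that moment. The thing worth pulling out of both quoted logs is that every "ldap_connect: Connect denied" and every failed secret_db open carries uid=0, euid=60001: the process is root but is acting under an unprivileged effective uid exactly when it needs LDAP write access and the secrets database. The sample log below is constructed from the lines quoted in the message (the failed Samba 2.2.2 join); the regular expressions, the Finding class and the triage function are the example's own, and 0xc0000022 is mapped to NT_STATUS_ACCESS_DENIED because the quoted logs print both forms for the same failure.

```python
"""Privilege-context triage for Samba TNG smbd log excerpts (added example).

Walks a log, tracks the MS-RPC pipe being served, and records each denied
privileged operation with the real/effective ids smbd reported at that point.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, assembled from the lines quoted in the message above
# (the failed Samba 2.2.2 join): lsarpc secret lookup, then samr account add.
SAMPLE_LOG = """\
Changed root to /
msrpc_process: client_name: lsarpc my_name: pdc-lin
WARNING: _lsa_open_secret: couldn't open secret_db. Possible attack?
uid=0, gid=0, euid=60001, egid=60001
Changed root to /
_lsa_open_secret failed with 0xc0000022
Closing connections
msrpc_process: client_name: samr my_name: pdc-lin
ldap_connect: Connect denied: euid=60001 uid=0
ldap_connect: Connect denied: euid=60001 uid=0
Allocating new RID
ldap_connect: Connect denied: euid=60001 uid=0
Failed to add entry for user wopr$.
Closing connections
"""

# 0xc0000022 is NT_STATUS_ACCESS_DENIED; the quoted logs show both spellings.
NT_STATUS_NAMES = {0xC0000022: "NT_STATUS_ACCESS_DENIED"}

RE_PIPE = re.compile(r"msrpc_process: client_name: (\S+) my_name: (\S+)")
RE_LDAP_DENY = re.compile(r"ldap_connect: Connect denied: euid=(\d+) uid=(\d+)")
RE_WARN = re.compile(r"WARNING: (\w+): couldn't open (\w+)")
RE_IDS = re.compile(r"uid=(\d+), gid=(\d+), euid=(\d+), egid=(\d+)")
RE_NTSTATUS = re.compile(r"(\w+) failed with (0x[0-9a-fA-F]+)")
RE_ADD_FAIL = re.compile(r"Failed to add entry for user (\S+)\.")


@dataclass
class Finding:
    pipe: str               # RPC pipe smbd was serving ("?" before any msrpc_process line)
    operation: str          # the privileged operation that was refused
    uid: Optional[int]      # real uid printed by smbd, if the log gave one
    euid: Optional[int]     # effective uid printed by smbd, if the log gave one
    status: str = ""        # NTSTATUS name when the log reported one

    @property
    def dropped_privileges(self) -> bool:
        """Root process acting under an unprivileged effective uid."""
        return self.uid == 0 and self.euid not in (None, 0)


def parse_log(text: str) -> list[Finding]:
    """Extract one Finding per denied operation, in log order."""
    findings: list[Finding] = []
    pipe = "?"
    pending: Optional[str] = None   # WARNING line waiting for its uid/euid line
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_PIPE.match(line):
            pipe = m.group(1)
        elif m := RE_LDAP_DENY.match(line):
            findings.append(Finding(pipe, "ldap_connect", int(m.group(2)), int(m.group(1))))
        elif m := RE_WARN.match(line):
            pending = f"{m.group(1)} ({m.group(2)})"
        elif pending and (m := RE_IDS.match(line)):
            findings.append(Finding(pipe, pending, int(m.group(1)), int(m.group(3))))
            pending = None
        elif m := RE_NTSTATUS.match(line):
            name = NT_STATUS_NAMES.get(int(m.group(2), 16), m.group(2))
            # attach the status to the latest finding for that function
            for f in reversed(findings):
                if f.operation.startswith(m.group(1)) and not f.status:
                    f.status = name
                    break
        elif m := RE_ADD_FAIL.match(line):
            # this line prints no ids; carry over those of the preceding
            # denial on the same pipe, which is what the add ran under
            prev = next((f for f in reversed(findings) if f.pipe == pipe), None)
            uid, euid = (prev.uid, prev.euid) if prev else (None, None)
            findings.append(Finding(pipe, f"add account {m.group(1)}", uid, euid))
    return findings


def triage(text: str) -> dict[str, dict]:
    """Per RPC pipe: the refused operations and whether a uid/euid mismatch was present."""
    report: dict[str, dict] = {}
    for f in parse_log(text):
        entry = report.setdefault(f.pipe, {"denied": [], "privilege_drop": False})
        entry["denied"].append(f.operation + (f" -> {f.status}" if f.status else ""))
        entry["privilege_drop"] = entry["privilege_drop"] or f.dropped_privileges
    return report


if __name__ == "__main__":
    for pipe, entry in triage(SAMPLE_LOG).items():
        flag = "uid=0 but euid!=0" if entry["privilege_drop"] else "ids consistent"
        print(f"{pipe:8s} {flag}: {', '.join(entry['denied'])}")
```

Run as a script it prints one line per pipe; on the constructed sample both lsarpc and samr come out flagged, because every refusal in the log happened with real uid 0 and effective uid 60001. The script only reads a log, so the next check belongs on the PDC itself: which account owns uid 60001 there (getent passwd 60001) and whether that is the identity smbd is meant to hold while serving the samr and lsarpc pipes during a join.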
