Unable to join domain
Eric.Wallace at nsc.com
Wed Nov 14 13:05:06 GMT 2001
Thanks to Will Schmidt and Kenneth Hadley for their responses, Samba is now a somewhat happy member server in the NT4 domain...
### FYI: Getting Samba to join an NT Domain ###
The trick was this: adding a Samba server to the domain works much like adding an NT box... You can either:
(a) add the NetBIOS name to the domain in Server Mangler (as a domain admin), then the Samba server can configure itself _without_ the Administrator password using 'smbpasswd -j DOMAIN -r PDC'
(b) just run 'smbpasswd -j DOMAIN -r PDC -UAdministrator%yourpasswordhere' with an NT domain admin password.
(Neither the old O'Reilly "Using Samba" book nor the latest "security = domain ..." HOWTO make this distinction clear. If whomever wrote the docs would like assistance in adding some more detail here, I'd be happy to help--I'm getting quite intimate with Samba now!)
If after Samba says it has become a happy domain member and it still won't authenticate (with Globals "security = domain" and "password server = *"), you'll see some tell-tale signs.
1.) The log entries show the following, one list for each domain controller, until it finally defaults to the local 'smbpasswd' file.
[2001/11/06 12:43:06, 0] ././rpc_client/cli_netlogon.c:cli_net_auth2(160)
cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2001/11/06 12:43:06, 0] ././rpc_client/cli_login.c:cli_nt_setup_creds(72)
cli_nt_setup_creds: auth2 challenge failed
[2001/11/06 12:43:06, 0] ././smbd/password.c:connect_to_domain_password_server(1372)
connect_to_domain_password_server: unable to setup the PDC credentials to machine PDC. Error was : NT_STATUS_ACCESS_DENIED.
...and so on...
2.) The NT domain controllers are auditing (logging) security success/failure, so here's the message from Event Manager:
The session setup from the computer SAMBA failed to authenticate.
The name of the account referenced in the security database is SAMBA$.
The following error occurred: Access is denied.
Micro$oft comments on these errors in KB article Q175024 (http://support.microsoft.com/support/kb/articles/q175/0/24.asp?id=175024&SD=MSKB), but their suggestion doesn't work for Samba. Better just remove your Samba server from the domain with Server Manager, wait for it to flush, then delete or rename 'secret.tdb' and retry with step (a) above.
Eric W. Wallace
I.S. Infrastructure Sr. System Engineer
eric.wallace at nsc.com
More information about the samba-ntdom