W2008RC1 Samba 3.2 Join Fails with NT_STATUS_WRONG_PASSWORD

Matt Geddes musicalcarrion at gmail.com
Wed Jan 23 20:09:42 GMT 2008


On Jan 22, 2008 2:05 AM, David Holder <david.holder at erion.co.uk> wrote:

> Specifcally I am getting:
> # net ads join -Uadministrator%password123!

It' s not an shell escaping problem, is it? That exclamation mark
might disappear once the shell gets to it.

That being said, I've taken a look at your packet captures and I can
see why you can't change the password on the machine account.

Leighton's DCE/RPC book has two characters transposed (can't find the
page now...) on the flags field set in the samr createuser2 (and
others) function and it seems like all-but-one instance of these flags
across the Samba source have the same problem. It's a permissions mask
on the created account and by using the wrong value, we're preventing
ourselves from changing our own machine account password.

This isn't a Windows 2008 specific problem -- I can reproduce it
against Windows 2003 trying to join as a non-Administrator user that
sports SeMachineAccountPrivilege only.

I've attached a patch that gives these bits a symbolic name and
creates the 32-bit field in the packet in a consistent manner. It
applies to late 3.0.x trees fine, but that code hasn't changed much
recently, so I imagine it'll probably apply cleanly to HEAD branch.

David, can you apply this patch to your tree and test it? You'll have
to delete the machine account (fedora8) before trying to rejoin, or
the flags will still be set the same on the machine account.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: samr_flags.diff
Type: application/octet-stream
Size: 8721 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080123/f5b347d2/samr_flags.obj

More information about the samba-technical mailing list