W2008RC1 Samba 3.2 Join Fails with NT_STATUS_WRONG_PASSWORD

Jeremy Allison jra at samba.org
Wed Jan 23 20:59:59 GMT 2008


On Wed, Jan 23, 2008 at 12:09:42PM -0800, Matt Geddes wrote:
> Hi,
> 
> On Jan 22, 2008 2:05 AM, David Holder <david.holder at erion.co.uk> wrote:
> 
> > Specifically I am getting:
> >
> > # net ads join -Uadministrator%password123!
> 
> It's not a shell escaping problem, is it? That exclamation mark
> might disappear once the shell gets to it.
> 
> That being said, I've taken a look at your packet captures and I can
> see why you can't change the password on the machine account.
> 
> Leighton's DCE/RPC book has two characters transposed (can't find the
> page now...) on the flags field set in the samr createuser2 (and
> others) function and it seems like all-but-one instance of these flags
> across the Samba source have the same problem. It's a permissions mask
> on the created account and by using the wrong value, we're preventing
> ourselves from changing our own machine account password.
> 
> This isn't a Windows 2008 specific problem -- I can reproduce it
> against Windows 2003 trying to join as a non-Administrator user that
> sports SeMachineAccountPrivilege only.
> 
> I've attached a patch that gives these bits a symbolic name and
> creates the 32-bit field in the packet in a consistent manner. It
> applies to late 3.0.x trees fine, but that code hasn't changed much
> recently, so I imagine it'll probably apply cleanly to HEAD branch.
> 
> David, can you apply this patch to your tree and test it? You'll have
> to delete the machine account (fedora8) before trying to rejoin, or
> the flags will still be set the same on the machine account.

This looks good to me. I'm forward porting to 3.2.x and
Jerry has promised to test (I'm in OOXML-hell right now :-).

Jeremy.

