W2008RC1 Samba 3.2 Join Fails with NT_STATUS_WRONG_PASSWORD
David Holder
david.holder at erion.co.uk
Wed Jan 23 21:01:59 GMT 2008
Jeremy Allison wrote:
> On Wed, Jan 23, 2008 at 12:09:42PM -0800, Matt Geddes wrote:
>
>> Hi,
>>
>> On Jan 22, 2008 2:05 AM, David Holder <david.holder at erion.co.uk> wrote:
>>
>>
>>> Specifcally I am getting:
>>>
>>> # net ads join -Uadministrator%password123!
>>>
>> It' s not an shell escaping problem, is it? That exclamation mark
>> might disappear once the shell gets to it.
>>
>> That being said, I've taken a look at your packet captures and I can
>>
I tested this, it is shell clear!
>> see why you can't change the password on the machine account.
>>
>> Leighton's DCE/RPC book has two characters transposed (can't find the
>> page now...) on the flags field set in the samr createuser2 (and
>> others) function and it seems like all-but-one instance of these flags
>> across the Samba source have the same problem. It's a permissions mask
>> on the created account and by using the wrong value, we're preventing
>> ourselves from changing our own machine account password.
>>
>> This isn't a Windows 2008 specific problem -- I can reproduce it
>> against Windows 2003 trying to join as a non-Administrator user that
>> sports SeMachineAccountPrivilege only.
>>
>> I've attached a patch that gives these bits a symbolic name and
>> creates the 32-bit field in the packet in a consistent manner. It
>> applies to late 3.0.x trees fine, but that code hasn't changed much
>> recently, so I imagine it'll probably apply cleanly to HEAD branch.
>>
>> David, can you apply this patch to your tree and test it? You'll have
>> to delete the machine account (fedora8) before trying to rejoin, or
>> the flags will still be set the same on the machine account.
>>
>
> This looks good to me. I'm forward porting to 3.2.x and
> Jerry has promised to test (I'm in OOXML-hell right now :-).
>
> Jeremy.
>
Thanks, I'll test it once it is ported to 3.2.x.
David
More information about the samba-technical
mailing list