Join NT Domain : password problem, or so it seems

Damien Veillon Damien.Veillon at alcatel.fr
Wed Feb 21 12:13:35 GMT 2001


A little more info...

Here are the messages returned by smbpasswd -j with the debug level 4 :

--
host201 # smbpasswd -j DOM5 -r PDC407 -D 4
resolve_lmhosts: Attempting lmhosts lookup for name PDC407<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/lib/lmhosts. Error was No such file or directory
resolve_hosts: Attempting host lookup for name PDC407<0x20>
Connecting to X.Y.233.6 at port 139
cli_net_req_chal: LSA Request Challenge from PDC407 to HOST201: 8CB9F5B242A76A50
cred_session_key
cred_create
cli_net_auth2: srv:\\PDC407 acct:HOST201$ sc:2 mc: HOST201 chal 7DA1DA1A70A6EF0D neg: 1ff
cred_create
cred_assert
cred_create
cli_net_srv_pwset: srv:\\PDC407 acct:HOST201$ sc: 2 mc: HOST201 clnt 1866D40E1ABADA75 3a93aeb4
cli_net_srv_pwset: NT_STATUS_WRONG_PASSWORD
modify_trust_password: unable to change password for machine HOST201 in domain DOM5 to Domain controller PDC407. Error was NT_STATUS_WRONG_PASSWORD.
2001/02/21 13:04:04 : change_trust_account_password: Failed to change password for domain DOM5.
Unable to join domain DOM5.
host201 # 
--

Damien.


------ forwarded message ------
   From: Damien Veillon <Damien.Veillon at alcatel.fr>
Subject: RE: Join NT Domain : password problem, or so it seems
     To: Samba mailing list <samba at us5.samba.org>


Hi James (and others !)

All the machines are on the same subnet.
  HOST201 (samba box)      is X.Y.232.28 with netmask 255.255.252.0
  PDC407 (NT PDC)          is X.Y.233.6  with netmask 255.255.252.0
  WINS406 (NT WINS server) is X.Y.233.5  with netmask 255.255.252.0

Here is the result of the "nmblookup -M - -T" command :

--
host201 # nmblookup -M - -T
querying `a__MSBROWSE__a on X.Y.235.255
X.Y.233.5 `a__MSBROWSE__a<01>
X.Y.233.6 `a__MSBROWSE__a<01>
X.Y.233.43 `a__MSBROWSE__a<01>
X.Y.233.42 `a__MSBROWSE__a<01>
querying `a__MSBROWSE__a on X.Y.235.255
X.Y.233.5 `a__MSBROWSE__a<01>
X.Y.233.43 `a__MSBROWSE__a<01>
X.Y.233.6 `a__MSBROWSE__a<01>
X.Y.233.42 `a__MSBROWSE__a<01>
host201 # 
--

...sounds ok to me !


On my first try, I didn't set "Encrypt Passwords = Yes". However, I
already tried that yesterday (this was one of my tries actually). It
didn't help. I think this parameter must be set before restarting the
samba daemons, after a successful join. It rules the authentication
between the client and the Domain controller (PDC or BDC) but is not
used during the joining process... well, that's what I understood !



Roman, James (J.D.) wrote:
> Are all the machines on the same subnet? Or more specifically, are you on
> the same subnet as PDC407? Try "nmblookup -M - -T" and see if your PDC or
> WINS server comes back.  
> 
> One other distant possibility, have you set Encrypt Passwords = Yes?  
> 
> -----Original Message-----
> From: Damien Veillon [mailto:Damien.Veillon at alcatel.fr]
> Sent: Tuesday, February 20, 2001 12:49 PM
> To: samba at us5.samba.org
> Subject: RE: Join NT Domain : password problem, or so it seems
> 
> 
> 
> James, thanks for your answer... unfortunately your suggestions don't
> fix my problem !
> 
> OK, I checked/tried the following :
>   -> there is no DOM5.HOST201.mac file (actually, the private directory
>      only contains the MACHINE.SID file)
>   -> I removed the samba machine account, waited more than 15 minutes.
>      I then started from scratch (including rm private/MACHINE.SID file)
>      with all the netbios names in CAPS ("netbios name = HOST201",
>      "password server = DOM407" and so on) (by the way, yes, hostname
>      HOST201 is unique on the network !)
>   -> I then re-added the samba server (HOST201) to the domain as a
>      workstation in server manager and tried the
>      "smbpasswd -j DOM5 -r PDC407"
>      line again (I am root, so I have write access to the samba
>      installation directory)
> 
> I have exactly the same problem :-( 
> 
> 
> 
> Roman, James (J.D.) wrote:
> Before you try again. Search to see if there is a (NTDOMAIN NAME).(SAMBA
> SERVER NAME).mac file on your system.  If so delete it.  Go back to your NT
> PDC and remove the samba machine's account from server manager.  WAIT 15
> MINUTES FOR THE NT SAM DATABASE TO UPDATE!!!! 
> 
> Now start from scratch. Change your smb.conf, so that netbios name = HOST201
> (All CAPS)  (By the way HOST201 is unique on the network, isn't it?) Re-add
> the Samba server (HOST201) to the domain as a workstation in server manager.
> Now try the smbpasswd -j DOM5 -r PDC407 line again (Make sure you are root,
> and that you have write access to the samba installation directory, probably
> the same as where your smbpasswd file is located.)
> 
> Let me know if this helps. 
>
> -----Original Message-----
> From: Damien Veillon [mailto:Damien.Veillon at alcatel.fr]
> Sent: Tuesday, February 20, 2001 11:14 AM
> To: samba at us5.samba.org
> Subject: Join NT Domain : password problem, or so it seems
> 
> 
> 
> Hi everybody,
> 
> I have a problem with the join NT domain procedure.
> I would like to use the "security = domain" authentication mode.
> Therefore, I followed the instructions found in the DOMAIN_MEMBER.txt
> file, by Jeremy Allison.
> 
> Here is my config :
> 
>   samba box (newly configured) :
>     hostname : host201
>     netbios name : host201
>     OS : Solaris 7
>     samba version : 2.0.7
>   NT domain :
>     domain name : DOM5
>     PDC : PDC407
>     PDC OS : NT 4 service pack 5
>   WINS server : WINS406 which is also NT 4 / SP 5
> 
> 
> Here is what I get :
> 
> step 1 : On the PDC (PDC407), adding the netbios name of the samba box
> (host201) with the "server manager for domains" tool, as a "Windows NT
> workstation or server".
>   => OK.
> 
> step 2 : stopping the samba daemons on the samba box (host201)
>   => OK.
> 
> step 3 : joining the domain with the command :
> 
>   smbpasswd -j DOM5 -r PDC407
> 
>   => not OK ; damn !
> 
> I got the following messages :
> 
> --
> host201 # smbpasswd -j DOM5 -r PDC407
> cli_net_srv_pwset: NT_STATUS_WRONG_PASSWORD
> modify_trust_password: unable to change password for machine HOST201 in domain DOM5 to Domain controller PDC407. Error was NT_STATUS_WRONG_PASSWORD.
> 2001/02/20 16:29:18 : change_trust_account_password: Failed to change password for domain DOM5.
> Unable to join domain DOM5.
> host201 # 
> --
> 
> Here is an extract of my smb.conf file when in step 1 :
> 
> --
> [global]
>         workgroup = DOM5
>         netbios name = host201
>         security = server
>         password server = PDC407
>         wins server = WINS406
> --
> 
> I checked the samba mailing list archive from January 2000 to February
> 2001 but found nothing regarding this problem.
> 
> I believe that the step 1 phase would create a trust account for the
> samba box, with a well-known initial trust account password. This
> allows smbpasswd to join the domain. Maybe there is something wrong in
> that area ? Unfortunately, I don't know the NT mechanisms well enough to
> figure out.
> 
> If anyone has any idea... please help !
> Thanks,
> Damien.
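
Added example (not part of the original messages and not Samba code): a small Python triage of the "smbpasswd -j ... -D 4" output quoted above, reporting which cli_net_* call was reached, which one returned an NT_STATUS error, and whether the account and machine names on those lines agree. The sample log is constructed from lines in the message; the stage labels and the names triage, STAGES and SAMPLE are this example's own.

```python
import re

# Constructed sample: cli_net_* lines copied from the debug-level-4 output above.
SAMPLE = r"""Connecting to X.Y.233.6 at port 139
cli_net_req_chal: LSA Request Challenge from PDC407 to HOST201: 8CB9F5B242A76A50
cli_net_auth2: srv:\\PDC407 acct:HOST201$ sc:2 mc: HOST201 chal 7DA1DA1A70A6EF0D neg: 1ff
cli_net_srv_pwset: srv:\\PDC407 acct:HOST201$ sc: 2 mc: HOST201 clnt 1866D40E1ABADA75 3a93aeb4
cli_net_srv_pwset: NT_STATUS_WRONG_PASSWORD
Unable to join domain DOM5.
"""

# Labels are this example's own descriptions of the three client calls in the log.
STAGES = {
    "cli_net_req_chal": "request challenge",
    "cli_net_auth2": "authenticate (auth2)",
    "cli_net_srv_pwset": "set trust account password",
}
LINE = re.compile(r"^(cli_net_\w+): (.*)$")
STATUS = re.compile(r"\bNT_STATUS_\w+")
ACCT = re.compile(r"acct:(\S+).*?mc:\s*(\S+)")

def triage(log):
    """Return the stages seen, the first stage that logged an NT_STATUS
    error, and the (account, machine) name pairs found on those lines."""
    reached, failure, accounts = [], None, set()
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) not in STAGES:
            continue
        func, rest = m.groups()
        if func not in reached:
            reached.append(func)
        names = ACCT.search(rest)
        if names:
            accounts.add(names.groups())
        status = STATUS.search(rest)
        if status and failure is None:
            failure = (func, status.group(0))
    # A trust account is the machine name plus "$"; flag pairs that disagree.
    mismatch = [(a, mc) for a, mc in accounts if a.upper() != mc.upper() + "$"]
    return {"reached": reached,
            "failed_at": failure[0] if failure else None,
            "status": failure[1] if failure else None,
            "accounts": sorted(accounts), "name_mismatch": mismatch}

if __name__ == "__main__":
    r = triage(SAMPLE)
    for f in r["reached"]:
        print(f, "-", STAGES[f], "FAILED: " + r["status"] if f == r["failed_at"] else "")
```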






