Join NT Domain : password problem, or so it seems

Damien Veillon Damien.Veillon at alcatel.fr
Wed Feb 21 17:36:14 GMT 2001


Here is my config :

  samba box (newly configured) :
    hostname : host201
    netbios name : host201
    OS : Solaris 7 (+ kernel patch 106541-12)
    samba version : 2.0.7
  NT domain :
    domain name : DOM5
    PDC : PDC407
    PDC OS : NT 4.0 service pack 5
  WINS server : WINS406 which is also NT 4.0 / SP 5


I found some information on Microsoft's TechNet website (article ID: Q154501)
regarding the machine account passwords on PDCs. There are two options
in the registry, "RefusePasswordChange" and
"DisablePasswordChange".
These are located in the registry key :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

I will ask my NT guys to check what the values of these
parameters are on the PDC and try to join again. As I am away from my site
tomorrow, I will check that by Friday...

I will let you know...
If anyone has any idea, anyway, I would be very pleased !!

Damien.


Roman, James (J.D.) wrote:
> I've got to say I'm a little stumped by this one. It clearly is an
> authentication problem. Out of curiosity what version of Samba and NT are we
> dealing with?
> 
> -----Original Message-----
> From: Damien Veillon [mailto:Damien.Veillon at alcatel.fr]
> Sent: Wednesday, February 21, 2001 7:14 AM
> To: Samba mailing list
> Subject: RE: Join NT Domain : password problem, or so it seems
> 
> 
> 
> A little more info...
> 
> Here are the messages returned by smbpasswd -j with the debug level 4 :
> 
> --
> host201 # smbpasswd -j DOM5 -r PDC407 -D 4
> resolve_lmhosts: Attempting lmhosts lookup for name PDC407<0x20>
> startlmhosts: Can't open lmhosts file /usr/local/samba/lib/lmhosts. Error
> was No such file or directory
> resolve_hosts: Attempting host lookup for name PDC407<0x20>
> Connecting to X.Y.233.6 at port 139
> cli_net_req_chal: LSA Request Challenge from PDC407 to HOST201:
> 8CB9F5B242A76A50
> cred_session_key
> cred_create
> cli_net_auth2: srv:\\PDC407 acct:HOST201$ sc:2 mc: HOST201 chal
> 7DA1DA1A70A6EF0D neg: 1ff
> cred_create
> cred_assert
> cred_create
> cli_net_srv_pwset: srv:\\PDC407 acct:HOST201$ sc: 2 mc: HOST201 clnt
> 1866D40E1ABADA75 3a93aeb4
> cli_net_srv_pwset: NT_STATUS_WRONG_PASSWORD
> modify_trust_password: unable to change password for machine HOST201 in
> domain DOM5 to Domain controller PDC407. Error was NT_STATUS_WRONG_PASSWORD.
> 2001/02/21 13:04:04 : change_trust_account_password: Failed to change
> password for domain DOM5.
> Unable to join domain DOM5.
> host201 # 
> --
> 
> Damien.
> 
> 
> ------ forwarded message ------
>    From: Damien Veillon <Damien.Veillon at alcatel.fr>
> Subject: RE: Join NT Domain : password problem, or so it seems
>      To: Samba mailing list <samba at us5.samba.org>
> 
> 
> Hi James (and others !)
> 
> All the machines are on the same subnet.
>   HOST201 (samba box)      is X.Y.232.28 with netmask 255.255.252.0
>   PDC407 (NT PDC)          is X.Y.233.6  with netmask 255.255.252.0
>   WINS406 (NT WINS server) is X.Y.233.5  with netmask 255.255.252.0
> 
> Here is the result of the "nmblookup -M - -T" command :
> 
> --
> host201 # nmblookup -M - -T
> querying `a__MSBROWSE__a on X.Y.235.255
> X.Y.233.5 `a__MSBROWSE__a<01>
> X.Y.233.6 `a__MSBROWSE__a<01>
> X.Y.233.43 `a__MSBROWSE__a<01>
> X.Y.233.42 `a__MSBROWSE__a<01>
> querying `a__MSBROWSE__a on X.Y.235.255
> X.Y.233.5 `a__MSBROWSE__a<01>
> X.Y.233.43 `a__MSBROWSE__a<01>
> X.Y.233.6 `a__MSBROWSE__a<01>
> X.Y.233.42 `a__MSBROWSE__a<01>
> host201 # 
> --
> 
> ...sounds ok to me !
> 
> 
> On my first try, I didn't set "Encrypt Passwords = Yes". However, I
> already tried that yesterday (this was one of my tries actually). It
> didn't help. I think this parameter must be set before restarting the
> samba daemons, after a successful join. It rules the authentication
> between the client and the Domain controller (PDC or BDC) but is not
> used during the joining process... well, that's what I understood !
> 
> 
> 
> Roman, James (J.D.) wrote:
>> Are all the machines on the same subnet? Or more specifically, are you on
>> the same subnet as PDC407? Try "nmblookup -M - -T" and see if your PDC or
>> WINS server comes back.  
>> 
>> One other distant possibility, have you set Encrypt Passwords = Yes?  
>> 
>> -----Original Message-----
>> From: Damien Veillon [mailto:Damien.Veillon at alcatel.fr]
>> Sent: Tuesday, February 20, 2001 12:49 PM
>> To: samba at us5.samba.org
>> Subject: RE: Join NT Domain : password problem, or so it seems
>> 
>> 
>> 
>> James, thanks for your answer... unfortunately your suggestions don't
>> fix my problem !
>> 
>> OK, I checked/tried the following :
>>   -> there is no DOM5.HOST201.mac file (actually, the private directory
>>      only contains the MACHINE.SID file)
>>   -> I removed the samba machine account, waited more than 15 minutes.
>>      I then started from scratch (including rm private/MACHINE.SID file)
>>      with all the netbios names in CAPS ("netbios name = HOST201",
>>      "password server = DOM407" and so on) (by the way, yes, hostname
>>      HOST201 is unique on the network !)
>>   -> I then re-added the samba server (HOST201) to the domain as a
>>      workstation in server manager and tried the
>>      "smbpasswd -j DOM5 -r PDC407"
>>      line again (I am root, so I have write access to the samba
>>      installation directory)
>> 
>> I have exactly the same problem :-( 
>> 
>> 
>> 
>> Roman, James (J.D.) wrote:
>> Before you try again. Search to see if there is a (NTDOMAIN NAME).(SAMBA
>> SERVER NAME).mac file on your system.  If so delete it.  Go back to your NT
>> PDC and remove the samba machine's account from server manager.  WAIT 15
>> MINUTES FOR THE NT SAM DATABASE TO UPDATE!!!! 
>> 
>> Now start from scratch. Change your smb.conf, so that netbios name = HOST201
>> (All CAPS)  (By the way HOST201 is unique on the network, isn't it?)
>> Re-add the Samba server (HOST201) to the domain as a workstation in server
>> manager. Now try the smbpasswd -j DOM5 -r PDC407 line again (Make sure you
>> are root, and that you have write access to the samba installation
>> directory, probably the same as where your smbpasswd file is located.)
>> 
>> Let me know if this helps. 
>>
>> -----Original Message-----
>> From: Damien Veillon [mailto:Damien.Veillon at alcatel.fr]
>> Sent: Tuesday, February 20, 2001 11:14 AM
>> To: samba at us5.samba.org
>> Subject: Join NT Domain : password problem, or so it seems
>> 
>> 
>> 
>> Hi everybody,
>> 
>> I have a problem with the join NT domain procedure.
>> I would like to use the "security = domain" authentication mode.
>> Therefore, I followed the instructions found in the DOMAIN_MEMBER.txt
>> file, by Jeremy Allison.
>> 
>> Here is my config :
>> 
>>   samba box (newly configured) :
>>     hostname : host201
>>     netbios name : host201
>>     OS : Solaris 7
>>     samba version : 2.0.7
>>   NT domain :
>>     domain name : DOM5
>>     PDC : PDC407
>>     PDC OS : NT 4 service pack 5
>>   WINS server : WINS406 which is also NT 4 / SP 5
>> 
>> 
>> Here is what I get :
>> 
>> step 1 : On the PDC (PDC407), adding the netbios name of the samba box
>> (host201) with the "server manager for domains" tool, as a "Windows NT
>> workstation or server".
>>   => OK.
>> 
>> step 2 : stopping the samba daemons on the samba box (host201)
>>   => OK.
>> 
>> step 3 : joining the domain with the command :
>> 
>>   smbpasswd -j DOM5 -r PDC407
>> 
>>   => not OK ; damn !
>> 
>> I got the following messages :
>> 
>> --
>> host201 # smbpasswd -j DOM5 -r PDC407
>> cli_net_srv_pwset: NT_STATUS_WRONG_PASSWORD
>> modify_trust_password: unable to change password for machine HOST201 in
>> domain DOM5 to Domain controller PDC407. Error was
>> NT_STATUS_WRONG_PASSWORD.
>> 2001/02/20 16:29:18 : change_trust_account_password: Failed to change
>> password for domain DOM5.
>> Unable to join domain DOM5.
>> host201 # 
>> --
>> 
>> Here is an extract of my smb.conf file when in step 1 :
>> 
>> --
>> [global]
>>         workgroup = DOM5
>>         netbios name = host201
>>         security = server
>>         password server = PDC407
>>         wins server = WINS406
>> --
>> 
>> I checked the samba mailing list archive from january 2000 to february
>> 2001 but found nothing regarding this problem.
>> 
>> I believe that the step 1 phase would create a trust account for the
>> samba box, with a well-known initial trust account password. This
>> allows smbpasswd to join the domain. Maybe there is something wrong in
>> that area ? Unfortunately, I don't know the NT mechanisms well enough to
>> figure out.
>> 
>> If anyone has any idea... please help !
>> Thanks,
>> Damien.
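Added example, not part of the original thread: a small Python parser that reads `smbpasswd -j ... -D 4` output and reports which netlogon client call logged the NT_STATUS error. The sample lines are taken from the debug trace quoted above with the mail line-wrapping undone; the stage list and the "passed" inference (no error was logged before a later stage started) are assumptions of this example, not Samba documentation.

```python
import re

# Netlogon client calls in the order the debug trace in this thread logs them
# (assumption of this example, taken from that trace).
STAGES = ["cli_net_req_chal", "cli_net_auth2", "cli_net_srv_pwset"]
STAGE_RE = re.compile(r"^(cli_net_[a-z0-9_]+):")
STATUS_RE = re.compile(r"\b(NT_STATUS_[A-Z_]+)")

# Lines from the -D 4 trace quoted in the thread, mail wrapping undone.
SAMPLE = r"""
Connecting to X.Y.233.6 at port 139
cli_net_req_chal: LSA Request Challenge from PDC407 to HOST201: 8CB9F5B242A76A50
cred_session_key
cred_create
cli_net_auth2: srv:\\PDC407 acct:HOST201$ sc:2 mc: HOST201 chal 7DA1DA1A70A6EF0D neg: 1ff
cred_create
cred_assert
cred_create
cli_net_srv_pwset: srv:\\PDC407 acct:HOST201$ sc: 2 mc: HOST201 clnt 1866D40E1ABADA75 3a93aeb4
cli_net_srv_pwset: NT_STATUS_WRONG_PASSWORD
Unable to join domain DOM5.
"""


def analyse_join(log_text):
    """Report the stages seen, the stage that logged an error, and its status."""
    reached, failed_stage, status = [], None, None
    for raw in log_text.splitlines():
        m = STAGE_RE.match(raw.strip())
        if not m or m.group(1) not in STAGES:
            continue  # credential helpers and summary lines carry no stage
        stage = m.group(1)
        if stage not in reached:
            reached.append(stage)
        err = STATUS_RE.search(raw)
        if err and err.group(1) != "NT_STATUS_OK" and failed_stage is None:
            failed_stage, status = stage, err.group(1)
    # Inference: stages logged before the failing one raised no error.
    passed = reached[:reached.index(failed_stage)] if failed_stage else reached
    return {"reached": reached, "passed": passed,
            "failed_stage": failed_stage, "status": status}


if __name__ == "__main__":
    for key, value in analyse_join(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the level 4 trace, it places the error at the password-set call, after the challenge and auth2 calls were logged without error; run against the default-level output, it can only name the failing call.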