Join NT Domain : password problem, or so it seems
Damien Veillon
Damien.Veillon at alcatel.fr
Fri Feb 23 08:50:34 GMT 2001
Nelson, John P. wrote:
> host201 # smbpasswd -j DOM5 -r PDC407
> cli_net_srv_pwset: NT_STATUS_WRONG_PASSWORD
> modify_trust_password: unable to change password for machine HOST201 in
> domain DOM5 to Domain controller PDC407. Error was NT_STATUS_WRONG_PASSWORD.
> 2001/02/20 16:29:18 : change_trust_account_password: Failed to change
> password for domain DOM5.
> Unable to join domain DOM5.
> host201 #
>
> ----
>
> OK. This usually means that you did NOT just create the machine account for
> HOST201. On the domain controller, use server manager to delete the machine
> from the domain, then add it back again. Then try smbpasswd again.
>
> See, when you FIRST create a machine account, it sets the password to a
> well-known value. Part of the "join domain" handshake is to change this
> password to one that is known only to the client and the DC.
>
> I suspect that this machine account previously existed, and that you didn't
> actually create it from scratch. This doesn't help - Samba needs to have
> the password reset to the well-known value so that it can change it.
>
> The same thing happens if you try to add an NT system to the domain twice
> without resetting the machine account.
>
>
> Hope that helps,
>
> - john nelson
Hi John,
Thanks for your answer! Unfortunately, this does not help.
It is the first thing I tried actually, as I saw the same explanation
you gave in the samba mailing list archives.
I tried to reset the password, and I also tried to install a completely new
samba box from scratch which was unknown to the PDC.
I suspect there is another problem, maybe on the PDC. The initial
machine account password may be either different from the well-known
value or unchangeable. Well... I'm searching in that direction!
I found some information on the TechNet website from Microsoft (article ID: Q154501)
regarding the machine account passwords on PDCs. There are two options
in the registry, which are "RefusePasswordChange" and
"DisablePasswordChange".
These are located in the registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
I will ask my NT guys to check what the values of these
parameters are on the PDC and try to join again.
I will let you know the results of this attempt on the mailing list!
Damien.