authority to join a domain

Ben Liblit liblit at
Thu Mar 22 05:00:19 GMT 2001

I am trying to add a Samba 2.0.7 box to an existing domain.  The Samba
box will not be a domain controller; it's just going to be a
nondescript member of the domain.  The primary domain controller is
running Windows 2000, but is also configured to emulate an NT4 PDC.

Our system administrators did their side of things, and told me that
user "domain\liblit" now has permission to add machine "zubzub" to the
"domain" domain.  I became root on "zubzub" and ran the following

   # smbpasswd -j DOMAIN -r PRIME

As you can probably guess "DOMAIN" is the name of the domain.  "PRIME" is
the name of the primary domain controller.  Unfortunately, PRIME doesn't
like me:

   cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT
   cli_nt_setup_creds: auth2 challenge failed
   modify_trust_password: unable to setup the PDC credentials to machine PRIME. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT.
   2001/03/21 20:51:47 : change_trust_account_password: Failed to change password for domain DOMAIN.
   Unable to join domain DOMAIN.

I'm not suprised that this failed, though, because at no point did I
say that "domain\liblit" is the one who is authorizing the action or
provide the corresponding password.  I've poured over the
documentation, and I cannot figure out how to get this piece of
information into the domain-join request.

So the PDC is set up to welcome a new machine, but only one specific
user is authorized to do it.  How do tell smbpasswd about this
specially designated user?  (For example, under Win2K, I am presented
with a dialog box asking for the name and password of a user who is
authorized to add the machine.)  Conversely, what user does smbpasswd
assume if it has no provision for specifying a different one?

More information about the samba mailing list