Re-adding samba to a domain (was RE: Fear, Uncertainty, Doubt and Citrix on Win2k)

Andrew Bartlett abartlet at pcug.org.au
Thu Jan 17 04:49:08 GMT 2002


"Lightfoot.Michael" wrote:
> 
> 
> > At 11:17 AM 1/16/02 +1100, you wrote:
> > <snip>
> > > > To join the domain use 'smbpasswd -j DOMAIN -U Administrator'.  This
> > > > will create a machine account (with the PDC's admin password) and set a
> > > > password on that account.  This allows Samba to pass both the challenge
> > > > and response to the DC and to get back sane error codes.
> > > >
> > >I think I must be a little thick as I can't get this to work.  I tried:
> > >
> > >smbpasswd -j COMCARE -u Administrator
> > >
> > >It came back with a password prompt which I asked the M$ man to enter (for
> > >the PDC admin account) and it failed authentication.  The server exists at
> > >the PDC and everything (according to the M$ bloke) is OK there.
> >
> > Right, I know I'm butting in here, but what I have seen on the list is that
> > that joins the domain, but some people have had to create the account
> > manually.
> >
> > So, on the PDC, you need to make an account, and check the box that allows
> > non-w2k machines to use it.  Then that command might work.
> >
> OK, here's the resolution!
> 
> In recent months the PDC has been upgraded from NT4 to Win2k.  This change
> forced us to upgrade all our Samba servers from various ancient 1.9.18
> patchlevels to 2.2.2.
> 
> When I tried to change from security = server to security = domain as
> suggested by Andrew B, I got the problem outlined above.
> 
> The solution is that you have to delete each Samba server from the domain
> and then re-add it.  After this the instructions per the Samba Project
> documentation - for us Aussies:
> 
> http://samba.mirror.aarnet.edu.au/samba/docs/Samba-HOWTO-Collection.html#DOMAIN-SECURITY
> 
> work perrrrfectly.

I'll need to update some doco some day.  The method in the HOWTO is the
'old' method, which works when the machine has been 'added' in user
manager.  This 'add' also sets the password to 'machinename' - and the
'smbpasswd -j' simply changes it.  Quite simple actually.  The problem
is the race between the add and join, which is avoided with the '-U'
method.  (This adds an account with admin privs, and uses that to set
the password for the first time).

> We are now running in test with no authentication errors for Win2k TSE users
> and my developers and testers all have silly grins!

Nice to hear it all works!

> Thanks to all who gave assistance.  In another few days I'll be able to call
> myself an MCSE.  >:-)

:-)  Would you really want to stoop that low?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net



