[Samba] Samba PDC, Win9x, 2k, XP domain logon problem

Savage, Elijah elijah_savage at reyrey.com
Tue Jun 25 13:43:03 GMT 2002


I hope this doc below helps out. But from what I have seen it looks like you
created the machine accounts but did not create the smbpasswd for the
machine accounts. See docs below.


Machine accounts: the manual approach
As noted, Samba will not allow you to add an entry to the smbpasswd file
(user or machine) unless there is an existing UNIX account for that user.
So the first step is to create an entry for the client in /etc/passwd:
Page 18 of 29 Using Samba as a PDC
[root@phoenix root]# /usr/sbin/useradd -g machines -d /dev/null -c "machine id" -s /bin/false machine_name$
[root@phoenix root]# passwd -l machine_name$
Changing password for user machine_name$
Locking password for user machine_name$
The first command creates the user machine_name (don't forget the
dollar-sign; it's required and identifies the entry as a trust account),
as a member of the group machines (-g), with no home directory
(-d /dev/null), a descriptive entry (-c; for example, "Tom's Notebook"),
and no shell access (-s /bin/false). The second command creates a "secret"
for the machine to authenticate against.
With the UNIX account created, we can now add the machine to
/etc/samba/smbpasswd as shown below:
[root@phoenix root]# smbpasswd -a -m machine_name
Added user machine_name$
Two things to note in the above command: One, if you installed Samba under
/usr/local/samba, you'll probably have to provide the complete path (i.e.,
/usr/local/samba/bin/smbpasswd). Two, when entering the machine_name, do
not append a dollar-sign; it's not required with smbpasswd.
WARNING: Once a trust account has been created on the PDC, it's good policy
to connect the client ASAP (which, in effect, changes the machine "password"
and syncs the secret between the server and the client). Until the client
formally connects to the PDC, the domain is vulnerable to another machine
connecting with the same netbios name.
Machine accounts: an automated approach
The second approach to creating a machine/trust account on the PDC is to
allow Samba to create them as needed when the client first joins the domain.
This little bit of magic is accomplished by adding an add user script option
to smb.conf. This creates the UNIX trust account, and tells Samba to
automatically create a corresponding entry in smbpasswd. The following is an
example of an entry based on a Redhat distribution:
[global]
...
add user script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false -M %u
...
The important thing to note in the above command is that the command to add
users may vary across operating systems and/or distributions, so tweak
accordingly.

-----Original Message-----
From: Daniel Fenwick [mailto:dfenwick at unr.edu] 
Sent: Tuesday, June 25, 2002 4:01 PM
To: samba at lists.samba.org
Subject: [Samba] Samba PDC, Win9x, 2k, XP domain logon problem

I am running Redhat 6.2 on a Dell PowerEdge 4400 with the Perk 3di Raid
controller.  (That's why still 6.2).  I currently have Samba 2.2.4
installed.  The campus environment is such that my users are spread over 5
subnets, the server has NICs on 3 of them.  There are other departments
also running work groups on the same subnets.  I have Windows 95, 98, ME, 2k
and XP workstations on the network.  Currently the W9x machines work fine.
The 2k and XP machines can not log in.  I can get them to connect to join
the domain, intermittently, but can not log in once they are joined.  I just
rejoined the domain and get the following log entries when I try joining
(which win2k says was successful) and when I try to log in:

Joining:
[2002/06/25 09:53:54, 0] rpc_server/srv_samr.c:api_samr_set_userinfo(670)
  api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.
[2002/06/25 09:54:08, 0] rpc_server/srv_netlog_nt.c:get_md4pw(188)
  get_md4pw: Workstation ed-test$: no account in domain

Trying to log in:
[2002/06/25 09:56:49, 0] rpc_server/srv_netlog_nt.c:get_md4pw(188)
  get_md4pw: Workstation ed-test$: no account in domain

The smbpasswd entry for the machine is:
ed-test$:9902:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[

This problem is becoming a major one.  Any suggestions or ideas?

Thanks.

Dan
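
Added example, not part of either message or of the quoted documentation: a cross-check of machine trust accounts (names ending in "$") between /etc/passwd and smbpasswd, covering the gap the reply describes plus UID, shell and flag mismatches. The sample file contents, the extra host names and the hash placeholders are constructed; the W flag is the workstation trust marker from the smbpasswd file format.

```python
# Added example: cross-check machine trust accounts in passwd vs smbpasswd.
# Both samples are constructed; the hash fields are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ed-test$:x:9902:510:machine id:/dev/null:/bin/false
lab-pc1$:x:9903:510:machine id:/dev/null:/bin/false
lab-pc2$:x:9904:510:machine id:/dev/null:/bin/bash
"""
H = "X" * 32
SAMPLE_SMBPASSWD = f"""\
ed-test$:9902:{H}:{H}:[W          ]:LCT-00000000:
lab-pc2$:9999:{H}:{H}:[U          ]:LCT-00000000:
ghost$:9910:{H}:{H}:[W          ]:LCT-00000000:
"""

def machine_entries(text):
    """Return {lowercased name: fields} for entries whose name ends in '$'."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) > 1 and not line.startswith("#") and fields[0].endswith("$"):
            entries[fields[0].lower()] = fields  # NetBIOS names are case-insensitive
    return entries

def audit(passwd_text, smbpasswd_text):
    """Return a sorted list of (account, problem) tuples."""
    unix = machine_entries(passwd_text)
    smb = machine_entries(smbpasswd_text)
    problems = []
    for name, f in unix.items():
        if name not in smb:
            problems.append((name, "UNIX account has no smbpasswd entry"))
        elif smb[name][1] != f[2]:
            problems.append((name, f"UID mismatch: passwd {f[2]}, smbpasswd {smb[name][1]}"))
        if len(f) > 6 and f[6] != "/bin/false":
            problems.append((name, f"login shell is {f[6]}, expected /bin/false"))
    for name, f in smb.items():
        if name not in unix:
            problems.append((name, "smbpasswd entry has no UNIX account"))
        if len(f) > 4 and "W" not in f[4]:
            problems.append((name, f"flags {f[4]} lack W (workstation trust)"))
    return sorted(problems)

if __name__ == "__main__":
    for account, problem in audit(SAMPLE_PASSWD, SAMPLE_SMBPASSWD):
        print(f"{account}: {problem}")
```

To run it against a live server, pass the contents of /etc/passwd and the smbpasswd file (read as root) to audit() in place of the samples.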