[Samba] Computer accounts & Win2K

Bradley W. Langhorst brad at langhorst.com
Fri Mar 29 10:10:03 GMT 2002


On Fri, 2002-03-29 at 12:19, mdt-tech-mailbox at shaw.ca wrote:
> Hi all,
> 
> I've seen a good number of posts over the last while relating to 
> problems with Win2K clients being unable to authenticate users to a 
> Samba 2.2.x PDC (user level security with encrypted passwords) 
> because "the system's computer account in its primary domain is missing 
> or the password on that account is incorrect".  So far I have not run 
> across any solutions.
> 
> It seems that in all cases the computer accounts have been created 
> *correctly* on the unix machine using first useradd then smbpasswd as 
> described in the Samba documentation.
> 
> Adding the computers to the domain (system properties -> network ID -> 
> properties) seems to work:  the user is prompted for a username and 
> password with privileges sufficient to change the computer name in the 
> domain, then is informed that a reboot is required for the changes to 
> take effect.  After reboot, however, the above error message is 
> displayed when an attempt is made to log a user (any user, including 
> root) on to the domain.  *No* log info is generated by the Samba server.
> 
> Since I have seen no responses whatsoever to any of the posts about 
> this issue, I have two specific questions which might help me to 
> identify the problem myself:
> 
> 1. What is meant by the computer's *primary* domain?
The primary domain controller is the server that
is the authoritative source for Windows user information.
Microsoft has the concept of backup domain controllers that
serve to balance load and allow authentication when the PDC is
unavailable.  I think that Samba can only act as a PDC right now.
> 2. What *exactly* transpires when (a) one changes the name of a Win2K 
> client in the domain (i.e. adds the *machine* to the domain) and (b) 
> when a user attempts to logon to a domain from a Win2K machine that has 
> a valid machine account in the domain?
a) Samba will run whatever is in "add user script", in my case

    /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

and should create the machine account in /etc/smbpasswd.
Take a look there for your machine (ending with a $).
(Also be sure it is in /etc/passwd and /etc/shadow if you use shadow
passwords.)

b) Samba checks that the user is valid etc.
Take a look at the Samba HOWTO collection for more info on this.

You also need that signorseal registry patch to log in against a Samba
PDC.

brad
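
The lookup suggested in the reply above (a machine entry ending in `$` in /etc/smbpasswd, /etc/passwd and /etc/shadow), written out as an added shell example; it is not part of the original post or of Samba. The function name, the uid comparison and the sample data are assumptions of this example, and file paths are passed as arguments so it can be run against copies.

```sh
#!/bin/sh
# check_machine_account NAME PASSWD SHADOW SMBPASSWD
# Prints one line per problem; the exit status is the number of problems.
# Pass "" as SHADOW on systems that do not use shadow passwords.
check_machine_account() {
    acct="$1\$"      # machine accounts are the machine name plus '$'
    problems=0
    # Exact string match on field 1, so '$' is never read as a regex anchor.
    unix_uid=$(awk -F: -v a="$acct" '$1 == a { print $3; exit }' "$2")
    if [ -z "$unix_uid" ]; then
        echo "$acct: no entry in $2"; problems=$((problems + 1))
    fi
    if [ -n "$3" ] && ! awk -F: -v a="$acct" '$1 == a { f = 1 } END { exit !f }' "$3"; then
        echo "$acct: no entry in $3"; problems=$((problems + 1))
    fi
    # smbpasswd fields: name:uid:LM hash:NT hash:[flags]:LCT-time:
    smb=$(awk -F: -v a="$acct" '$1 == a { print $2 ":" $5; exit }' "$4")
    if [ -z "$smb" ]; then
        echo "$acct: no entry in $4"; problems=$((problems + 1))
    else
        case ${smb#*:} in
            *W*) ;;  # W flags a workstation trust account
            *) echo "$acct: flags in $4 lack W"; problems=$((problems + 1)) ;;
        esac
        # Assumption of this example: both files should carry the same uid.
        if [ -n "$unix_uid" ] && [ "${smb%%:*}" != "$unix_uid" ]; then
            echo "$acct: uid differs between $2 and $4"; problems=$((problems + 1))
        fi
    fi
    return "$problems"
}

# Constructed sample data: PC1 is complete, PC2 has no smbpasswd entry.
# The 32-X hash fields are placeholders, not real hashes.
demo() {
    d=$(mktemp -d)
    x=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    printf '%s\n' 'PC1$:x:1001:100::/dev/null:/bin/false' \
                  'PC2$:x:1002:100::/dev/null:/bin/false' > "$d/passwd"
    printf '%s\n' 'PC1$:!:11775:0:99999:7:::' 'PC2$:!:11775:0:99999:7:::' > "$d/shadow"
    printf '%s\n' "PC1\$:1001:$x:$x:[W          ]:LCT-00000000:" > "$d/smbpasswd"
    for m in PC1 PC2; do
        check_machine_account "$m" "$d/passwd" "$d/shadow" "$d/smbpasswd" \
            && echo "$m\$: ok" || echo "$m\$: $? problem(s)"
    done
    rm -rf "$d"
}
demo
```

On a live server the arguments would be the machine name without the `$` followed by /etc/passwd, /etc/shadow and /etc/smbpasswd, run as root so the last two are readable.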





