Thomas Vaughan tomva at isilon.com
Fri Oct 25 19:29:58 GMT 2002

Hello all-

Using samba 2.2.5 on FreeBSD 5 (a few months old).

I'm trying to get my FreeBSD box to serve out samba
shares using NT4 domain authentication.  I've got
Win2K PDCs (a couple different domains) running in
mixed mode.

These are the steps I'm taking:

 1) As NT domain administrator, I create machine
    accounts in the domain for my FreeBSD box.

 2) On the FreeBSD box, I set its DNS and domain to
    match the PDC.

 3) On the FreeBSD box, I set smb.conf to allow NT4
    authentication (smb.conf listed below).

 4) On the FreeBSD box, I restart samba with the new
    smb.conf (restart smbd and nmbd).

 5) I use smbpasswd -j <DOMAIN> -r <pdc_hostname> to
    attempt to join the domain.

Step 5 fails, complaining that the FreeBSD client
doesn't trust the PDC (assuming I'm interpreting the
errors correctly).

If I try step 5 with my administrator account, it
works.  However, that's not a good solution for me,
because I need to automate this so that the NT admin
only needs to create machine accounts.

Can anyone tell me why step 5 is failing?  I need to
know what's breaking down in the protocol so I can
detect this in the field and deal with it (either get
it to work or display helpful diagnostics).

I can ping the pdc from my FreeBSD host, and vice-
versa.  My FreeBSD host can resolve the pdc name using
nmbd.  Adding the pdc to lmhosts didn't make any

My smb.conf:
  encrypt passwords = yes
  log file = /var/log/samba.log
  large readwrite = yes
  read size = 65536
  socket options = TCP_NODELAY
  dns proxy = no
  change notify timeout = 3000
  disable spoolss = yes
  smb passwd file = /usr/local/private/smbpasswd
  password server = *
  winbind separator = +
  winbind uid = 10000-20000
  winbind gid = 10000-20000
  winbind enum users = yes
  winbind enum groups = yes
  workgroup = MY_NT_DOMAIN
  server string = My Server rocks.
  hosts allow =
  security = DOMAIN

smbpasswd -j MY_NT_DOMAIN -r <pdc_hostname> spew:

hostname# smbpasswd -j MY_NT_DOMAIN -r <pdc_hostname> -D3
Initialising global parameters
params.c:pm_process() - Processing configuration file 
Processing section "[global]"
added interface ip=<my_ip> bcast=<my_broadcast> nmask=<my_mask>
resolve_lmhosts: Attempting lmhosts lookup for name <pdc_hostname><0x20>
Connecting to <pdc_ip> at port 445
lsa_io_sec_qos: length c does not match size 8
resolve_lmhosts: Attempting lmhosts lookup for name <PDC_HOSTNAME><0x20>
Connecting to <pdc_ip> at port 445
cli_nt_setup_creds: request challenge failed
modify_trust_password: unable to setup the PDC credentials to machine 
2002/10/25 12:25:49 : change_trust_account_password: Failed to change 
password for domain MY_NT_DOMAIN.
Unable to join domain MY_NT_DOMAIN.

Other diagnostics:

hostname# wbinfo -p
'ping' to winbindd succeeded

hostname# wbinfo -t
Secret is bad

wbinfo -u and -g both work!  I can see domain users
and groups.  But my FreeBSD box can't join the domain.
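An added diagnostic, written by the editor and not part of Thomas Vaughan's message or of Samba itself, that does what the message asks for in the field: turn the quoted smbpasswd -j -D3 spew and the wbinfo -t result into a specific reason code and a readable hint instead of raw debug output. The sample inputs are constructed from the output quoted above (site placeholders kept as they appear there); the success strings "Joined domain" and "Secret is good" are assumptions, since the post shows no successful run.

```shell
#!/bin/sh
# Added example by the editor, not code from the original post or from
# Samba: a small field diagnostic that classifies the messages quoted in
# the post from "smbpasswd -j ... -D3" and "wbinfo -t", so a failed join
# is reported with a specific reason instead of raw debug spew.
#
# Assumptions (not shown in the post): the success strings "Joined domain"
# (smbpasswd) and "Secret is good" (wbinfo -t) are assumed here.

# Constructed sample input: the join attempt's debug output as quoted in
# the post, with the site placeholders kept as they appear there.
SAMPLE_JOIN_LOG='Initialising global parameters
Connecting to <pdc_ip> at port 445
lsa_io_sec_qos: length c does not match size 8
Connecting to <pdc_ip> at port 445
cli_nt_setup_creds: request challenge failed
modify_trust_password: unable to setup the PDC credentials to machine
Unable to join domain MY_NT_DOMAIN.'

# Constructed sample input: the wbinfo -t result quoted in the post.
SAMPLE_WBINFO_T='Secret is bad'

# classify_join: read smbpasswd -j output on stdin, print one reason code.
# The most specific message is matched first, because a failed run also
# carries the generic "Unable to join domain" line.
classify_join() {
    log=$(cat)
    case "$log" in
        *"cli_nt_setup_creds: request challenge failed"*)
            echo netlogon_challenge_failed ;;
        *"Unable to join domain"*)
            echo join_failed_other ;;
        *"Joined domain"*)          # assumed success string
            echo joined ;;
        *)
            echo unknown ;;
    esac
}

# classify_trust: read wbinfo -t output on stdin, print one reason code.
classify_trust() {
    case "$(cat)" in
        *"Secret is bad"*)  echo trust_secret_bad ;;
        *"Secret is good"*) echo trust_secret_good ;;   # assumed success string
        *)                  echo unknown ;;
    esac
}

# has_qos_warning: return 0 if the LSA security-QoS length-mismatch warning
# from the quoted log is present. It is reported separately because it is
# a structure-length mismatch noted while marshalling an LSA security QoS
# structure, not the line that announces the failure.
has_qos_warning() {
    case "$(cat)" in
        *"lsa_io_sec_qos: length"*"does not match size"*) return 0 ;;
        *) return 1 ;;
    esac
}

# explain: map a reason code to an operator-facing sentence.
explain() {
    case "$1" in
        netlogon_challenge_failed)
            echo "NETLOGON credential setup with the PDC failed at the challenge request, so the join never reached the trust password change." ;;
        join_failed_other)
            echo "Join failed for a reason this script does not recognise; keep the -D3 output." ;;
        joined)
            echo "Join reported success." ;;
        trust_secret_bad)
            echo "winbindd could not validate the stored machine trust password with the domain controller." ;;
        trust_secret_good)
            echo "Stored machine trust password validated with the domain controller." ;;
        *)
            echo "No recognised message." ;;
    esac
}

# report: combine both classifiers into a one-line summary plus hints.
# $1 = smbpasswd -j output, $2 = wbinfo -t output.
report() {
    join_code=$(printf '%s\n' "$1" | classify_join)
    trust_code=$(printf '%s\n' "$2" | classify_trust)
    qos=no
    printf '%s\n' "$1" | has_qos_warning && qos=yes
    echo "join=$join_code trust=$trust_code lsa_qos_warning=$qos"
    explain "$join_code"
    explain "$trust_code"
}

report "$SAMPLE_JOIN_LOG" "$SAMPLE_WBINFO_T"
```

Run as a script it prints the summary for the quoted sample (join=netlogon_challenge_failed trust=trust_secret_bad lsa_qos_warning=yes); in the field, pass the captured outputs of `smbpasswd -j DOMAIN -r PDC -D3` and `wbinfo -t` to `report` instead of the constructed samples. The classifier only names messages that actually appear in the quoted run; anything else falls through to "unknown" rather than guessing at a cause.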

