[Samba] Samba 2.2.5-1 problems joining domain - W2K PDC
Aaron D.
lists at aaronsplace.org
Mon Sep 9 18:32:00 GMT 2002
OK Ladies and Gentlemen I could use a hand on this one. I'm new to the
list, so please excuse me if I violate a protocol which is as yet unknown
to me. However I am having some problems that seem to be beyond my
abilities to find a solution to. Any help would be greatly appreciated.
Technical Info:
LINUX box is Red Hat 7.1; kernel version is 2.4.9-34. Samba version(s)
that I am working with are 2.2.5-1 (Red Hat Binary RPM downloaded from
samba.org) and 2.0.10-2 (from Red Hat's site).
Windows 2000 Advanced Server SP2 (SP3 was applied, and then
removed). Since the application of SP3, and the subsequent removal I've
restored from tape returning to PRE SP3 operations completely with no
change in results. PDC - Native mode.
Course of events:
I had Samba 2.0.10-2 up and running perfectly fine as a domain member
(security=domain) and all was well. I read up on the latest Samba release,
and decided I wanted to give it a try, utilizing the new winbind appliance.
I researched briefly on the Red Hat site, and determined that they did not
have anything above 2.0.10-2 available "packaged" for my version of Red
Hat. A quick trip to Samba.org produced a ready to roll rpm, and all was
well. I've made complete backups of my /etc/samba directory, and the
Windows 2000 server before any changes were made.
After performing a complete uninstall of the existing Samba version, and
installing the new package, I found that I was unable to get the Samba
re-joined to the domain. Items checked and verified:
I've verified more than once that the "Pre-windows 2000" box is checked
when adding the machine account on the PDC.
I've double and triple checked the account credentials used with the
smbpasswd join command.
I've verified my syntax is correct.
lmhosts and hosts files have proper entries
W2K wins server is up and has correct records
smb.conf has Samba pointed in the correct direction for the WINS server on
the W2K box.
nmblookup is able to resolve the server, and domain correctly and as expected.
When I run the smbpasswd -j DOM -R SERVER -A user I am prompted for the
password. With Version 2.2.5-1 I receive the expected message that the
domain was joined, and a quick check reveals that the secrets.tdb is
created and in the proper location. Ownership and group are both root, with
only root having rw access. I am able to enumerate groups and users from
the domain using wbinfo -u or -g, and getent does reveal domain users and
groups as well. However, no users or groups are able to authenticate into
the Samba server, despite what I believe to be correct pam.d settings.
Message examples will appear below from logs.
With Version 2.0.10-2 I run the same command, however I receive an error
message, and am told that it was unable to join the domain. The
MACHINE.SID is created, and matches the record in the W2K registry, however
the DOM.MACH.mac is not created.
The most common message that I see in the log.smbd is:
smbd/password.c:connect_to_domain_password_server(1328)
connect_to_domain_password_server: machine SERVER rejected the tconX on
the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED.
This is the message I receive with 2.0.10 when I try to join the domain:
modify_trust_password: machine SERVER rejected the tconX on the IPC$ share.
Error was : ERRDOS - ERRnoaccess.
2002/09/09 10:45:34 : change_trust_account_password: Failed to change
password for domain DOMAIN.
Unable to join domain DOMAIN.
Of course, the machine account is fresh and new on each attempt. It's
deleted, and the server rebooted before it is re-added. I've also tried
never before used machine account names with the same result. I've read on
a couple of different sites that M$ added some new RPC calls via W2K SP2
which were not supported by pre 2.2 Samba. However what is it that I am
running into with the 2.2.x versions?
Any thoughts, suggestions or questions are welcome and
appreciated. Obviously I could roll back to a working configuration from
my tape backups, however I am not one whose mind lends itself well to
going backwards and "just getting it working."
Thank you all for your time and suggestions.
Aaron