[Samba] Problem joining NT 4 PDC

Andres Gomez Garcia agomez at igalia.com
Thu Aug 14 09:48:31 GMT 2003


Hi!

I'm trying to use Winbind to authenticate users through an NT 4.0
Terminal Server (EINFANTIL) acting as the PDC of the domain
RED_EINFANTIL.

This is my smb.conf:

[global]
        winbind separator = +
        winbind cache time = 10
        template shell = /bin/bash
        template homedir = /home/%U
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        workgroup = RED_EINFANTIL
        security = domain
        winbind used default domain = yes
        password server = *
        log level = 0
        encrypt passwords = yes


I join my linux box to the Domain with:

nc0:~# net join -S EINFANTIL -U Administrator
[2003/08/14 11:17:11, 1] param/loadparm.c:lp_do_parameter(3114)
  WARNING: The "winbind uid" option is deprecated
[2003/08/14 11:17:11, 1] param/loadparm.c:lp_do_parameter(3114)
  WARNING: The "winbind gid" option is deprecated
[2003/08/14 11:17:11, 0] param/loadparm.c:map_parameter(2388)
  Unknown parameter encountered: "winbind used default domain"
[2003/08/14 11:17:11, 0] param/loadparm.c:lp_do_parameter(3108)
  Ignoring unknown parameter "winbind used default domain"
Administrator password: 
Joined domain RED_EINFANTIL.



Winbind sees users and groups:


nc0:~# wbinfo -u
RED_EINFANTIL+Administrator
RED_EINFANTIL+Guest
RED_EINFANTIL+IUSR_EINFANTIL
RED_EINFANTIL+IWAM_EINFANTIL
RED_EINFANTIL+NSM_NFSROOT
RED_EINFANTIL+NSMNFS_User
RED_EINFANTIL+usuario


nc0:~# wbinfo -g
RED_EINFANTIL+Domain Admins
RED_EINFANTIL+Domain Guests
RED_EINFANTIL+Domain Users



but...



nc0:~# wbinfo -t
Secret is bad
0xc00000e5







I see my Linux box added in the Server Manager tool on the NT 4, but
when I try to log in (I use pam_winbind.so) with the existing domain
user RED_EINFANTIL+usuario...

nc0:~# winbindd -i
Unknown parameter encountered: "winbind used default domain"
Ignoring unknown parameter "winbind used default domain"
load_client_codepage: filename /usr/share/samba/codepages/codepage.850
does not exist.
load_unicode_map: filename /usr/share/samba/codepages/unicode_map.850
does not exist.
load_unicode_map: filename
/usr/share/samba/codepages/unicode_map.ISO8859-1 does not exist.



domain_client_validate: could not fetch trust account password for
domain RED_EINFANTIL

I have deleted the workstation from the Server Manager and the file
secrets.tdb so many times that I have lost count.

If I debug SAMBA ->

nc0:~# net join -S EINFANTIL -U Administrator
[2003/08/14 11:35:05, 1] param/loadparm.c:lp_do_parameter(3114)
  WARNING: The "winbind uid" option is deprecated
[2003/08/14 11:35:05, 1] param/loadparm.c:lp_do_parameter(3114)
  WARNING: The "winbind gid" option is deprecated
[2003/08/14 11:35:05, 0] param/loadparm.c:map_parameter(2388)
  Unknown parameter encountered: "winbind used default domain"
[2003/08/14 11:35:05, 0] param/loadparm.c:lp_do_parameter(3108)
  Ignoring unknown parameter "winbind used default domain"
[2003/08/14 11:35:06, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.1.69 bcast=192.168.1.255
nmask=255.255.255.0
Administrator password: 
[2003/08/14 11:35:11, 1] utils/net_ads.c:ads_startup(176)
  ads_connect: El otro extremo de la conexión no está conectado
[2003/08/14 11:35:11, 3] libsmb/cliconnect.c:cli_full_connection(1265)
  Connecting to host=EINFANTIL share=IPC$
[2003/08/14 11:35:11, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 445
[2003/08/14 11:35:12, 2] lib/util_sock.c:open_socket_out(705)
  error connecting to 192.168.1.100:445 (Conexión rehusada)
[2003/08/14 11:35:12, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 139
[2003/08/14 11:35:12, 3]
rpc_client/cli_netlogon.c:cli_nt_setup_creds(283)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2003/08/14 11:35:12, 3]
libsmb/trusts_util.c:just_change_the_password(44)
  just_change_the_password: unable to setup creds
(NT_STATUS_ACCESS_DENIED)!
[2003/08/14 11:35:12, 1] utils/net_rpc.c:run_rpc_command(154)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2003/08/14 11:35:12, 3] libsmb/cliconnect.c:cli_full_connection(1265)
  Connecting to host=EINFANTIL share=IPC$
[2003/08/14 11:35:12, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 445
[2003/08/14 11:35:12, 2] lib/util_sock.c:open_socket_out(705)
  error connecting to 192.168.1.100:445 (Conexión rehusada)
[2003/08/14 11:35:12, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 139
[2003/08/14 11:35:13, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(186)
  lsa_io_sec_qos: length c does not match size 8
[2003/08/14 11:35:13, 3] libsmb/cliconnect.c:cli_full_connection(1265)
  Connecting to host=EINFANTIL share=IPC$
[2003/08/14 11:35:13, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 445
[2003/08/14 11:35:13, 2] lib/util_sock.c:open_socket_out(705)
  error connecting to 192.168.1.100:445 (Conexión rehusada)
[2003/08/14 11:35:13, 3] lib/util_sock.c:open_socket_out(676)
  Connecting to 192.168.1.100 at port 139
Joined domain RED_EINFANTIL.
[2003/08/14 11:35:13, 2] utils/net.c:main(668)
  return code = 0




And....



[  380]: getpwnam RED_EINFANTIL+usuario
CACHESEQ RED_EINFANTIL/USR/usuario is 4294967295
resolve_lmhosts: Attempting lmhosts lookup for name RED_EINFANTIL<0x1c>
resolve_wins: Attempting wins lookup for name RED_EINFANTIL<0x1c>
resolve_wins: WINS server resolution selected and no WINS servers
listed.
name_resolve_bcast: Attempting broadcast lookup for name
RED_EINFANTIL<0x1c>
bind succeeded on port 0
Got a positive name query response from 192.168.1.100 ( 192.168.1.100 )
bind succeeded on port 0
resolve_lmhosts: Attempting lmhosts lookup for name EINFANTIL<0x20>
resolve_hosts: Attempting host lookup for name EINFANTIL<0x20>
resolve_wins: Attempting wins lookup for name EINFANTIL<0x20>
resolve_wins: WINS server resolution selected and no WINS servers
listed.
name_resolve_bcast: Attempting broadcast lookup for name EINFANTIL<0x20>
bind succeeded on port 0
Got a positive name query response from 192.168.1.100 ( 192.168.1.100 )
IPC$ connections done anonymously
Connecting to 192.168.1.100 at port 445
error connecting to 192.168.1.100:445 (Connection refused)
Connecting to 192.168.1.100 at port 139
seq 4294967295 for RED_EINFANTIL has expired (not == 147)
CACHESEQ RED_EINFANTIL/SID/RED_EINFANTIL\usuario is 4294967295
cached sequence number for RED_EINFANTIL is 147
seq 4294967295 for RED_EINFANTIL has expired (not == 147)
cached sequence number for RED_EINFANTIL is 147
cached sequence number for RED_EINFANTIL is 147
cached sequence number for RED_EINFANTIL is 147
[  380]: pam auth RED_EINFANTIL+usuario
domain_client_validate: User passwords not in encrypted format.
domain_client_validate: could not fetch trust account password for
domain RED_EINFANTIL
[  380]: getpwnam RED_EINFANTIL+usuario
CACHESEQ RED_EINFANTIL/USR/usuario is 147
cached sequence number for RED_EINFANTIL is 147
[  380]: getpwnam RED_EINFANTIL+usuario
CACHESEQ RED_EINFANTIL/USR/usuario is 147
cached sequence number for RED_EINFANTIL is 147
[  380]: getpwnam RED_EINFANTIL+usuario
CACHESEQ RED_EINFANTIL/USR/usuario is 147
cached sequence number for RED_EINFANTIL is 147



I think my Linux box doesn't save the password from the negotiation?
I don't know, but it regenerates secrets.tdb every time I join the
domain.


In the event viewer on the NT machine, event 5723 appears every time I
try to join the domain, and event 5722 appears every time I try to
rejoin.


Help, please!
-- 
Andrés Gómez García
Ingeniero en Informática
Telf:  +34 981 91 39 91
Fax:   +34 981 91 39 49
mailto:agomez at igalia.com
IGALIA, S.L. http://www.igalia.com
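
An added example, not part of the original post: a small parser for the Samba debug-log layout shown in the `net join` output above (a `[timestamp, level] file:function(line)` header followed by an indented message), which lists the NT_STATUS codes logged before the tool printed "Joined domain". The function names `parse` and `denied_before_join` are hypothetical, and the sample is built from lines quoted in the post.

```python
import re

# Constructed sample: a subset of the debug lines quoted in the post, including
# one header that the e-mail wrapped onto a second line.
SAMPLE = """\
[2003/08/14 11:35:05, 0] param/loadparm.c:map_parameter(2388)
  Unknown parameter encountered: "winbind used default domain"
[2003/08/14 11:35:12, 3]
rpc_client/cli_netlogon.c:cli_nt_setup_creds(283)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2003/08/14 11:35:12, 1] utils/net_rpc.c:run_rpc_command(154)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Joined domain RED_EINFANTIL.
[2003/08/14 11:35:13, 2] utils/net.c:main(668)
  return code = 0
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d, +(\d+)\]\s*(.*)$")
SOURCE = re.compile(r"^(\S+):(\w+)\((\d+)\)$")
STATUS = re.compile(r"NT_STATUS_[A-Z_]+")

def parse(text):
    """Split debug output into records; unindented non-header lines are tool stdout."""
    records, cur = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            cur = {"level": int(head.group(1)), "func": None, "msg": ""}
            records.append(cur)
            line = head.group(2)          # source may follow on the same line
        if cur is not None and cur["func"] is None:
            src = SOURCE.match(line.strip())   # also the 2nd line of a wrapped header
            cur["func"] = src.group(2) if src else None
            if src or not line.strip():
                continue
        if cur is not None and line.startswith("  "):
            cur["msg"] = (cur["msg"] + " " + line.strip()).strip()
        elif line.strip():
            cur = None                    # plain stdout ends the current record
            records.append({"level": None, "func": None, "msg": line.strip()})
    return records

def denied_before_join(records):
    """Return (function, status) pairs logged before a 'Joined domain' stdout line."""
    hits = []
    for rec in records:
        if rec["level"] is None and rec["msg"].startswith("Joined domain"):
            return hits
        hits += [(rec["func"], s) for s in STATUS.findall(rec["msg"])]
    return []
```

On the sample, `denied_before_join(parse(SAMPLE))` returns the two NT_STATUS_ACCESS_DENIED entries from `cli_nt_setup_creds` and `run_rpc_command` that precede the success message.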



