[Samba] [help] Can't Join Samba 2.2.3a to TNG+LDAP

Walter Vendraminetto vendra at inwind.it
Wed Feb 26 12:59:33 GMT 2003


I need to join my Samba 2.2.3a to a TNG Domain (which stores user and
machine accounts in OpenLDAP) using it as a password server.

Provided that TNG is working fine in authenticating users on W2K machines,
once they are logged in they should (in my intentions) see Samba 2.2.3a
shares. In order to do this I provided the following configuration for
Samba:

workstation = <tng_domain>
security = DOMAIN
password server = <tng_server>
encrypt password = yes

Then I inserted a trust relationship into LDAP just like the trusts for the
W2K machines.
When I perform the join:

smbpasswd -j <tng_domain> -r <tng_server> -D 4

the error issued is the following (Essentially a NT_STATUS_ACCESS_DENIED):
----------------------------------------------------
arena:[root]# smbpasswd -j LABSCIENZEMFN -r LDAPS  -D 4

added interface ip=157.27.241.10 bcast=157.27.241.255 nmask=255.255.255.0
resolve_lmhosts: Attempting lmhosts lookup for name LDAPS<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
getlmhostsent: lmhost entry: 157.27.241.11 LDAPS 
Connecting to 157.27.241.11 at port 445
error connecting to 157.27.241.11:445 (Connection refused)
Connecting to 157.27.241.11 at port 139
bind_rpc_pipe: pipe_name \PIPE\lsass != expected pipe \PIPE\lsarpcd.  oh
well!
resolve_lmhosts: Attempting lmhosts lookup for name LDAPS<0x20>
getlmhostsent: lmhost entry: 127.0.0.1 localhost 
getlmhostsent: lmhost entry: 157.27.241.11 LDAPS 
Connecting to 157.27.241.11 at port 445
error connecting to 157.27.241.11:445 (Connection refused)
Connecting to 157.27.241.11 at port 139
bind_rpc_pipe: pipe_name \PIPE\lsass != expected pipe \PIPE\netlogond.  oh
well!
cli_net_req_chal: LSA Request Challenge from LDAPS to ARENA:
ED99CD85CA9053A9
cred_session_key
cred_create
cli_net_auth2: srv:\\LDAPS acct:ARENA$ sc:2 mc: ARENA chal BEA9F4F74576C1C9
neg: 1ff
cred_create
cred_assert
cred_create
cli_net_srv_pwset: srv:\\LDAPS acct:ARENA$ sc: 2 mc: ARENA clnt
D2D6DF1B812CFF7E 3e5ca8f5
cli_net_srv_pwset: NT_STATUS_ACCESS_DENIED
modify_trust_password: unable to change password for machine ARENA in domain
LABSCIENZEMFN to Domain controller LDAPS. Error was SUCCESS - 0.
2003/02/26 12:45:57 : change_trust_account_password: Failed to change
password for domain LABSCIENZEMFN.
Unable to join domain LABSCIENZEMFN.
----------------------------------------------------

In your opinion, WHY?
How does the machine password work?
The Administrator user is available on the <tng_server> as a valid user
[uid=0(Administrator) gid=0(root) groups=0(root)].

The trust account has the following attrs.
dn: cn=arena$, ou=NTMachine, ou=Samba, ou=Scienze, dc=univr,dc=it
pwdMustChange: 00000000
ntPassword: 8C97CD9A365825486806F43221CE1344
lmPassword: B874DAD114582F99AAD3B435B51404EE
uidNumber: 3556
pwdLastSet: 00000000
uid: arena$
objectClass: sambaAccount
objectClass: top
objectClass: account
script: dummy.bat
ntuid: arena$
acctFlags: [W ]
cn: arena$
description: Samba Machine Account
rid: de4
pwdCanChange: 00000000
grouprid: 201

