[Samba] Samba 3.0.2 PDC Setup: cannot join W2k machine -SAMR_SET_USERINFO fails (fixed!)

Erik Anderson erikba at teamworkgroup.com
Sun Jul 11 22:47:06 GMT 2004


Okay, did a lot of source code tracing today, and found my error.

The following attributes are required of any account used to join a machine
against a samba PDC:

* Primary group must correspond to "Domain Administrators" (S-1-5-21-xxx-yyy-zzz-512)
* Secondary group must correspond to "Administrators" (S-1-5-32-544)
* The username must be specified in smb.conf under [global] "admin users".

----- Original Message ----- 
From: "Erik Anderson" <erikba at teamworkgroup.com>
To: <samba at lists.samba.org>
Sent: Sunday, July 11, 2004 2:49 AM
Subject: [Samba] Samba 3.0.2 PDC Setup: cannot join W2k
machine -SAMR_SET_USERINFO fails


Okay, this is near the end of a marathon day trying to get this Linux
machine up and running as a PDC.  At this point I am unable to get a Windows
2K machine to join the domain; it responds with "Logon failure: unknown user
name or bad password".  Samba log shows the following:

rpc_server/srv_samr_nt.c: _samr_set_userinfo(2937)
 _samr_set_userinfo: 2937
rpc_server/src_lsa_hnd.c:find_policy_by_hnd_internal(162)
 Found policy hnd[0] [000] 00 00 00 00 08 00 00 00  00 00 00 00 32 FA F0 40
  [010] BF 22 00 00
rpc_server/srv_samr_nt.c:access_check_samr_function(106)
 _samr_set_userinfo: access check ((granted: 0x000000b0;
required:0x00000024)
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_set_userinfo: ACCESS DENIED (granted: 0x000000b0;  required:
0x00000024)
rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_set_userinfo
rpc_parse/parse_prs.c:prs_ntstatus(665)
     0000 status: NT_STATUS_ACCESS_DENIED

The log appears to show that the machine account was established properly,
but failed when the server was attempting to set a password?  Google pulls
up only one hit:
http://lists.samba.org/archive/samba/2003-December/076951.html

This is a Debian box ("testing" distribution), samba package is 3.0.2a-1
(modified to enable LDAP).

The user I am attempting to add the machine with is named Administrator,
which is a normal user (uid=3011, rid=7000) that has a primary group of
"Domain Admins" (gid=3011, sid=<SID>-512) and a secondary group of
"Administrators" (gid=3002, sid="S-1-5-32-544")

FYI, as a strange side effect of my installation, I had to modify the
samba.schema that came with the package, as the compiled output was
demanding to use the "historical schema".  Don't know if it has anything to
do with this issue, but I'm throwing it out there for additional
information.
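The ACCESS DENIED record in the quoted log can be decoded bit by bit to see which right the joining account's handle lacked. This is an added example, not part of the original post or of Samba's code. It assumes the check passes only when every required bit is present in the granted mask, and it labels bits with the user-object access-right names from MS-SAMR, which do not appear in the log.

```python
import re

# User-object access bits, named as in MS-SAMR (assumption: names are not in the log).
USER_ACCESS_BITS = {
    0x001: "USER_READ_GENERAL", 0x002: "USER_READ_PREFERENCES",
    0x004: "USER_WRITE_PREFERENCES", 0x008: "USER_READ_LOGON",
    0x010: "USER_READ_ACCOUNT", 0x020: "USER_WRITE_ACCOUNT",
    0x040: "USER_CHANGE_PASSWORD", 0x080: "USER_FORCE_PASSWORD_CHANGE",
    0x100: "USER_LIST_GROUPS", 0x200: "USER_READ_GROUP_INFORMATION",
    0x400: "USER_WRITE_GROUP_INFORMATION",
}

# Matches the "ACCESS DENIED" record even when the mail client wrapped it.
DENIED = re.compile(
    r"(\w+):\s*ACCESS DENIED\s*\(granted:\s*(0x[0-9a-fA-F]+);"
    r"\s*required:\s*(0x[0-9a-fA-F]+)\)"
)

def names(mask):
    """Decode a mask into bit names, lowest bit first; unknown bits as hex."""
    out, bit = [], 1
    while bit <= mask:
        if mask & bit:
            out.append(USER_ACCESS_BITS.get(bit, hex(bit)))
        bit <<= 1
    return out

def explain_denials(log_text):
    """Return one dict per denial: function, granted, required, missing."""
    results = []
    for func, granted, required in DENIED.findall(log_text):
        g, r = int(granted, 16), int(required, 16)
        missing = r & ~g  # required bits the handle was not granted
        results.append({"function": func, "granted": names(g),
                        "required": names(r), "missing": names(missing),
                        "denied": missing != 0})
    return results

# Log excerpt copied from the post above, including the wrapped line.
SAMPLE = """rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_set_userinfo: ACCESS DENIED (granted: 0x000000b0;  required:
0x00000024)
"""

if __name__ == "__main__":
    for denial in explain_denials(SAMPLE):
        print(denial)
```

For the masks in the post, the handle carries bit 0x20 but not bit 0x04, so the request is refused even though the granted mask is numerically larger than the required one.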