[Samba] XP gives Access denied for domain logon - solved, but with new problem

Frode Lillerud frode at lillerud.no
Sat Mar 27 11:30:53 GMT 2004 

I found the solution to the Access Denied errormessage.

When I change my computer from workgroup to domain I have to use user
root when giving username and password. I used frode, a non priviliged
user, and that’s why it failed.

I still have another problem though. When I try to log on with user anna
on my laptop it works fine, but if I try user anna on my stationary, or
user frode on either computer I get the message 
"A device attached to the system is not functioning." It seems like it's
talking to the PDC, cause if I give the wrong password it gives the
usual errormessage for bad password.

The samba logfile reports, among others:
Failed to do schannel processing
Authentication for user frode succeeded
The conflicting domain portions are not supported for NETLOGON calls
Failed to decode PDU

Has anyone seen that windows errormessage before, or know that the
logfile lines mean?

Frode
System Administrator

|-----Original Message-----
|From: Radio Gong 2000 GmbH & Co. KG [Technik]
|[mailto:sascha.bieler at radiogong.de]
|Sent: 26. mars 2004 20:15
|To: Frode Lillerud
|Subject: Re: [Samba] XP gives Access denied for domain logon
|
|Try to set
|
|server schannel = Yes
|server signing = No
|
|in globals section....
|
|Am Freitag, 26. März 2004 19:33 schrieben Sie:
|> I tried adding the SIGN-OR-SEAL patch (WinXP_SignOrSeal.reg - thanks
|> Sascha), but I still get the same "Access Denied" when I try to
change
|> from Workgroup to Domain, and log on from my desktop machine.
|>
|> I've also tried to log on with the new user (frode) from my laptop,
but
|> get the message: "A device attached to the system is not
functioning."
|> As I wrote earlier I have a working another domain user (anna) on the
|> laptop, but am unsuccessful in adding more.
|>
|> Any more suggestions? Could it be something with using a
samba-command
|> to add the machine?
|>
|> Frode
|> System Administrator
|>
|> |-----Original Message-----
|> |From: samba-bounces+samba=lillerud.no at lists.samba.org [mailto:samba-
|> |bounces+samba=lillerud.no at lists.samba.org] On Behalf Of Radio Gong
2000
|> |GmbH & Co. KG [Technik]
|> |Sent: 26. mars 2004 10:29
|> |To: samba at lists.samba.org
|> |Subject: Re: [Samba] XP gives Access denied for domain logon
|> |
|> |Did you apply the SIGN-OR-SEAL-Patch for the registry?
|> |
|> |Am Freitag, 26. März 2004 10:21 schrieb Frode Lillerud:
|> |> Samba 3.0.2a-Debian
|> |>
|> |> I have a somewhat working PDC server, but have some difficulties
|>
|> adding
|>
|> |> more users. I managed to create a user, anna, a couple of days
ago,
|>
|> it
|>
|> |> she works fine from my wireless laptop.
|> |>
|> |> To sort out some problems I have with the logon.bat script [see
|> |> sambalist "Netlogon script executes randomly"], I am also
including
|>
|> my
|>
|> |> desktop computer to the domain.
|> |>
|> |> I've run the following commands on the server:
|> |> useradd -m -k /home/samba/skeleton/ -d /home/samba/frode -g users
-s
|> |> /bin/false frode
|> |> and
|> |> smbpasswd -a frode
|> |> and
|> |> net groupmap modify ntgroup="Domain Users" unixgroup=users
|> |>
|> |> When I switch the XP computer from workgroup to domain I get a
popup
|>
|> box
|>
|> |> for username/password for the domain. Here I write username frode,
|>
|> and
|>
|> |> the password I set with smbpasswd.
|> |>
|> |> XP responds with a "Access denied" message.
|> |>
|> |> The samba logfile says:
|> |> [2004/03/26 10:16:02, 2] auth/auth.c:check_ntlm_password(305)
|> |>   check_ntlm_password:  authentication for user [frode] -> [frode]
->
|> |> [frode] succeeded
|> |> [2004/03/26 10:16:03, 2]
|> |> rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
|> |>   Returning domain sid for domain ISENGARD ->
|> |> S-1-5-21-2641962930-4089608471-2571597100
|> |> [2004/03/26 10:16:03, 2]
|> |> rpc_server/srv_samr_nt.c:access_check_samr_object(93)
|> |>   _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
|> |> [2004/03/26 10:16:03, 2]
|> |> rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
|> |>   Returning domain sid for domain ISENGARD ->
|> |> S-1-5-21-2641962930-4089608471-2571597100
|> |> [2004/03/26 10:16:03, 2]
|> |> rpc_server/srv_samr_nt.c:access_check_samr_function(115)
|> |>   _samr_create_user: ACCESS DENIED (granted: 0x00000201;
required:
|> |> 0x00000010)
|> |> [2004/03/26 10:16:03, 2] smbd/server.c:exit_server(558)
|> |>   Closing connections
|> |>
|> |> My smb.conf:
|> |> # Setting up Samba 3.0 as a Primary Domain Controller
|> |>
|> |> [global]
|> |>     # Server settings
|> |>     netbios name = sauroman
|> |>     workgroup = ISENGARD
|> |>     server string = Testing PDC
|> |>     security = user
|> |> #   guest account = smbguest
|> |>     encrypt passwords = yes
|> |>
|> |>     # PDC settings
|> |>     domain logons = yes
|> |>     logon script = newlog.bat
|> |>
|> |>     # Browser and WINS settings
|> |>     domain master = yes
|> |>     local master = yes
|> |>     preferred master = yes
|> |>     os level = 255
|> |>     wins support = yes
|> |>
|> |>     # Other services
|> |>     time server = yes
|> |>
|> |>     # Debugging and Logging
|> |>     log level = 2
|> |>     log file = /tmp/samba_%m.log
|> |>     max log size = 1000 #1MB
|> |>     debug timestamp = yes
|> |>     syslog = 1
|> |>
|> |> [netlogon]
|> |>     path = /var/lib/samba/netlogon
|> |>     browseable = yes
|> |>     writable = yes # set this to no again!
|> |>
|> |> [homes]
|> |>     comment = Home for %u
|> |>     writeable = yes
|> |>     browseable = no
|> |> ;   map archive = yes   ;?
|> |
|> |--
|> |Mit freundlichen Grüssen
|> |
|> |Sascha Bieler
|> |_______________________________________________
|> |Radio Gong 2000 GmbH & Co. KG
|> |Sascha Bieler
|> |Technischer Leiter
|> |Franz-Joseph-Strasse 14
|> |80801 München
|> |
|> |Tel.: +49 89 38 166 181
|> |Fax.: +49 89 38 166 180
|> |--
|> |To unsubscribe from this list go to the following URL and read the
|> |instructions:  http://lists.samba.org/mailman/listinfo/samba
|
|--
|Mit freundlichen Grüssen
|
|Sascha Bieler
|_______________________________________________
|Radio Gong 2000 GmbH & Co. KG
|Sascha Bieler
|Technischer Leiter
|Franz-Joseph-Strasse 14
|80801 München
|
|Tel.: +49 89 38 166 181
|Fax.: +49 89 38 166 180

More information about the samba mailing list