[Samba] 3.0.7 joining NT4 domain: no go

Denis Vlasenko vda at port.imtp.ilyichevsk.odessa.ua
Fri Oct 1 15:42:44 GMT 2004


Hi,

I am still wrestling with a WinNT4 domain PDC which does not like
a Samba member. I updated the PDC to SP6a. I also verified that
this admin username/password can indeed be successfully
used to join an NT workstation to the domain.

I narrowed the Samba failure down to a silent net join failure.
It says "Joined domain PORT" but the logs reveal that joining
actually failed.

I did several runs of net join, deleting all Samba-generated files
in between. No Samba daemons were running while I did the joins.
This rules out "stale" data problems between runs. Each time
Samba had to create SIDs etc. afresh.

Logs of

net -d <N> join -U <admin>

with N=3,4,5,6,7,10 are attached in a tarball.
Log at N=4 is also here inline:

  lp_load: refreshing parameters
  Initialising global parameters
  params.c:pm_process() - Processing configuration file "/usr/app/samba-3.0.7/var/etc/smb.conf"
  Processing section "[global]"
  doing parameter workgroup = PORT
  doing parameter security = domain
  doing parameter password server = PORT_PDC
  doing parameter domain master = no
  doing parameter domain logons = no
  doing parameter preferred master = No
  doing parameter deadtime = 15
  doing parameter create mode = 0644
  doing parameter force create mode = 0400
  doing parameter security mask = 0777
  doing parameter directory mode = 755
  doing parameter force directory mode = 0111
  doing parameter directory security mask = 0777
  doing parameter unix charset = koi8r
  doing parameter display charset = koi8r
  doing parameter dos charset = cp866
  doing parameter name resolve order = wins
  doing parameter wins server = 172.16.42.102
  doing parameter map to guest = Bad User
  doing parameter guest account = guest
  doing parameter guest ok = Yes
  doing parameter null passwords = Yes
  doing parameter template homedir = /home/%D+%U
  doing parameter template shell = /bin/bash
  doing parameter winbind separator = +
  doing parameter idmap uid = 10000-20000
  doing parameter idmap gid = 10000-20000
  doing parameter winbind enum users = yes
  doing parameter winbind enum groups = yes
  doing parameter debuglevel = 3
  doing parameter log file = /usr/app/samba-3.0.7/var/log/samba.all
  doing parameter max log size = 128
  doing parameter debug hires timestamp = yes
  doing parameter debug timestamp = yes
  doing parameter syslog = 0
  doing parameter syslog only = no
  pm_process() returned Yes
  added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0
  resolve_wins: Attempting wins lookup for name PORT_PDC<0x20>
  wins_srv_is_dead: 172.16.42.102 is alive
  wins_srv_is_dead: 172.16.42.102 is alive
  resolve_wins: using WINS server 172.16.42.102 and tag '*'
  nmb packet from 172.16.42.102(137) header: id=22721 opcode=Query(0) response=Yes
      header: flags: bcast=No rec_avail=Yes rec_des=Yes trunc=No auth=Yes
      header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
      answers: nmb_name=PORT_PDC<20> rr_type=32 rr_class=1 ttl=0
      answers   0 char @...*f   hex 4000AC102A66
  Got a positive name query response from 172.16.42.102 ( 172.16.42.102 )

Here it asks for a passwd and I type it in

  Connecting to host=PORT_PDC
  Connecting to 172.16.42.102 at port 445
  error connecting to 172.16.42.102:445 (Connection refused)
  Connecting to 172.16.42.102 at port 139
  Serverzone is -10800
  cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: 3FC0B63B834A4A69
  cred_session_key
  cred_create
  cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal CB990D54ACC8BC13 neg: 400701ff
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
  just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)

What is it trying to do here?

  Connecting to host=PORT_PDC
  Connecting to 172.16.42.102 at port 445
  error connecting to 172.16.42.102:445 (Connection refused)
  Connecting to 172.16.42.102 at port 139
  lsa_io_sec_qos: length c does not match size 8
  cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: 089765772CD533AB
  cred_session_key
  cred_create
  cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal 0697244501CE60F1 neg: 400701ff
  cred_create
  cred_assert
  Connecting to host=PORT_PDC
  Connecting to 172.16.42.102 at port 445
  error connecting to 172.16.42.102:445 (Connection refused)
  Connecting to 172.16.42.102 at port 139
  Using cleartext machine password
  cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: C421DD4EC47FB266
  cred_session_key
  cred_create
  cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal A796470ABBC5A347 neg: 400701ff
  cred_create
  cred_assert
  return code = 0
Joined domain PORT.

smb.conf is below the sig.

Any thoughts?
--
vda

# Global parameters
[global]

# Authenticate users using given WinNT domain
# - VDA: ok, but you'll need to create UNIX users for each connecting Win one
# (same username as found on PDC)
# Update: [2001/12/07] can't make it accept domain users
# when winbindd is running even if local user exists in /etc/passwd
	workgroup = PORT
	#encrypt passwords = yes
	security = domain
	# needed? Or maybe just use * ?
	password server = PORT_PDC
	domain master = no
	# domain logons = yes: provides the NETLOGON service
	# which only PDC and BDC shall provide.
	# This is a NO-GO for domain member machine. Set to NO.
	domain logons = no


;;;;;;; Browsing
	# force reelection on nmbd startup
	# use with caution, because if there are several such hosts... ouch...
	preferred master = No

;;;;;;; Connections
	# connection timeout, minutes
	deadtime = 15

;;;;;;; File management
	# create mode = (((user_specified) AND cr_mode) OR force_mode)
	create mode = 0644
	force create mode = 0400
	# 0's disallow chmodding of corresponding bits
	security mask = 0777
	# same for dirs
	directory mode = 755
	force directory mode = 0111
	directory security mask = 0777
	#
	unix charset = koi8r
	display charset = koi8r
	dos charset = cp866

;;;;;;; Name resolution
	name resolve order = wins
	wins server = 172.16.42.102

;;;;;;; User management
	map to guest = Bad User
	guest account = guest
	guest ok = Yes
	null passwords = Yes
	template homedir = /home/%D+%U
	template shell = /bin/bash

	winbind separator = +
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind enum users = yes
	winbind enum groups = yes

;;;;;;; Logging
	# Higher numbers = more logging
	# Example: debuglevel = 3 passdb:5 auth:10 winbind:2
	# (all tdb printdrivers lanman smb rpc_parse rpc_srv rpc_cli passdb sam auth winbind vfs idmap)
	debuglevel = 3
	#log file = /usr/app/samba-3.0.7/var/log/samba.%m
	log file = /usr/app/samba-3.0.7/var/log/samba.all
	# in kb. Will rename to *.old when exceeded
	max log size = 128
	debug hires timestamp = yes
	debug timestamp = yes
	#debug pid = yes
	#debug uid = yes
	# Do not log to syslog if message's level is greater than...
	syslog = 0
	# Do not log into files, syslog only?
	syslog only = no

;;;;;;; Shares
[pub]
	path = /pub
	guest only = Yes

[homes]
	path = /
	read only = No
	guest ok = No
	only user = Yes
	# we don't actually want users to see //me/homes ;)
	browseable = No
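
The comparison the post makes by hand, reading the debug log against the final "Joined domain" line, as an added example that is not part of the original message or of Samba. The function name `audit_join_log` and the abridged sample log (lines copied from the N=4 output above) are constructed for illustration.

```python
import re

# Constructed sample: an abridged copy of the "net -d 4 join" output quoted in the post.
SAMPLE_LOG = r"""
  Connecting to host=PORT_PDC
  error connecting to 172.16.42.102:445 (Connection refused)
  Connecting to 172.16.42.102 at port 139
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
  just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
  Connecting to host=PORT_PDC
  error connecting to 172.16.42.102:445 (Connection refused)
  Connecting to 172.16.42.102 at port 139
  lsa_io_sec_qos: length c does not match size 8
  cred_assert
  Connecting to host=PORT_PDC
  Using cleartext machine password
  cred_assert
  return code = 0
Joined domain PORT.
"""

SESSION = re.compile(r"Connecting to host=(\S+)")
STATUS = re.compile(r"NT_STATUS_[A-Z0-9_]+")
REFUSED = re.compile(r"error connecting to (\S+):(\d+) \((.+)\)")
RESULT = re.compile(r"return code = (-?\d+)")
JOINED = re.compile(r"^Joined domain (\S+?)\.?$")


def audit_join_log(text):
    """Split the log per connection and compare logged errors with the final verdict."""
    sessions, summary = [], {"return_code": None, "joined": None}
    for line in text.splitlines():
        line = line.strip()
        if m := SESSION.search(line):
            sessions.append({"host": m.group(1), "errors": [], "refused_ports": []})
        elif sessions and (m := REFUSED.search(line)):
            sessions[-1]["refused_ports"].append(int(m.group(2)))  # transport fallback only
        if m := RESULT.search(line):
            summary["return_code"] = int(m.group(1))
        if m := JOINED.match(line):
            summary["joined"] = m.group(1)
        for code in STATUS.findall(line):
            if code != "NT_STATUS_OK" and sessions and code not in sessions[-1]["errors"]:
                sessions[-1]["errors"].append(code)
    failed = [i for i, s in enumerate(sessions, 1) if s["errors"]]
    summary.update(sessions=sessions, failed_sessions=failed,
                   contradiction=summary["joined"] is not None and bool(failed))
    return summary
```

A `contradiction` of `True` means the tool printed a success line although at least one connection in the same run logged an NT_STATUS error; it flags the run for inspection and does not by itself decide whether the machine account is usable.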

