[Samba] 3.0.7 joining NT4 domain: no go
Denis Vlasenko
vda at port.imtp.ilyichevsk.odessa.ua
Fri Oct 1 15:42:44 GMT 2004
Hi,

I am still wrestling with WinNT4 domain PDC which does not like
a Samba member. I updated PDC to SP6a. I also verified that
this admin username/password indeed can be successfully
used to join an NT workstation to the domain.

I narrowed samba failure down to net join silent failure.
It says "Joined domain PORT" but logs reveal that actually
joining failed.

I did several runs of net join, deleting all samba-generated files
in between. No samba daemons were running while I did joins.
This rules out "stale" data problems between runs. Each time
samba had to create SIDs etc afresh.

Logs of
    net -d <N> join -U <admin>
with N=3,4,5,6,7,10 are attached in a tarball.

Log at N=4 is also here inline:

lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/usr/app/samba-3.0.7/var/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = PORT
doing parameter security = domain
doing parameter password server = PORT_PDC
doing parameter domain master = no
doing parameter domain logons = no
doing parameter preferred master = No
doing parameter deadtime = 15
doing parameter create mode = 0644
doing parameter force create mode = 0400
doing parameter security mask = 0777
doing parameter directory mode = 755
doing parameter force directory mode = 0111
doing parameter directory security mask = 0777
doing parameter unix charset = koi8r
doing parameter display charset = koi8r
doing parameter dos charset = cp866
doing parameter name resolve order = wins
doing parameter wins server = 172.16.42.102
doing parameter map to guest = Bad User
doing parameter guest account = guest
doing parameter guest ok = Yes
doing parameter null passwords = Yes
doing parameter template homedir = /home/%D+%U
doing parameter template shell = /bin/bash
doing parameter winbind separator = +
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter debuglevel = 3
doing parameter log file = /usr/app/samba-3.0.7/var/log/samba.all
doing parameter max log size = 128
doing parameter debug hires timestamp = yes
doing parameter debug timestamp = yes
doing parameter syslog = 0
doing parameter syslog only = no
pm_process() returned Yes
added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0
resolve_wins: Attempting wins lookup for name PORT_PDC<0x20>
wins_srv_is_dead: 172.16.42.102 is alive
wins_srv_is_dead: 172.16.42.102 is alive
resolve_wins: using WINS server 172.16.42.102 and tag '*'
nmb packet from 172.16.42.102(137) header: id=22721 opcode=Query(0) response=Yes
header: flags: bcast=No rec_avail=Yes rec_des=Yes trunc=No auth=Yes
header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
answers: nmb_name=PORT_PDC<20> rr_type=32 rr_class=1 ttl=0
answers 0 char @...*f hex 4000AC102A66
Got a positive name query response from 172.16.42.102 ( 172.16.42.102 )

Here it asks for a passwd and I type it in

Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
Serverzone is -10800
cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: 3FC0B63B834A4A69
cred_session_key
cred_create
cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal CB990D54ACC8BC13 neg: 400701ff
cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
rpc command function failed! (NT_STATUS_ACCESS_DENIED)

What is it trying to do here?

Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
lsa_io_sec_qos: length c does not match size 8
cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: 089765772CD533AB
cred_session_key
cred_create
cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal 0697244501CE60F1 neg: 400701ff
cred_create
cred_assert
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
Using cleartext machine password
cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: C421DD4EC47FB266
cred_session_key
cred_create
cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal A796470ABBC5A347 neg: 400701ff
cred_create
cred_assert
return code = 0
Joined domain PORT.

smb.conf is below the sig.
Any thoughts?
--
vda

# Global parameters
[global]
# Authenticate users using given WinNT domain
# - VDA: ok, but you'll need to create UNIX users for each connecting Win one
# (same username as found on PDC)
# Update: [2001/12/07] can't make it accept domain users
# when winbindd is running even if local user exists in /etc/passwd
workgroup = PORT
#encrypt passwords = yes
security = domain
# needed? Or maybe just use * ?
password server = PORT_PDC
domain master = no
# domain logons = yes: provides the NETLOGON service
# which only PDC and BDC shall provide.
# This is a NO-GO for domain member machine. Set to NO.
domain logons = no
;;;;;;; Browsing
# force reelection on nmbd startup
# use with caution, because if there are several such hosts... ouch...
preferred master = No
;;;;;;; Connections
# connection timeout, minutes
deadtime = 15
;;;;;;; File management
# create mode = (((user_specified) AND cr_mode) OR force_mode)
create mode = 0644
force create mode = 0400
# 0's disallow chmodding of corresponding bits
security mask = 0777
# same for dirs
directory mode = 755
force directory mode = 0111
directory security mask = 0777
#
unix charset = koi8r
display charset = koi8r
dos charset = cp866
;;;;;;; Name resolution
name resolve order = wins
wins server = 172.16.42.102
;;;;;;; User management
map to guest = Bad User
guest account = guest
guest ok = Yes
null passwords = Yes
template homedir = /home/%D+%U
template shell = /bin/bash
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
;;;;;;; Logging
# Higher numbers = more logging
# Example: debuglevel = 3 passdb:5 auth:10 winbind:2
# (all tdb printdrivers lanman smb rpc_parse rpc_srv rpc_cli passdb sam auth winbind vfs idmap)
debuglevel = 3
#log file = /usr/app/samba-3.0.7/var/log/samba.%m
log file = /usr/app/samba-3.0.7/var/log/samba.all
# in kb. Will rename to *.old when exceeded
max log size = 128
debug hires timestamp = yes
debug timestamp = yes
#debug pid = yes
#debug uid = yes
# Do not log to syslog if message's level is greater than...
syslog = 0
# Do not log into files, syslog only?
syslog only = no
;;;;;;; Shares
[pub]
path = /pub
guest only = Yes
[homes]
path = /
read only = No
guest ok = No
only user = Yes
# we don't actually want users to see //me/homes ;)
browseable = No
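
Added example (not part of the original post, and not Samba code): a small check that does not trust the "Joined domain" banner or the return code on their own, but flags a `net -d <N> join` log in which NT_STATUS errors were logged before the success message, which is the mismatch described in the post. The sample log is built from lines quoted above; the function names and the OK/SUSPECT/FAILED labels are assumptions of this example.

```python
import re

STATUS_RE = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")
JOINED_RE = re.compile(r"^Joined domain (\S+?)\.?$")
RC_RE = re.compile(r"^return code = (-?\d+)$")

# Sample input assembled from lines of the N=4 log in the post.
SAMPLE_LOG = """\
Connecting to 172.16.42.102 at port 139
cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Connecting to 172.16.42.102 at port 139
Using cleartext machine password
cred_assert
return code = 0
Joined domain PORT.
"""

def audit_join_log(text):
    """Collect the reported outcome and every non-OK NT_STATUS in the log."""
    report = {"joined": None, "return_code": None, "errors": []}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        for status in STATUS_RE.findall(line):
            if status != "NT_STATUS_OK":
                report["errors"].append((lineno, status, line))
        m = JOINED_RE.match(line)
        if m:
            report["joined"] = m.group(1)
        m = RC_RE.match(line)
        if m:
            report["return_code"] = int(m.group(1))
    return report

def verdict(report):
    """OK: banner and no errors. SUSPECT: banner despite errors. FAILED: no banner."""
    if report["joined"] and report["errors"]:
        return "SUSPECT"
    return "OK" if report["joined"] else "FAILED"

if __name__ == "__main__":
    rep = audit_join_log(SAMPLE_LOG)
    print(verdict(rep), "domain:", rep["joined"], "rc:", rep["return_code"])
    for lineno, status, line in rep["errors"]:
        print(f"  line {lineno}: {status}: {line}")
```

A SUSPECT result only means the log needs reading; it does not by itself prove that the machine account was or was not created on the PDC.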