[Samba] 3.0.7 net join to NT4 domain - silently fails?
Denis Vlasenko
vda at port.imtp.ilyichevsk.odessa.ua
Thu Sep 23 08:41:34 GMT 2004
I've got no response to my mail with subject
'samba 3.0.7 cannot join NT4 domain', so I dug deeper.
I also read carefully these docs:
swat/help/Samba-HOWTO-Collection/domain-member.html
swat/help/Samba-HOWTO-Collection/winbind.html
This is what I observe:
1. I start from a clean state:
PDC has no HUNTER machine account (checked with L0phtcrack)
HUNTER has empty var/{lock,private}
samba daemons are stopped, logs are deleted.
2. I run:
# net join -U domadmin%password
Joined domain PORT.
l0phtcrack and SrvMgr show hunter$ now. (grayed out "WinNT wks or server")
However, I have a msg in PDC security log (translation from Russian):
"Session with computer HUNTER is not established, because this
computer has no trust record in SAM database."
AFAIK, this is bad. Joining the domain must store
machine trust record in PDC's SAM. PDC says it is not there.
Let's test winbindd anyway.
3. Starting winbindd. Log:
* Starting
winbindd version 3.0.7 started.
Copyright The Samba Team 2000-2004
Processing section "[pub]"
Processing section "[homes]"
WARNING: The "only user" option is deprecated
adding IPC service
adding IPC service
added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0
added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
add_trusted_domain: PORT is an NT4 domain
Added domain PORT S-0-0
resolve_wins: Attempting wins lookup for name PORT<0x1c>
resolve_wins: using WINS server 172.16.42.102 and tag '*'
Got a positive name query response from 172.16.42.102 ( 172.16.42.102 172.16.42.102 )
rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT
IPC$ connections done anonymously
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
bind_rpc_pipe: transfer syntax differs
rpc_pipe_bind: check_bind_response failed.
cli_nt_session_open: rpc bind to \PIPE\lsarpc failed
rpc: trusted_domains
rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT
IPC$ connections done anonymously
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
Bind NACK received on pipe 801!
cli_nt_session_open: rpc bind to \PIPE\lsarpc failed
Could not open a connection to PORT for \PIPE\lsarpc (NT_STATUS_PIPE_NOT_AVAILABLE)
add_trusted_domain: BUILTIN is an NT4 domain
Added domain BUILTIN S-1-5-32
add_trusted_domain: HUNTER is an NT4 domain
Added domain HUNTER S-1-5-21-1166498158-3287646073-3355909017
rpc: trusted_domains
Could not open a connection to PORT for \PIPE\lsarpc (NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
Bad, bad, bad.
SrvMgr still shows hunter$ as grayed out "WinNT wks or server".
# wbinfo -u
Error looking up domain users
winbindd log:
[ 2709]: request interface version
[ 2709]: request location of privileged pipe
[ 2709]: list users
rpc_dc_name: Returning DC PORT_PDC (172.16.42.102) for domain PORT
IPC$ connections done anonymously
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
Bind NACK received on pipe 1001!
cli_nt_session_open: rpc bind to \PIPE\samr failed
Could not open a connection to PORT for \PIPE\samr (NT_STATUS_PIPE_NOT_AVAILABLE)
Looks like step 2 'net join -U domadmin%password' does
not succeed despite saying 'Joined domain PORT'.
I think so because I have that security alert on the PDC,
and winbindd has trouble. It is easily reproducible:
each net join attempt produces one security log message.
I cleaned up everything and reran 'net join' again with -d4.
Result:
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/usr/app/samba-3.0.7/var/etc/smb.conf"
Processing section "[global]"
doing parameter workgroup = PORT
doing parameter encrypt passwords = yes
doing parameter security = domain
doing parameter password server = *
doing parameter domain master = no
doing parameter domain logons = no
doing parameter preferred master = No
doing parameter deadtime = 15
doing parameter create mode = 0644
doing parameter force create mode = 0400
doing parameter security mask = 0777
doing parameter directory mode = 755
doing parameter force directory mode = 0111
doing parameter directory security mask = 0777
doing parameter unix charset = koi8r
doing parameter display charset = koi8r
doing parameter dos charset = cp866
doing parameter name resolve order = wins
doing parameter wins server = 172.16.42.102
doing parameter map to guest = Bad User
doing parameter guest account = guest
doing parameter guest ok = Yes
doing parameter null passwords = Yes
doing parameter template homedir = /home/%D+%U
doing parameter template shell = /bin/bash
doing parameter winbind separator = +
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter debuglevel = 3
doing parameter log file = /usr/app/samba-3.0.7/var/log/samba.all
doing parameter max log size = 128
doing parameter debug hires timestamp = yes
doing parameter debug pid = yes
doing parameter debug timestamp = yes
doing parameter syslog = 0
doing parameter syslog only = no
pm_process() returned Yes
added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
Serverzone is -10800
cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: 18D1F64987D0824F
cred_session_key
cred_create
cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal DF3EA14045A0A28B neg: 400701ff
cli_nt_setup_creds: auth2 challenge failed NT_STATUS_NO_TRUST_SAM_ACCOUNT
just_change_the_password: unable to setup creds (NT_STATUS_NO_TRUST_SAM_ACCOUNT)!
rpc command function failed! (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
lsa_io_sec_qos: length c does not match size 8
cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: 139AF6FA2C505C3D
cred_session_key
cred_create
cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal DF3EA14045A0A28B neg: 400701ff
cli_nt_setup_creds: auth2 challenge failed NT_STATUS_NO_TRUST_SAM_ACCOUNT
just_change_the_password: unable to setup creds (NT_STATUS_NO_TRUST_SAM_ACCOUNT)!
rpc command function failed! (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
lsa_io_sec_qos: length c does not match size 8
cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: 139AF6FA2C505C3D
cred_session_key
cred_create
cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal 51E00263A83FB7B1 neg: 400701ff
cred_create
cred_assert
Connecting to host=PORT_PDC
Connecting to 172.16.42.102 at port 445
error connecting to 172.16.42.102:445 (Connection refused)
Connecting to 172.16.42.102 at port 139
Using cleartext machine password
cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: 9F65B7A1600B8A71
cred_session_key
cred_create
cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal A8ABF0D3B9ACCF97 neg: 400701ff
cred_create
cred_assert
return code = 0
Joined domain PORT.
What is "just_change_the_password: unable to setup creds
(NT_STATUS_NO_TRUST_SAM_ACCOUNT)!"? Does this log ring a bell for anyone?
P.S. I grepped away timestamps. If you want them, unprocessed
output is below the sig. smb.conf is there too.
--
vda
[2004/09/23 10:50:55, 3] ../param/loadparm.c:lp_load(3897)
lp_load: refreshing parameters
[2004/09/23 10:50:55, 3] ../param/loadparm.c:init_globals(1307)
Initialising global parameters
[2004/09/23 10:50:55, 3] ../param/params.c:pm_process(566)
params.c:pm_process() - Processing configuration file "/usr/app/samba-3.0.7/var/etc/smb.conf"
[2004/09/23 10:50:55, 3] ../param/loadparm.c:do_section(3390)
Processing section "[global]"
doing parameter workgroup = PORT
doing parameter encrypt passwords = yes
doing parameter security = domain
doing parameter password server = *
doing parameter domain master = no
doing parameter domain logons = no
doing parameter preferred master = No
doing parameter deadtime = 15
doing parameter create mode = 0644
doing parameter force create mode = 0400
doing parameter security mask = 0777
doing parameter directory mode = 755
doing parameter force directory mode = 0111
doing parameter directory security mask = 0777
doing parameter unix charset = koi8r
doing parameter display charset = koi8r
doing parameter dos charset = cp866
doing parameter name resolve order = wins
doing parameter wins server = 172.16.42.102
doing parameter map to guest = Bad User
doing parameter guest account = guest
doing parameter guest ok = Yes
doing parameter null passwords = Yes
doing parameter template homedir = /home/%D+%U
doing parameter template shell = /bin/bash
doing parameter winbind separator = +
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter debuglevel = 3
doing parameter log file = /usr/app/samba-3.0.7/var/log/samba.all
doing parameter max log size = 128
doing parameter debug hires timestamp = yes
doing parameter debug pid = yes
doing parameter debug timestamp = yes
doing parameter syslog = 0
doing parameter syslog only = no
[2004/09/23 10:50:59.870334, 4, pid=4882] ../param/loadparm.c:lp_load(3928)
pm_process() returned Yes
[2004/09/23 10:50:59.873546, 2, pid=4882] ../lib/interface.c:add_interface(79)
added interface ip=172.17.30.1 bcast=172.17.255.255 nmask=255.255.0.0
[2004/09/23 10:50:59.889562, 3, pid=4882] ../libsmb/cliconnect.c:cli_start_connection(1376)
Connecting to host=PORT_PDC
[2004/09/23 10:50:59.890412, 3, pid=4882] ../lib/util_sock.c:open_socket_out(752)
Connecting to 172.16.42.102 at port 445
[2004/09/23 10:50:59.904421, 2, pid=4882] ../lib/util_sock.c:open_socket_out(789)
error connecting to 172.16.42.102:445 (Connection refused)
[2004/09/23 10:50:59.905586, 3, pid=4882] ../lib/util_sock.c:open_socket_out(752)
Connecting to 172.16.42.102 at port 139
[2004/09/23 10:50:59.930120, 4, pid=4882] ../lib/time.c:get_serverzone(122)
Serverzone is -10800
[2004/09/23 10:50:59.960046, 4, pid=4882] ../rpc_client/cli_netlogon.c:cli_net_req_chal(45)
cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: 18D1F64987D0824F
[2004/09/23 10:50:59.968025, 4, pid=4882] ../libsmb/credentials.c:cred_session_key(59)
cred_session_key
[2004/09/23 10:50:59.971904, 4, pid=4882] ../libsmb/credentials.c:cred_create(90)
cred_create
[2004/09/23 10:50:59.972588, 4, pid=4882] ../rpc_client/cli_netlogon.c:cli_net_auth2(108)
cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal DF3EA14045A0A28B neg: 400701ff
[2004/09/23 10:50:59.979078, 3, pid=4882] ../rpc_client/cli_netlogon.c:cli_nt_setup_creds(290)
cli_nt_setup_creds: auth2 challenge failed NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2004/09/23 10:50:59.981983, 3, pid=4882] ../libsmb/trusts_util.c:just_change_the_password(43)
just_change_the_password: unable to setup creds (NT_STATUS_NO_TRUST_SAM_ACCOUNT)!
[2004/09/23 10:50:59.983907, 1, pid=4882] ../utils/net_rpc.c:run_rpc_command(141)
rpc command function failed! (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
[2004/09/23 10:51:00.001361, 3, pid=4882] ../libsmb/cliconnect.c:cli_start_connection(1376)
Connecting to host=PORT_PDC
[2004/09/23 10:51:00.002167, 3, pid=4882] ../lib/util_sock.c:open_socket_out(752)
Connecting to 172.16.42.102 at port 445
[2004/09/23 10:51:00.017346, 2, pid=4882] ../lib/util_sock.c:open_socket_out(789)
error connecting to 172.16.42.102:445 (Connection refused)
[2004/09/23 10:51:00.018366, 3, pid=4882] ../lib/util_sock.c:open_socket_out(752)
Connecting to 172.16.42.102 at port 139
[2004/09/23 10:51:00.066174, 3, pid=4882] ../rpc_parse/parse_lsa.c:lsa_io_sec_qos(181)
lsa_io_sec_qos: length c does not match size 8
[2004/09/23 10:51:00.162712, 4, pid=4882] ../rpc_client/cli_netlogon.c:cli_net_req_chal(45)
cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: 139AF6FA2C505C3D
[2004/09/23 10:51:00.169870, 4, pid=4882] ../libsmb/credentials.c:cred_session_key(59)
cred_session_key
[2004/09/23 10:51:00.173714, 4, pid=4882] ../libsmb/credentials.c:cred_create(90)
cred_create
[2004/09/23 10:51:00.174491, 4, pid=4882] ../rpc_client/cli_netlogon.c:cli_net_auth2(108)
cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal 51E00263A83FB7B1 neg: 400701ff
[2004/09/23 10:51:00.183109, 4, pid=4882] ../libsmb/credentials.c:cred_create(90)
cred_create
[2004/09/23 10:51:00.183673, 4, pid=4882] ../libsmb/credentials.c:cred_assert(121)
cred_assert
[2004/09/23 10:51:00.198900, 3, pid=4882] ../libsmb/cliconnect.c:cli_start_connection(1376)
Connecting to host=PORT_PDC
[2004/09/23 10:51:00.199740, 3, pid=4882] ../lib/util_sock.c:open_socket_out(752)
Connecting to 172.16.42.102 at port 445
[2004/09/23 10:51:00.214740, 2, pid=4882] ../lib/util_sock.c:open_socket_out(789)
error connecting to 172.16.42.102:445 (Connection refused)
[2004/09/23 10:51:00.215746, 3, pid=4882] ../lib/util_sock.c:open_socket_out(752)
Connecting to 172.16.42.102 at port 139
[2004/09/23 10:51:00.250525, 4, pid=4882] ../passdb/secrets.c:secrets_fetch_trust_account_password(290)
Using cleartext machine password
[2004/09/23 10:51:00.251841, 4, pid=4882] ../rpc_client/cli_netlogon.c:cli_net_req_chal(45)
cli_net_req_chal: LSA Request Challenge from HUNTER to PORT_PDC: 9F65B7A1600B8A71
[2004/09/23 10:51:00.259052, 4, pid=4882] ../libsmb/credentials.c:cred_session_key(59)
cred_session_key
[2004/09/23 10:51:00.262893, 4, pid=4882] ../libsmb/credentials.c:cred_create(90)
cred_create
[2004/09/23 10:51:00.263567, 4, pid=4882] ../rpc_client/cli_netlogon.c:cli_net_auth2(108)
cli_net_auth2: srv:\\PORT_PDC acct:HUNTER$ sc:2 mc: HUNTER chal A8ABF0D3B9ACCF97 neg: 400701ff
[2004/09/23 10:51:00.272196, 4, pid=4882] ../libsmb/credentials.c:cred_create(90)
cred_create
[2004/09/23 10:51:00.272756, 4, pid=4882] ../libsmb/credentials.c:cred_assert(121)
cred_assert
[2004/09/23 10:51:00.283991, 2, pid=4882] ../utils/net.c:main(792)
return code = 0
Joined domain PORT.
smb.conf:
=========
# %U session username (the username that the client
# wanted, not necessarily the same as the one they
# got).
# %G primary group name of %U.
# %h the Internet hostname that Samba is running on.
# %m the NetBIOS name of the client machine (very use-
# ful).
# %L the NetBIOS name of the server. This allows you to
# change your config based on what the client calls
# you. Your server can have a ``dual personality''.
# %M the Internet name of the client machine.
# %R the selected protocol level after protocol negotia-
# tion. It can be one of CORE, COREPLUS, LANMAN1,
# LANMAN2 or NT1.
# %d The process id of the current server process.
# %a the architecture of the remote machine. Only some
# are recognized, and those may not be 100% reliable.
# It currently recognizes Samba, Windows for Work-
# groups, Windows 95, Windows NT and Windows 2000.
# Anything else will be known as ``UNKNOWN''. If it
# gets it wrong sending a level 3 log to
# samba at samba.org should allow it to be fixed.
# %I The IP address of the client machine.
# %T the current date and time.
# %D Name of the domain or workgroup of the current
# user.
# %$(envvar)
# The value of the environment variable envar.
#
# The following substitutes apply only to some configuration
# options (only those that are used when a connection has
# been established):
#
# %S the name of the current service, if any.
# %P the root directory of the current service, if any.
# %u username of the current service, if any.
# %g primary group name of %u.
# %H the home directory of the user given by %u.
# %N the name of your NIS home directory server. This is
# obtained from your NIS auto.map entry. If you have
# not compiled Samba with the --with-automount
# option, this value will be the same as %L.
# %p the path of the service's home directory, obtained
# from your NIS auto.map entry. The NIS auto.map
# entry is split up as ``%N:%p''.
# Global parameters
[global]
;;;;;;; Machine type (standalone/domain member/etc)
;;;;;;; Pick one type of config below
;# Authenticate users using given WinNT box
;# - VDA: ok
; workgroup = PORT
; encrypt passwords = yes
; security = server
; password server = PORT_PDC
; domain master = no
# Authenticate users using given WinNT domain
# - VDA: ok, but you'll need to create UNIX users for each connecting Win one
# (same username as found on PDC)
# Update: [2001/12/07] can't make it accept domain users
# when winbindd is running even if local user exists in /etc/passwd
workgroup = PORT
encrypt passwords = yes
security = domain
password server = *
domain master = no
# domain logons = yes: provides the NETLOGON service
# which only PDC and BDC shall provide.
# This is a NO-GO for domain member machine. Set to NO.
domain logons = no
;# Authenticate users using local Samba
;# (we are part of a workgroup)
;# - VDA: ok.
;# Set passwords for users via smbpasswd!
; workgroup = LINUX
; os level = 33
; security = share
; domain logons = no
;# We are PDC for our domain (domain name set by 'workgroup')
;# Have to have [netlogon]
;# TODO: check:maybe we need [profiles] too?
; workgroup = PORT2
; os level = 34
; security = user
; domain logons = yes
; domain master = yes # affects browser elections
; ;# To be executed each time user logs in. Stored in [netlogon]
; ;logon script = %u.bat
; # Home dir and drive to map it to
; # (%L: our server netbios name, %u: final user name)
; logon home = \\%L\%u\home\%u
; logon drive = w:
; # Profiles dir for roaming profiles
; logon path = \\%L\%u\home\%u\profiles
;;;;;;; Browsing
# force reelection on nmbd startup
# use with caution, because if there are several such hosts... ouch...
preferred master = No
;;;;;;; Connections
# connection timeout, minutes
deadtime = 15
;;;;;;; File management
# create mode = (((user_specified) AND cr_mode) OR force_mode)
create mode = 0644
force create mode = 0400
# 0's disallow chmodding of corresponding bits
security mask = 0777
# same for dirs
directory mode = 755
force directory mode = 0111
directory security mask = 0777
#
unix charset = koi8r
display charset = koi8r
dos charset = cp866
;;;;;;; Name resolution
name resolve order = wins
wins server = 172.16.42.102
;;;;;;; User management
map to guest = Bad User
guest account = guest
guest ok = Yes
null passwords = Yes
template homedir = /home/%D+%U
template shell = /bin/bash
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes
;;;;;;; Logging
# Higher numbers = more logging
# Example: debuglevel = 3 passdb:5 auth:10 winbind:2
# (all tdb printdrivers lanman smb rpc_parse rpc_srv rpc_cli passdb sam auth winbind vfs idmap)
debuglevel = 3
#log file = /usr/app/samba-3.0.7/var/log/samba.%m
log file = /usr/app/samba-3.0.7/var/log/samba.all
# in kb. Will rename to *.old when exceeded
max log size = 128
debug hires timestamp = yes
debug pid = yes
debug timestamp = yes
#debug uid = yes
# Do not log to syslog if message's level is greater than...
syslog = 0
# Do not log into files, syslog only?
syslog only = no
;;;;;;; Shares
;default service = user
;[user]
; path = /
; username = %S
; read only = No
; guest ok = No
; only user = Yes
; browseable = Yes
[pub]
path = /pub
guest only = Yes
;[in]
; path = /pub/in
; read only = No
; guest only = Yes
[homes]
path = /
;*;username = %S
read only = No
guest ok = No
only user = Yes
# we don't actually want users to see //me/homes ;)
browseable = No
;[netlogon]
; path = /usr/app/samba-3.0.7/var/netlogon
; guest ok = No
; browseable = No
;[profiles]
; path = /usr/app/samba-3.0.7/var/profiles
; browseable = No
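As an added example (not from the post and not Samba's own code): a small Python triage script for the kind of `net join -d4` trace quoted above. It pairs each `[timestamp, level, pid=N] file:function(line)` header with the message line that follows it, splits the trace into connection attempts to the DC, and reports which attempts ended in an NT_STATUS error and whether the final attempt reached the `cred_assert` credential check before `Joined domain` was printed. The sample lines are constructed in the post's format; it also accepts the form with timestamps grepped away.

```python
import re
from dataclasses import dataclass
# Samba 3.0.x debug header: "[date time, level, pid=N] file:function(line)"; the
# message follows on the next line. Lines with the header grepped away parse too.
HEADER_RE = re.compile(r"^\[\S+ \S+, \d+(?:, pid=\d+)?\] \S+$")
STATUS_RE = re.compile(r"\bNT_STATUS_[A-Z_]+\b")

# Constructed sample modelled on the -d4 trace in the post (timestamps/pid made up).
SAMPLE_LOG = """\
[2004/09/23 10:50:59.889562, 3, pid=4882] ../libsmb/cliconnect.c:cli_start_connection(1376)
  Connecting to host=PORT_PDC
[2004/09/23 10:50:59.904421, 2, pid=4882] ../lib/util_sock.c:open_socket_out(789)
  error connecting to 172.16.42.102:445 (Connection refused)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_NO_TRUST_SAM_ACCOUNT
  rpc command function failed! (NT_STATUS_NO_TRUST_SAM_ACCOUNT)
Connecting to host=PORT_PDC
Using cleartext machine password
[2004/09/23 10:51:00.272756, 4, pid=4882] ../libsmb/credentials.c:cred_assert(121)
  cred_assert
return code = 0
Joined domain PORT.
"""

@dataclass
class Attempt:
    host: str
    status: str = ""        # first NT_STATUS_* error seen in this connection attempt
    verified: bool = False  # cred_assert reached: the auth2 exchange with the DC succeeded

def messages(text):
    """Yield the message lines, dropping blank lines and the header line before each."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not HEADER_RE.match(line):
            yield line

def netlogon_attempts(text):
    """Split the trace at each 'Connecting to host=' and record how that attempt ended."""
    attempts, cur = [], None
    for msg in messages(text):
        if msg.startswith("Connecting to host="):
            cur = Attempt(host=msg.split("=", 1)[1])
            attempts.append(cur)
        elif cur is None or cur.status:
            continue                      # before the first attempt, or it already failed
        elif msg == "cred_assert":
            cur.verified = True
        else:
            st = STATUS_RE.search(msg)
            if st and st.group(0) != "NT_STATUS_OK":
                cur.status = st.group(0)
    return attempts

def join_summary(text):
    """Compare what net join claimed with what the netlogon exchanges actually did."""
    attempts = netlogon_attempts(text)
    return {"claimed_join": any(m.startswith("Joined domain") for m in messages(text)),
            "failed": [a.status for a in attempts if a.status],
            "final_verified": bool(attempts) and attempts[-1].verified}
```

On the post's trace this yields a claimed join with earlier NT_STATUS_NO_TRUST_SAM_ACCOUNT failures but a verified final attempt, which is the pattern worth looking at before trusting the "Joined domain" line.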