[Samba] Problems adding Win clients to domain [SOLVED]

Lars-Gunnar Persson lars-gunnar.persson at nersc.no
Wed Aug 23 13:12:36 GMT 2006


I found the reason for this strange Samba behaviour:

The line "admin users = " in the smb.conf file was missing. I don't  
know how but that was the reason.

A bit embarrassing but at least I'm breathing now.

Regards,

Lars-Gunnar Persson

On 23. aug. 2006, at 12.57, Lars-Gunnar Persson wrote:

> I'm not able to add Win clients to my domain anymore. I receive an  
> error on the PC (2000 or XP):
>
> "The following error occurred attempting to join the domain  
> "[DOMAIN]":
> Logon failure: unknown user name or password."
>
> But I am able to log on to the server when accessing shares and  
> printers. This error message only appears when joining the domain.
>
> And on the Mac OS X 10.4.7 (Samba 3.0.10) server I get the  
> following in my log.smbd:
>
> [2006/08/22 11:32:03, 2] /SourceCache/samba/samba-92.20/samba/ 
> source/auth/auth.c:check_ntlm_password(360)
>   check_ntlm_password:  authentication for user [tmpadmin] ->  
> [tmpadmin] -> [tmpadmin] succeeded
> [2006/08/22 11:32:03, 2] /SourceCache/samba/samba-92.20/samba/ 
> source/lib/module.c:do_smb_load_module(63)
>   Module '/usr/lib/samba/vfs/darwin_acls.so' loaded
> [2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/ 
> source/rpc_server/srv_samr_nt.c:_samr_lookup_domain(2531)
>   Returning domain sid for domain [DOMAIN] ->  
> S-1-5-21-457614760-3765950544-3595693477
> [2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/ 
> source/rpc_server/srv_samr_nt.c:access_check_samr_object(93)
>   _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
> [2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/ 
> source/rpc_server/srv_samr_nt.c:_samr_lookup_domain(2531)
>   Returning domain sid for domain [DOMAIN]  ->  
> S-1-5-21-457614760-3765950544-3595693477
> [2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/ 
> source/rpc_server/srv_samr_nt.c:access_check_samr_object(93)
>   _samr_open_user: ACCESS DENIED  (requested: 0x000000b0)
> [2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/ 
> source/rpc_server/srv_samr_nt.c:access_check_samr_object(93)
>   _samr_open_user: ACCESS DENIED  (requested: 0x00000090)
> [2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/ 
> source/smbd/server.c:exit_server(595)
>   Closing connections
>
> where DOMAIN is my domain name and tmpadmin is a user account with  
> all privileges.
>
> I've been googling (oops, I'm not sure I can say that :-)) and  
> reading all the documentation I could find, but without any luck.
>
> What's strange is that when the server was installed I was able to  
> add a lot of clients. Then I've probably done something wrong and  
> now I'm getting into trouble. So, what have I been doing?
>
> Editing /etc/smb.conf
>    * Adding the line:  logon home = \\[FILESERVER]\%U
>    * Removing the line: #logon path = \\%N\profiles\%u
>
> Adding a group mapping with the command net
>    net groupmap add ntgroup="Domain Admins" unixgroup="admin"  
> type=domain
>    net groupmap cleanup
> but also reverted back to default group mappings.
>
> Reconfigured the Windows service by removing /var/samba and /etc/ 
> smb.conf. Didn't help.
>
> Editing /etc/openldap/slapd.conf:
>   * Adding a schema from ldapuserdata (a Squirrelmail plug-in), but I
> have removed this schema now.
>
> Are there other services/configuration files I have to look at?
>
> Do you have ANY tips? This is starting to get urgent for me now!
>
> I've now tried a couple of other things without success:
>
> I run this command to try to add the server which is the PDC to the  
> domain:
>
>    net rpc join -S [SERVER] -Uroot%[password]
>
> Today that command gave me the following output:
>
> [2006/08/23 09:23:07, 0] /SourceCache/samba/samba-92.9/samba/source/ 
> utils/net_rpc_join.c:net_rpc_join_newstyle(279)
>   error setting trust account password: NT_STATUS_ACCESS_DENIED
> Unable to join domain [DOMAIN].
>
> Yesterday I got a bit more interesting error message including
>
> decode_pw_buffer: incorrect password length (945999123).
>
> After searching the web I found two references regarding Mac OS X
> server and Samba about this:
>
> At AFP548:
> http://www.afp548.com/forum/viewtopic.php?showtopic=11873
>
> There were a couple of suggestions:
>
> 1. Change the server from PDC to Single Server and back again. In a  
> way I've tried that by removing the /etc/smb.conf and /var/samba.
>
> 2. Set the password of the directory administrator a couple of  
> times and then it should work. Tried that but it didn't work for me.
>
> At this mailing list in August 2005:
>
> 3. A tip from Michael Bartosh: /usr/bin/opendirectorypdbconfig -c  
> set_authenticator -r admin-name -p  xxxxx -n /LDAPv3/127.0.0.1
>    Tried it, but didn't work.
>
> At the moment I believe it may be the file
>
>     /var/db/samba/secrets.tdb
>
> since I didn't delete it when I reconfigured Samba. I was also  
> surprised that the SID of the Samba domain didn't change when I  
> reconfigured Samba.
>
> My question is then: Is it safe to rename this file and then
> start Samba again? Or will the domain lose its SID and I have to
> add all the Win clients again? But if I run the command:
>
>    sudo net getlocalsid [DOMAIN]
>
> before the renaming and then run the command:
>
>    net setlocalsid SID
>
> after. Will this procedure do it?
>
> Regards,
>
> Lars-Gunnar Persson
>

Lars-Gunnar Persson

Nansen Environmental and Remote Sensing Center
Thormøhlensgt. 47, N-5006 BERGEN, NORWAY

Phone  : + 47 55 20 58 31, Fax: + 47 55 20 58 01
Mobile : + 47 932 23 560, E-mail : lars-gunnar.persson at nersc.no
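
Added example, not part of the original post: in the quoted log.smbd the logon for tmpadmin succeeds and the SAMR server then refuses the access masks the join asks for, which is a privilege decision made after authentication rather than a credential failure. The Python sketch below decodes those masks with the access-right names from the MS-SAMR specification; the function names and the sample text (message lines taken from the post, unwrapped) are constructed for illustration.

```python
import re

# Access-right bit names as defined in the MS-SAMR specification.
DOMAIN_RIGHTS = {
    0x001: "READ_PASSWORD_PARAMETERS", 0x002: "WRITE_PASSWORD_PARAMS",
    0x004: "READ_OTHER_PARAMETERS", 0x008: "WRITE_OTHER_PARAMETERS",
    0x010: "CREATE_USER", 0x020: "CREATE_GROUP", 0x040: "CREATE_ALIAS",
    0x080: "GET_ALIAS_MEMBERSHIP", 0x100: "LIST_ACCOUNTS",
    0x200: "LOOKUP", 0x400: "ADMINISTER_SERVER",
}
USER_RIGHTS = {
    0x001: "READ_GENERAL", 0x002: "READ_PREFERENCES",
    0x004: "WRITE_PREFERENCES", 0x008: "READ_LOGON", 0x010: "READ_ACCOUNT",
    0x020: "WRITE_ACCOUNT", 0x040: "CHANGE_PASSWORD",
    0x080: "FORCE_PASSWORD_CHANGE", 0x100: "LIST_GROUPS",
    0x200: "READ_GROUP_INFORMATION", 0x400: "WRITE_GROUP_INFORMATION",
}

# Constructed sample: message lines from the log quoted in the post,
# with the e-mail line wrapping undone and the header lines left out.
SAMPLE_LOG = """\
  check_ntlm_password:  authentication for user [tmpadmin] -> [tmpadmin] -> [tmpadmin] succeeded
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
  _samr_open_user: ACCESS DENIED  (requested: 0x000000b0)
  _samr_open_user: ACCESS DENIED  (requested: 0x00000090)
"""

AUTH_OK = re.compile(r"authentication for user \[([^\]]+)\].*succeeded")
DENIED = re.compile(
    r"_samr_open_(domain|user): ACCESS DENIED\s+\(requested: (0x[0-9a-fA-F]+)\)")

def decode(mask, table):
    """Names of the rights whose bits are set in mask, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if mask & bit]

def samr_denials(log_text):
    """(user, object, mask, rights) for each SAMR denial after a logon."""
    user, found = None, []
    for line in log_text.splitlines():
        if (m := AUTH_OK.search(line)):
            user = m.group(1)
        elif (m := DENIED.search(line)):
            kind, mask = m.group(1), int(m.group(2), 16)
            table = DOMAIN_RIGHTS if kind == "domain" else USER_RIGHTS
            found.append((user, kind, mask, decode(mask, table)))
    return found

if __name__ == "__main__":
    for user, kind, mask, rights in samr_denials(SAMPLE_LOG):
        print(f"{user}: {kind} open denied, {mask:#x} = {' | '.join(rights)}")
```

The denied masks include CREATE_USER on the domain and WRITE_ACCOUNT and FORCE_PASSWORD_CHANGE on the user object, the rights a join needs to create a machine account and set its password.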



