[Samba] [3.2.0pre1] net ads join fails with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

[Sven Schnelle]

Hi List,

i'm trying to join a Windows 2000 SP4 Domain (Native mode). I'm getting
the following error while joining:

# net ads join -U 'Administrator%password'
Using short domain name -- W2K
Could not connect to server dc.w2k.bitebene.org
Connection failed: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
Failed to verify membership in domain: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT!
Failed to join domain: No logon workstation trust account

my smb.conf:

[global]
realm = W2K.BITEBENE.ORG
netbios name = asg
security = ADS
idmap uid = 15000-20000
idmap gid = 15000-20000
winbind separator = +
winbind use default domain = yes
private dir = /etc/samba/private
use kerberos keytab = yes
client use spnego = yes
workgroup = W2K

(i'm only using winbindd)

The NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT above is probably
because we're using Machine Account credentials, but the Windows 2000
(With default security policy) denies logon with it.

In older Version net_rpc_join_ok used anonymous access, which won't work
on newer Windows Versions. (On this W2K it works).

So the only option left is using the supplied credentials during joining
- which works in all my cases (Win2003 SP2 / Win2000 SP4).

So i've changed the code back to the old one, but without anonymous flag:


Index: source/utils/net_rpc_join.c
===================================================================
RCS file: /home/cvs/sources/s/samba-3.2.0pre1/source/utils/net_rpc_join.c,v
retrieving revision 1.1.1.1
diff -w -u -u -r1.1.1.1 net_rpc_join.c
--- source/utils/net_rpc_join.c 16 Nov 2007 13:25:26 -0000      1.1.1.1
+++ source/utils/net_rpc_join.c 1 Dec 2007 20:38:16 -0000
@@ -44,28 +44,14 @@
                         struct in_addr *ip)
 {
        enum security_types sec;
-       unsigned int conn_flags = NET_FLAGS_PDC;
        uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
        struct cli_state *cli = NULL;
        struct rpc_pipe_client *pipe_hnd = NULL;
        struct rpc_pipe_client *netlogon_pipe = NULL;
        NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
 
-       sec = (enum security_types)lp_security();
-
-       if (sec == SEC_ADS) {
-               /* Connect to IPC$ using machine account's credentials. We don't use anonymous
-                  connection here, as it may be denied by server's local policy. */
-               net_use_machine_account();
-
-       } else {
-               /* some servers (e.g. WinNT) don't accept machine-authenticated
-                  smb connections */
-               conn_flags |= NET_FLAGS_ANONYMOUS;
-       }
-
        /* Connect to remote machine */
-       ntret = net_make_ipc_connection_ex(domain, server, ip, conn_flags, &cli);
+       ntret = net_make_ipc_connection_ex(domain, server, ip, NET_FLAGS_PDC, &cli);
        if (!NT_STATUS_IS_OK(ntret)) {
                return ntret;
        }


As i'm not a samba expert, i don't know if this needs more changes, or
if there are some othere solutions.  Any thoughts?

Cheers,

Sven.

PS: please CC me on replies, as i have subscriped to the list a few
minutes ago, and don't know how long it takes until the subscribtion is
active after replying to the subscribtion confirmation.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20071201/26bec89d/attachment.bin