[Samba] Workstation trust account

sermodi sermodi at gmail.com
Fri Jan 26 14:12:20 GMT 2007


Hi!
I did a new vampire on the NT4 and got the accounts. I get an error saying
"Could not find unix group 513" even though I have that group after running
smbldap-populate prior to vampire. This doesn't seem to affect the creation
of machine accounts because the machine accounts are there when I do a search.
The problem now seems to be that the credential challenge is failing. The
error log in samba says
The part where I think it fails:

[2007/01/26 14:21:00, 10] passdb/pdb_get_set.c:pdb_set_user_sid(544)
  pdb_set_user_sid: setting user sid
S-1-5-21-1776119392-1335896148-119103078-1812
[2007/01/26 14:21:00, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
  pdb_set_user_sid_from_rid:
        setting user sid S-1-5-21-1776119392-1335896148-119103078-1812 from
rid 1812
[2007/01/26 14:21:00, 10] passdb/pdb_get_set.c:pdb_set_group_sid(580)
  pdb_set_group_sid: setting group sid
S-1-5-21-1776119392-1335896148-119103078-513
[2007/01/26 14:21:00, 10]
passdb/pdb_compat.c:pdb_set_group_sid_from_rid(100)
  pdb_set_group_sid_from_rid:
        setting group sid S-1-5-21-1776119392-1335896148-119103078-513 from
rid 513
[2007/01/26 14:21:00, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1001, 513) - sec_ctx_stack_ndx = 0
[2007/01/26 14:21:00, 5] lib/util.c:dump_data(2053)
  [000] CB 97 46 42 57 0F 6D F6  24 BB F0 C9 64 AC EE A1  ..FBW.m. $...d...
[2007/01/26 14:21:00, 4] libsmb/credentials.c:cred_session_key(59)
  cred_session_key
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(61)
        clnt_chal: 70AC8820288ECF8D
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(62)
        srv_chal : 3CB84822EABF4CD9
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(63)
        clnt+srv : AC64D142124E1C67
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(64)
        sess_key : 52D509DB5E8010B2
[2007/01/26 14:21:00, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(92)
        sess_key : 52D509DB5E8010B2
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(93)
        stor_cred: 70AC8820288ECF8D
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(94)
        timestamp: 0
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(95)
        timecred : 70AC8820288ECF8D
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(96)
        calc_cred: 4C5A39005039ED3F
[2007/01/26 14:21:00, 4] libsmb/credentials.c:cred_assert(121)
  cred_assert
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(123)
        challenge : B6348D471E1F0113
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(124)
        calculated: 4C5A39005039ED3F
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(133)
  credentials check wrong

Any Idea?
Thanks!
/Sermodi


2007/1/24, Andrew Bartlett <abartlet at samba.org>:
>
> On Wed, 2007-01-24 at 17:09 +0100, sermodi wrote:
> > Andrew Bartlett wrote:
> > > On Tue, 2007-01-23 at 17:50 +0000, Cardon Denis wrote:
> > >
> > >> Hi sermodi,
> > >>
> > >>> I'm having a problem adding a W2K workstation to the domain samba+ldap.
> > >>> I can add it by logging with the local administrator then add to domain,
> > >>> but I would like to do it without doing it manually on every workstation.
> > >>> Have hundreds of workstations, I tried to add them by using smbldap scripts
> > >>> and I get an entry for the workstation but it still doesn't work. Is it even
> > >>> possible to only add a trust account on the PDC or do I have to do it
> > >>> from the windows client?
> > >>>
> > >> adding a workstation through the windows "join a domain" gui does some
> > >> configuration change on the host computer. Modifying is not enough, in
> > >> any case you'll have to do a few things on the windows box. However there
> > >> are a few command line tools available from MS for joining a domain, so you
> > >> can write a small script to add the boxes.
> > >>
> > >
> > > There is an RPC to do this (wkssvc_NetrJoinDomain2), but we never spent
> > > enough time to figure out the crypto.  The 524 byte password buffer
> > > looks like one of the existing uses of this kind of buffer (like SAMR),
> > > but that didn't apparently work.
> > >
> > > Andrew Bartlett
> > >
> > >
> > Thanks for the reply.
> > About the client modification, on an existing (by existing I mean a
> > workstation that has been trusted previously on another PDC, a NT4) the
> > client already has a password configured to the domain, the domain name
> > is the same and a net vampire has been done on the NT4. So what is the
> > difference between the challenge made to NT4 and the one made to the
> > new samba PDC?
>
> The whole purpose of the vampire process is that you should not have to
> rejoin machines.  If you are forced to rejoin a machine when vampiring
> NT4, then it's a bug.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Red Hat Inc.                  http://redhat.com
>
>
>
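
As an added example (not part of the original post or of Samba), this Python sketch scans level-5 smbd log text for `cred_assert` blocks and reports whether the credential the client sent (`challenge`) equals the one smbd computed from its session key (`calculated`). The first sample block uses values from the log above, the second block is constructed, and the function name `credential_checks` is hypothetical.

```python
import re

# Sample smbd level-5 log text. Block 1 uses values from the post above;
# block 2 (14:25:00) is constructed to show a passing check.
SAMPLE_LOG = """\
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(64)
        sess_key : 52D509DB5E8010B2
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(123)
        challenge : B6348D471E1F0113
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(124)
        calculated: 4C5A39005039ED3F
[2007/01/26 14:25:00, 5] libsmb/credentials.c:cred_assert(123)
        challenge : 0123456789ABCDEF
[2007/01/26 14:25:00, 5] libsmb/credentials.c:cred_assert(124)
        calculated: 0123456789ABCDEF
"""

TS = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),")
LOC = re.compile(r"(?:^|\s)\S+\.c:(\w+)\(\d+\)\s*$")   # file.c:function(line)
FIELD = re.compile(r"^\s*([\w+]+)\s*:\s*([0-9A-Fa-f]{16})\s*$")
CRED_FUNCS = {"cred_session_key", "cred_create", "cred_assert"}

def credential_checks(log_text):
    """Return one dict per cred_assert comparison found in the log text."""
    checks, seen, func, ts = [], {}, None, None
    for line in log_text.splitlines():
        t = TS.match(line)
        if t:
            ts = t.group(1)
        loc = LOC.search(line)
        if loc:                      # header (possibly mail-wrapped onto its own line)
            func = loc.group(1)
            continue
        f = FIELD.match(line)
        if not f or func not in CRED_FUNCS:
            continue
        seen[f.group(1)] = f.group(2).upper()
        if func == "cred_assert" and f.group(1) == "calculated":
            checks.append({"time": ts,
                           "match": seen.get("challenge") == seen["calculated"],
                           "client_sent": seen.get("challenge"),
                           "server_calc": seen["calculated"],
                           "sess_key": seen.get("sess_key")})
            seen = {}                # next handshake starts clean
    return checks

if __name__ == "__main__":
    for c in credential_checks(SAMPLE_LOG):
        print(c["time"], "OK" if c["match"] else "MISMATCH", c)
```

Run over a full log, the timestamps of the mismatches can be lined up against the machine-account lookups logged just before each handshake.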

