[Samba] joining samba 3.0.25b on aix to a native w2k domain

Jeroen Kleijer jeroen.kleijer at xs4all.nl
Sat Jul 7 22:09:01 GMT 2007


Hi,

I've compiled Samba 3.0.25b on an AIX 5.2 machine without any hassle
(also without ADS / Kerberos Support!) but getting it to join our AD
domain is a true PITA.

The AIX machine is called NLXDRZ05, the domain D-REIZEN.INTRA (could
also be D-REIZEN, I'm a Unix guy, not an NT guy and I usually leave that 
stuff to the people that know what they're doing)

I've had a machine account created in the domain, had a user account
created with which I can join the machine to the domain (user smbinst)
after some initial trouble I was able to join the machine to the domain.

The very next day however, it seemed to have lost its trust relationship
and I tried to do the same steps as I did the day before but somehow
this won't work and I can't join the domain any more. I've had the
computer account deleted and recreated but this didn't help.

My smb.conf file looks like this.

#
# $Id: smb.conf,v 1.9 2005/10/31 14:30:25 nl10638 Exp $
#

[global]
##      workgroup = D-REIZEN.INTRA ## (I switch between D-REIZEN and
D-REIZEN.INTRA for testing purposes)
        workgroup = D-REIZEN
        netbios name = NLXDRZ05
        server string = nlxdrz05 - Atos Origin +31(0)40-2785088
        security = DOMAIN
        encrypt passwords = Yes
        password server = 10.100.2.104 10.100.2.105
##      log file = /appl/samba/config/log.smbd
        log level = 2
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        max log size = 500
        username map = /appl/samba/config/username.map
        client use spnego = Yes
##      client schannel = No

(I've tried using the domains / workgroups D-REIZEN.INTRA (which I could
initially join succesfully to but it stated "Succesfully joined the
D-REIZEN domain!") and the plain D-REIZEN domain but to no avail)

Trying to make it join the D-REIZEN.INTRA domain again results in the
following messages: (I'm not quite sure what the NT_STATUS_ACCESS_DENIED
means but I'm not too fond of it)

root at nlxdrz05:/appl/samba/src/samba-3.0.25b/source
/appl/samba/cur/bin/net rpc join -U smbinst MEMBER -w D-REIZEN.INTRA  -I NLXDRZ05 -S 10.100.2.104 -d 3
[2007/07/06 18:24:45, 3] param/loadparm.c:lp_load(5024)
  lp_load: refreshing parameters
[2007/07/06 18:24:45, 3] param/loadparm.c:init_globals(1424)
  Initialising global parameters
[2007/07/06 18:24:45, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/appl/samba/config/smb.conf"
[2007/07/06 18:24:45, 3] param/loadparm.c:do_section(3763)
  Processing section "[global]"
[2007/07/06 18:24:45, 2] lib/interface.c:add_interface(81)
  added interface ip=10.100.2.44 bcast=10.100.2.255 nmask=255.255.255.0
[2007/07/06 18:24:45, 2] lib/interface.c:add_interface(81)
  added interface ip=10.192.20.227 bcast=10.192.20.255 nmask=255.255.255.192
[2007/07/06 18:24:45, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.1.18 bcast=192.168.1.255 nmask=255.255.255.0
[2007/07/06 18:24:45, 3] libsmb/cliconnect.c:cli_start_connection(1505)
  Connecting to host=10.100.2.104
[2007/07/06 18:24:45, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 10.100.2.44 at port 445
[2007/07/06 18:24:46, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine 10.100.2.104 pipe \lsarpc fnum 0x77d0 bind request returned ok.
W[2007/07/06 18:24:46, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine 10.100.2.104 pipe \NETLOGON fnum 0x77d1 bind request returned ok.
[2007/07/06 18:24:46, 3] libsmb/trusts_util.c:just_change_the_password(57)
  just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2007/07/06 18:24:46, 1] utils/net_rpc.c:run_rpc_command(170)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Password: <manually entering the password>
[2007/07/06 18:24:48, 3] libsmb/cliconnect.c:cli_start_connection(1505)
  Connecting to host=10.100.2.104
[2007/07/06 18:24:48, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 10.100.2.44 at port 445
[2007/07/06 18:24:48, 3] libsmb/cliconnect.c:cli_session_setup_spnego(789)
  Doing spnego session setup (blob length=58)
[2007/07/06 18:24:48, 3] libsmb/cliconnect.c:cli_session_setup_spnego(814)
  got OID=1 3 6 1 4 1 311 2 2 10
[2007/07/06 18:24:48, 3] libsmb/cliconnect.c:cli_session_setup_spnego(822)
  got principal=NONE
[2007/07/06 18:24:49, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1018)
  Got challenge flags:
[2007/07/06 18:24:49, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60898215
[2007/07/06 18:24:49, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1040)
  NTLMSSP: Set final flags:
[2007/07/06 18:24:49, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60088215
[2007/07/06 18:24:49, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2007/07/06 18:24:49, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60088215
[2007/07/06 18:24:59, 0] libsmb/clientgen.c:cli_receive_smb(112)
  Receiving SMB: Server stopped responding
[2007/07/06 18:24:59, 3] libsmb/cliconnect.c:cli_session_setup(957)
  SPNEGO login failed: NT_STATUS_IO_TIMEOUT
[2007/07/06 18:24:59, 1] libsmb/cliconnect.c:cli_full_connection(1605)
  failed session setup with NT_STATUS_IO_TIMEOUT
Could not connect to server 10.100.2.104
Connection failed: NT_STATUS_IO_TIMEOUT
[2007/07/06 18:24:59, 2] utils/net.c:main(1032)
  return code = 1


It waits for a couple of seconds, gets a timeout and exits with exit
status 1 not joined to the domain.


If, however, I try to get it to join it to the D-REIZEN domain (instead
of D-REIZEN.INTRA) I don't get the timeout but I immediately get thrown
out with a NT_STATUS_TRUSTED_RELATION_SHIP_FAILURE. (and again, just
prior to enter my password I get the NT_STATUS_ACCESS_DENIED)

root at nlxdrz05:/appl/samba/src/samba-3.0.25b/source
/appl/samba/cur/bin/net rpc join -U smbinst MEMBER -w D-REIZEN -I NLXDRZ05
[2007/07/06 18:32:54, 3] param/loadparm.c:lp_load(5024)
  lp_load: refreshing parameters
[2007/07/06 18:32:54, 3] param/loadparm.c:init_globals(1424)
  Initialising global parameters
[2007/07/06 18:32:54, 3] param/params.c:pm_process(572)
  params.c:pm_process() - Processing configuration file "/appl/samba/config/smb.conf"
[2007/07/06 18:32:54, 3] param/loadparm.c:do_section(3763)
  Processing section "[global]"
[2007/07/06 18:32:54, 2] lib/interface.c:add_interface(81)
  added interface ip=10.192.20.227 bcast=10.192.20.255 nmask=255.255.255.192
[2007/07/06 18:32:54, 2] lib/interface.c:add_interface(81)
  added interface ip=192.168.1.18 bcast=192.168.1.255 nmask=255.255.255.0
[2007/07/06 18:32:54, 3] libsmb/cliconnect.c:cli_start_connection(1505)
  Connecting to host=10.100.2.104
[2007/07/06 18:32:54, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 10.100.2.44 at port 445
[2007/07/06 18:32:54, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine 10.100.2.104 pipe \lsarpc fnum 0x706a bind request returned ok.
[2007/07/06 18:32:54, 3] rpc_client/cli_pipe.c:rpc_pipe_bind(2081)
  rpc_pipe_bind: Remote machine 10.100.2.104 pipe \NETLOGON fnum 0x706b bind request returned ok.
[2007/07/06 18:32:54, 3] libsmb/trusts_util.c:just_change_the_password(57)
  just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2007/07/06 18:32:54, 1] utils/net_rpc.c:run_rpc_command(170)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
Password:
[2007/07/06 18:32:57, 3] libsmb/cliconnect.c:cli_start_connection(1505)
  Connecting to host=10.100.2.104
[2007/07/06 18:32:57, 3] lib/util_sock.c:open_socket_out(874)
  Connecting to 10.100.2.44 at port 445
[2007/07/06 18:32:57, 3] libsmb/cliconnect.c:cli_session_setup_spnego(789)
  Doing spnego session setup (blob length=58)
[2007/07/06 18:32:57, 3] libsmb/cliconnect.c:cli_session_setup_spnego(814)
  got OID=1 3 6 1 4 1 311 2 2 10
[2007/07/06 18:32:57, 3] libsmb/cliconnect.c:cli_session_setup_spnego(822)
  got principal=NONE
[2007/07/06 18:32:57, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1018)
  Got challenge flags:
[2007/07/06 18:32:57, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60898215
[2007/07/06 18:32:57, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(1040)
  NTLMSSP: Set final flags:
[2007/07/06 18:32:57, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60088215
[2007/07/06 18:32:57, 3] libsmb/ntlmssp_sign.c:ntlmssp_sign_init(338)
  NTLMSSP Sign/Seal - Initialising with flags:
[2007/07/06 18:32:57, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
  Got NTLMSSP neg_flags=0x60088215
[2007/07/06 18:32:57, 3] libsmb/cliconnect.c:cli_session_setup(957)
  SPNEGO login failed: Trust relationship failure
[2007/07/06 18:32:57, 1] libsmb/cliconnect.c:cli_full_connection(1605)
  failed session setup with NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
Could not connect to server 10.100.2.104
Connection failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2007/07/06 18:32:57, 2] utils/net.c:main(1032)
  return code = 1

Does this look familiar to any one?

Regards,

Jeroen Kleijer



More information about the samba mailing list