R: [Samba] AD domain membership problem

Gianluca Culot gianlucaculot at dmsware.com
Tue Jul 10 07:23:54 GMT 2007


 

> -----Original Message-----
> From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org 
> [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org]
> On behalf of Stephen Roylance
> Sent: Sunday, 8 July 2007 0.09
> To: samba at lists.samba.org
> Subject: [Samba] AD domain membership problem
> 
> Hello, and thanks in advance for any assistance.
> I have a linux machine that I'm trying to join to a windows 
> 2003 sp1 active directory.  The specifics are:
> RHEL5, samba version samba-3.0.23c-2.el5.2.0.2 a firewall 
> between this server and the rest of the world (which includes 
> the DCs), ports are open for kerberos and CIFS inbound and 
> kerberos, CIFS, NTP and UDP outbound.
> this machine (server.sub.domain.org) is in a subdomain of the 
> AD domain
> (domain.org)
> 
> I am able to run net ads join -U me createcomputer="/myOU/" 
> and it seems to succeed.  net ads testjoin, net ads info, etc 
> all seem to work correctly.  When I try to connect remotely 
> or use smbclient locally with -U me -W domain.org it fails 
> with "session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE"
> and I see errors like:
> [2007/07/07 17:50:54, 0]
> rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2673)
>   cli_rpc_pipe_open_schannel: failed to get schannel session 
> key from server DC1.DOMAIN.ORG for domain DOMAIN.
> [2007/07/07 17:50:54, 0]
> auth/auth_domain.c:connect_to_domain_password_server(112)
>   connect_to_domain_password_server: unable to open the 
> domain client session to machine DC1.DOMAIN.ORG. Error was : 
> NT_STATUS_ACCESS_DENIED.
> [2007/07/07 17:50:54, 0] 
> auth/auth_domain.c:domain_client_validate(206)
>   domain_client_validate: Domain password server not available.
> 
> running net ads changetrustpw hangs and never returns.
> I've tried dropping and re-joining the machine to the domain 
> many times, every now and then it fails, but usually 
> succeeds, but still does not allow connections using domain 
> credentials.
> 
> Any suggestions appreciated
> -Steve
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
> 

Hello Steve

I've reported similar problems to the list but never got a hint.
I've solved a very similar issue by making
Samba Server a WINS server and forcing it to solve hostnames against DNS.
Of course the server is equipped with a DNS server too ;)

Here is an excerpt of my configuration file
#smb.conf
[global]
        workgroup = DMSWARE
        Wins support = yes
        dns proxy = yes
        #name resolve order = host wins bcast
        name resolve order = wins lmhosts hosts bcast
        local master = yes
        #domain master = yes
        domain master = no
        preferred master = auto
        enhanced browsing = yes
        #encrypt password = yes         # YES = Default

Be aware this doesn't solve all the issues with a firewall
Net rpc testjoin only works if you specify -S <servername> attribute.

Looks like Samba falls on BCAST with some commands, ignoring every other name
solving mechanism

Hope this helps
Gianluca



