R: [Samba] AD domain membership problem
Gianluca Culot
gianlucaculot at dmsware.com
Tue Jul 10 07:23:54 GMT 2007
> -----Original Message-----
> From: samba-bounces+gianlucaculot=dmsware.com at lists.samba.org
> [mailto:samba-bounces+gianlucaculot=dmsware.com at lists.samba.org]
> On behalf of Stephen Roylance
> Sent: Sunday, 8 July 2007 0.09
> To: samba at lists.samba.org
> Subject: [Samba] AD domain membership problem
>
> Hello, and thanks in advance for any assistance.
> I have a linux machine that I'm trying to join to a windows
> 2003 sp1 active directory. The specifics are:
> RHEL5, samba version samba-3.0.23c-2.el5.2.0.2 a firewall
> between this server and the rest of the world (which includes
> the DCs), ports are open for kerberos and CIFS inbound and
> kerberos, CIFS, NTP and UDP outbound.
> this machine (server.sub.domain.org) is in a subdomain of the
> AD domain
> (domain.org)
>
> I am able to run net ads join -U me createcomputer="/myOU/"
> and it seems to succeed. net ads testjoin, net ads info, etc
> all seem to work correctly. When I try to connect remotely
> or use smbclient locally with -U me -W domain.org it fails
> with "session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE"
> and I see errors like:
> [2007/07/07 17:50:54, 0]
> rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2673)
> cli_rpc_pipe_open_schannel: failed to get schannel session
> key from server DC1.DOMAIN.ORG for domain DOMAIN.
> [2007/07/07 17:50:54, 0]
> auth/auth_domain.c:connect_to_domain_password_server(112)
> connect_to_domain_password_server: unable to open the
> domain client session to machine DC1.DOMAIN.ORG. Error was :
> NT_STATUS_ACCESS_DENIED.
> [2007/07/07 17:50:54, 0]
> auth/auth_domain.c:domain_client_validate(206)
> domain_client_validate: Domain password server not available.
>
> running net ads changetrustpw hangs and never returns.
> I've tried dropping and re-joining the machine to the domain
> many times, every now and then it fails, but usually
> succeeds, but still does not allow connections using domain
> credentials.
>
> Any suggestions appreciated
> -Steve
Hello Steve
I've reported similar problems to the list but never got a hint.
I've solved a very similar issue by making the
Samba server a WINS server and forcing it to resolve hostnames against DNS.
Of course the server is equipped with a DNS server too ;)
Here is an excerpt of my configuration file
#smb.conf
[global]
workgroup = DMSWARE
Wins support = yes
dns proxy = yes
#name resolve order = host wins bcast
name resolve order = wins lmhosts hosts bcast
local master = yes
#domain master = yes
domain master = no
preferred master = auto
enhanced browsing = yes
#encrypt password = yes # YES = Default
Be aware this doesn't solve all the issues with a firewall
Net rpc testjoin only works if you specify -S <servername> attribute.
Looks like Samba falls back on BCAST with some commands, ignoring every other
name solving mechanism
Hope this helps
Gianluca
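
As an added example (not part of either message and not Samba project code), this Python script groups the level-0 errors quoted above by domain controller and NT status, so it is easy to see whether the secure-channel failures are tied to one DC. The sample log is constructed from the messages in the thread; the function names and the rule that an entry naming no server belongs to the most recently named DC are assumptions.

```python
import re

# Samba 3.0 debug entry: "[date time, level] file.c:function(line)" then free text.
# Matching over the whole text tolerates mail-wrapped copies of the log.
ENTRY = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(\d+)\]\s*"
    r"(\S+?):(\w+)\((\d+)\)\s*(.*?)(?=\[\d{4}/\d{2}/\d{2} |\Z)", re.S)
STATUS = re.compile(r"NT_STATUS_[A-Z0-9_]+")
SERVER = re.compile(r"(?:from server|to machine) ([\w.-]+)")

# Constructed sample: the three messages quoted in the thread, one header per line.
SAMPLE = """\
[2007/07/07 17:50:54, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2673)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server DC1.DOMAIN.ORG for domain DOMAIN.
[2007/07/07 17:50:54, 0] auth/auth_domain.c:connect_to_domain_password_server(112)
  connect_to_domain_password_server: unable to open the domain client session to machine DC1.DOMAIN.ORG.
  Error was : NT_STATUS_ACCESS_DENIED.
[2007/07/07 17:50:54, 0] auth/auth_domain.c:domain_client_validate(206)
  domain_client_validate: Domain password server not available.
"""

def parse_entries(text):
    """Return one dict per log entry, with continuation lines folded in."""
    return [{"time": t, "level": int(lvl), "source": src, "function": fn,
             "message": " ".join(msg.split())}
            for t, lvl, src, fn, _line, msg in ENTRY.findall(text)]

def channel_failures(entries):
    """Per-DC view of level-0 errors: failing call chain and NT status codes."""
    report, last_dc = {}, None
    for e in entries:
        if e["level"] != 0:
            continue
        m = SERVER.search(e["message"])
        if m:
            last_dc = m.group(1).rstrip(".")
        if last_dc is None:
            continue  # no DC named yet, nothing to attribute the error to
        # Assumption: an entry that names no server follows from the last DC seen.
        info = report.setdefault(last_dc, {"functions": [], "statuses": set()})
        info["functions"].append(e["function"])
        info["statuses"].update(STATUS.findall(e["message"]))
    return report

if __name__ == "__main__":
    for dc, info in channel_failures(parse_entries(SAMPLE)).items():
        print(dc, " -> ".join(info["functions"]), sorted(info["statuses"]))
```
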