[Samba] Can't join AD anymore after migration to 3.0.30

Guenther Deschner gd at samba.org
Thu Jun 5 17:47:00 GMT 2008


Jens Nissen wrote:
> I doff my hat, indeed, my SBS2000 is running SP1.
> 
> (Microsoft never provided updates for SBS2000 beyond SP1,
> there were individual updates for Windows, Exchange, SQL, IIE ... but 
> they were partially incompatible with SBS2000, so there might be more 
> machines out there!!)
> 
> I updated to SP4, now I get the next error: 
> NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
> 
> Is it possible, that this is already a known issue in Samba 3.2.0 and 
> needs to be back-ported to Samba 3.0.30?
> See 
> http://lists-archives.org/samba/34051-net-ads-join-fails-with-nt_status_nologon_workstation_trust_account.html 
> 

Yeah, it's a known issue.

Can you please try attached patch?

Thanks,
Guenther
-- 
Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org
-------------- next part --------------
>From 97a81114e608927af3b94cd1c561e7f8359907d2 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Thu, 5 Jun 2008 16:26:10 +0200
Subject: [PATCH] net: fix joining w2k domains in "security = ads".

This repairs the join verification code which needs to try an anonymous
connection (as an authenticated connection will always fail with
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT).

Guenther
---
 source/utils/net.c          |   61 ++++++++++++++++++++++++------------------
 source/utils/net_rpc_join.c |    6 +---
 2 files changed, 36 insertions(+), 31 deletions(-)

diff --git a/source/utils/net.c b/source/utils/net.c
index 5a81edb..d8ea462 100644
--- a/source/utils/net.c
+++ b/source/utils/net.c
@@ -181,27 +181,30 @@ NTSTATUS connect_to_service(struct cli_state **c, struct in_addr *server_ip,
 					opt_user_name, opt_workgroup,
 					opt_password, 0, Undefined, NULL);
 
-	if (NT_STATUS_IS_OK(nt_status)) {
+	if (NT_STATUS_IS_OK(nt_status) ||
+	    NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT) ||
+	    NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT) ||
+	    NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
 		return nt_status;
-	} else {
-		d_fprintf(stderr, "Could not connect to server %s\n", server_name);
+	}
 
-		/* Display a nicer message depending on the result */
+	d_fprintf(stderr, "Could not connect to server %s\n", server_name);
 
-		if (NT_STATUS_V(nt_status) == 
-		    NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
-			d_fprintf(stderr, "The username or password was not correct.\n");
+	/* Display a nicer message depending on the result */
 
-		if (NT_STATUS_V(nt_status) == 
-		    NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
-			d_fprintf(stderr, "The account was locked out.\n");
+	if (NT_STATUS_V(nt_status) ==
+	    NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
+		d_fprintf(stderr, "The username or password was not correct.\n");
 
-		if (NT_STATUS_V(nt_status) == 
-		    NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
-			d_fprintf(stderr, "The account was disabled.\n");
+	if (NT_STATUS_V(nt_status) ==
+	    NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
+		d_fprintf(stderr, "The account was locked out.\n");
 
-		return nt_status;
-	}
+	if (NT_STATUS_V(nt_status) ==
+	    NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
+		d_fprintf(stderr, "The account was disabled.\n");
+
+	return nt_status;
 }
 
 
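Review bot: The three NT_STATUS_NOLOGON_*_TRUST_ACCOUNT statuses are now returned from connect_to_service on the same early-return path as NT_STATUS_OK, without the "Could not connect" diagnostic, yet cli_full_connection has failed in that case, so `*c` is presumably not a usable connection (it is not assigned on failure in this code base; worth confirming). Nothing in the hunk records that a "quiet" non-OK return still means "no connection", so a caller that treats "no message was printed" as success would use an invalid handle. I would put a comment above the condition: `/* Trust-account logons are refused by design (w2k); return quietly so the caller can fall back to an anonymous session. *c is only valid when NT_STATUS_IS_OK(nt_status). */`. The start of connect_to_service lies outside the hunk.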
@@ -481,7 +484,7 @@ struct cli_state *net_make_ipc_connection_ex( const char *domain, const char *se
 	char *server_name = NULL;
 	struct in_addr server_ip;
 	struct cli_state *cli = NULL;
-	NTSTATUS nt_status;
+	NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
 
 	if ( !server || !ip ) {
 		if (!net_find_server(domain, flags, &server_ip, &server_name)) {
@@ -493,25 +496,31 @@ struct cli_state *net_make_ipc_connection_ex( const char *domain, const char *se
 		server_ip = *ip;
 	}
 
+	if (opt_user_name && opt_password) {
+		nt_status = connect_to_ipc(&cli, &server_ip, server_name);
+		if (NT_STATUS_IS_OK(nt_status)) {
+			goto connected;
+		}
+	}
 	if (flags & NET_FLAGS_ANONYMOUS) {
 		nt_status = connect_to_ipc_anonymous(&cli, &server_ip, server_name);
-	} else {
-		nt_status = connect_to_ipc(&cli, &server_ip, server_name);
+		if (NT_STATUS_IS_OK(nt_status)) {
+			goto connected;
+		}
 	}
 
+	SAFE_FREE(server_name);
+	d_fprintf(stderr, "Connection failed: %s\n",
+		  nt_errstr(nt_status));
+	return NULL;
+
+ connected:
 	/* store the server in the affinity cache if it was a PDC */
 
 	if ( (flags & NET_FLAGS_PDC) && NT_STATUS_IS_OK(nt_status) )
 		saf_store( cli->server_domain, cli->desthost );
 
-	SAFE_FREE(server_name);
-	if (NT_STATUS_IS_OK(nt_status)) {
-		return cli;
-	} else {
-		d_fprintf(stderr, "Connection failed: %s\n",
-			  nt_errstr(nt_status));
-		return NULL;
-	}
+	return cli;
 }
 
 static int net_user(int argc, const char **argv)
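Review bot: The gate `if (opt_user_name && opt_password)` changes which callers get an authenticated attempt at all: before this hunk, a caller without NET_FLAGS_ANONYMOUS always went through connect_to_ipc, now it makes no connection attempt whenever opt_password is NULL and fails with the pre-set NT_STATUS_UNSUCCESSFUL, and the "Connection failed" message does not say that nothing was tried. If opt_password can be NULL here (e.g. a user name given without a password, which main() may or may not prompt for — outside this hunk), the old behaviour is kept by gating on the flags as well: `if (!(flags & NET_FLAGS_ANONYMOUS) || (opt_user_name && opt_password)) {`. A secondary point: when both attempts run and both fail, only the anonymous status reaches the "Connection failed" line, so the more informative credential error is lost; and when the credentialed attempt fails with e.g. LOGON_FAILURE but the anonymous one succeeds, connect_to_service has already printed an error for a call that then returns a valid cli — a short note that this fallback is intentional would help the next reader. net_make_ipc_connection_ex starts outside this hunk.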
diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c
index 63e77b3..361a319 100644
--- a/source/utils/net_rpc_join.c
+++ b/source/utils/net_rpc_join.c
@@ -45,7 +45,7 @@ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
 {
 	uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
 	enum security_types sec;
-	unsigned int conn_flags = NET_FLAGS_PDC;
+	unsigned int conn_flags = NET_FLAGS_PDC | NET_FLAGS_ANONYMOUS;
 	struct cli_state *cli = NULL;
 	struct rpc_pipe_client *pipe_hnd = NULL;
 	struct rpc_pipe_client *netlogon_pipe = NULL;
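Review bot: NET_FLAGS_ANONYMOUS is now set unconditionally on the initializer line, but the only explanation of why an anonymous SMB session is acceptable for a join check — the WinNT comment in the else branch — is deleted by the next hunk, so the new code carries no rationale and a future cleanup could drop the flag again. I would keep the reason on the declaration: `/* Always allow an anonymous fallback: some servers (e.g. WinNT) reject machine-authenticated smb connections, and w2k returns NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT for them. */`. If the actual verification afterwards authenticates with the machine account over the netlogon pipe (outside this hunk), saying so in the same comment makes clear that the anonymous session does not weaken the check.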
@@ -58,10 +58,6 @@ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
 		   connection here, as it may be denied by server's local policy. */
 		net_use_machine_account();
 
-	} else {
-		/* some servers (e.g. WinNT) don't accept machine-authenticated
-		   smb connections */
-		conn_flags |= NET_FLAGS_ANONYMOUS;
 	}
 
 	/* Connect to remote machine */
-- 
1.5.5.1


