[Samba] Can't join AD anymore after migration to 3.0.30
Guenther Deschner
gd at samba.org
Thu Jun 5 17:47:00 GMT 2008
Jens Nissen wrote:
> I doff my hat, indeed, my SBS2000 is running SP1.
>
> (Microsoft never provided updates for SBS2000 beyond SP1,
> there were individual updates for Windows, Exchange, SQL, IIE ... but
> they were partially incompatible with SBS2000, so there might be more
> machines out there!!)
>
> I updated to SP4, now I get the next error:
> NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
>
> Is it possible, that this is already a known issue in Samba 3.2.0 and
> needs to be back-ported to Samba 3.0.30?
> See
> http://lists-archives.org/samba/34051-net-ads-join-fails-with-nt_status_nologon_workstation_trust_account.html
>
Yeah, it's a known issue.
Can you please try attached patch?
Thanks,
Guenther
--
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner at redhat.com
Samba Team gd at samba.org
-------------- next part --------------
>From 97a81114e608927af3b94cd1c561e7f8359907d2 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?G=C3=BCnther=20Deschner?= <gd at samba.org>
Date: Thu, 5 Jun 2008 16:26:10 +0200
Subject: [PATCH] net: fix joining w2k domains in "security = ads".
This repairs the join verification code which needs to try an anonymous
connection (as an authenticated connection will always fail with
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT).
Guenther
---
source/utils/net.c | 61 ++++++++++++++++++++++++------------------
source/utils/net_rpc_join.c | 6 +---
2 files changed, 36 insertions(+), 31 deletions(-)
diff --git a/source/utils/net.c b/source/utils/net.c
index 5a81edb..d8ea462 100644
--- a/source/utils/net.c
+++ b/source/utils/net.c
@@ -181,27 +181,30 @@ NTSTATUS connect_to_service(struct cli_state **c, struct in_addr *server_ip,
opt_user_name, opt_workgroup,
opt_password, 0, Undefined, NULL);
- if (NT_STATUS_IS_OK(nt_status)) {
+ if (NT_STATUS_IS_OK(nt_status) ||
+ NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT) ||
+ NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT) ||
+ NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
return nt_status;
- } else {
- d_fprintf(stderr, "Could not connect to server %s\n", server_name);
+ }
- /* Display a nicer message depending on the result */
+ d_fprintf(stderr, "Could not connect to server %s\n", server_name);
- if (NT_STATUS_V(nt_status) ==
- NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
- d_fprintf(stderr, "The username or password was not correct.\n");
+ /* Display a nicer message depending on the result */
- if (NT_STATUS_V(nt_status) ==
- NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
- d_fprintf(stderr, "The account was locked out.\n");
+ if (NT_STATUS_V(nt_status) ==
+ NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
+ d_fprintf(stderr, "The username or password was not correct.\n");
- if (NT_STATUS_V(nt_status) ==
- NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
- d_fprintf(stderr, "The account was disabled.\n");
+ if (NT_STATUS_V(nt_status) ==
+ NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
+ d_fprintf(stderr, "The account was locked out.\n");
- return nt_status;
- }
+ if (NT_STATUS_V(nt_status) ==
+ NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
+ d_fprintf(stderr, "The account was disabled.\n");
+
+ return nt_status;
}
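Review bot: The widened early return at the top of this hunk has no comment explaining why the three `NT_STATUS_NOLOGON_*_TRUST_ACCOUNT` results skip the "Could not connect to server" message. It applies to every caller of connect_to_service, not only the join verification named in the commit message, so a caller that does not print the status itself now fails silently on these codes. I would add above the condition `/* trust-account logon refusals are expected during join verification; return quietly so the caller can retry anonymously */`. The new test also uses `NT_STATUS_EQUAL` while the messages below still compare `NT_STATUS_V(...)` values; a single form would read better. connect_to_service starts outside the hunk.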
@@ -481,7 +484,7 @@ struct cli_state *net_make_ipc_connection_ex( const char *domain, const char *se
char *server_name = NULL;
struct in_addr server_ip;
struct cli_state *cli = NULL;
- NTSTATUS nt_status;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
if ( !server || !ip ) {
if (!net_find_server(domain, flags, &server_ip, &server_name)) {
@@ -493,25 +496,31 @@ struct cli_state *net_make_ipc_connection_ex( const char *domain, const char *se
server_ip = *ip;
}
+ if (opt_user_name && opt_password) {
+ nt_status = connect_to_ipc(&cli, &server_ip, server_name);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ goto connected;
+ }
+ }
if (flags & NET_FLAGS_ANONYMOUS) {
nt_status = connect_to_ipc_anonymous(&cli, &server_ip, server_name);
- } else {
- nt_status = connect_to_ipc(&cli, &server_ip, server_name);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ goto connected;
+ }
}
+ SAFE_FREE(server_name);
+ d_fprintf(stderr, "Connection failed: %s\n",
+ nt_errstr(nt_status));
+ return NULL;
+
+ connected:
/* store the server in the affinity cache if it was a PDC */
if ( (flags & NET_FLAGS_PDC) && NT_STATUS_IS_OK(nt_status) )
saf_store( cli->server_domain, cli->desthost );
- SAFE_FREE(server_name);
- if (NT_STATUS_IS_OK(nt_status)) {
- return cli;
- } else {
- d_fprintf(stderr, "Connection failed: %s\n",
- nt_errstr(nt_status));
- return NULL;
- }
+ return cli;
}
static int net_user(int argc, const char **argv)
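Review bot: On the `connected:` path `server_name` is no longer released. The `SAFE_FREE(server_name);` that used to run before both returns now sits only in front of `return NULL;`, so each successful connection appears to leak the name filled in by net_find_server (the other assignment is outside the hunk). Restoring `SAFE_FREE(server_name);` just before `return cli;` keeps the old behaviour. Separately, a caller that passes NET_FLAGS_ANONYMOUS now has `opt_user_name`/`opt_password` presented to the server first whenever both are set, while a caller without that flag and without both options makes no connection attempt and reports the initial NT_STATUS_UNSUCCESSFUL. Both changes deserve a comment at the top of the block, or a dedicated flag for the authenticated-then-anonymous order; the function starts outside the hunk.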
diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c
index 63e77b3..361a319 100644
--- a/source/utils/net_rpc_join.c
+++ b/source/utils/net_rpc_join.c
@@ -45,7 +45,7 @@ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
{
uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
enum security_types sec;
- unsigned int conn_flags = NET_FLAGS_PDC;
+ unsigned int conn_flags = NET_FLAGS_PDC | NET_FLAGS_ANONYMOUS;
struct cli_state *cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
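Review bot: Setting `NET_FLAGS_ANONYMOUS` in the initializer makes the anonymous fallback available on every run of net_rpc_join_ok. That includes the branch in the following hunk whose retained comment ends "as it may be denied by server's local policy" and seems to argue against an anonymous connection there (its start is outside the hunk, so this is a guess). The rationale deleted in that hunk is not replaced, so I would document the flag at the declaration, for example `/* allow anonymous fallback: w2k DCs refuse the machine-authenticated connection with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT */`, and reword the older comment to match. The function body continues past this hunk.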
@@ -58,10 +58,6 @@ int net_rpc_join_ok(const char *domain, const char *server, struct in_addr *ip )
connection here, as it may be denied by server's local policy. */
net_use_machine_account();
- } else {
- /* some servers (e.g. WinNT) don't accept machine-authenticated
- smb connections */
- conn_flags |= NET_FLAGS_ANONYMOUS;
}
/* Connect to remote machine */
--
1.5.5.1