[Samba] enable client to join domain with no or any password?

David Mathog mathog at caltech.edu
Wed Aug 18 15:58:11 MDT 2010 

> It looks like I am getting a little ahead of myself.
Make that WAY ahead of myself.

I _really_ do not understand the transaction between the client and the
server when it joins or removes itself from a domain.  I monitored this
with log level set to 31 and wireshark running with "host (server
address)".  Then tried to remove a client from the domain first with
powershell's "remove-computer" and then with 
  start->control panels->system
and change the name.

(on client)

powershell
remove-computer -cred root
(enter password)
(enter Y)

triggers on server, with logging at 31

[2010/08/18 14:04:38,  5] auth/token_util.c:522(debug_nt_user_token)
  NT user token: (NULL)
[2010/08/18 14:04:38,  5] auth/token_util.c:548(debug_unix_user_token)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2010/08/18 14:04:38, 10] passdb/pdb_smbpasswd.c:1283(smbpasswd_getsampwnam)
  getsampwnam (smbpasswd): search by name: root

(runs through a zillion users like this one)

[2010/08/18 14:04:38,  5] passdb/pdb_smbpasswd.c:527(getsmbfilepwent)
  getsmbfilepwent: returning passwd entry for user auser, uid 2288

(until it gets to this)

[2010/08/18 14:04:38,  5] passdb/pdb_smbpasswd.c:527(getsmbfilepwent)
  getsmbfilepwent: returning passwd entry for user root, uid 0
[2010/08/18 14:04:38,  7] passdb/pdb_smbpasswd.c:346(endsmbfilepwent)
  endsmbfilepwent_internal: closed password file.
[2010/08/18 14:04:38, 10] passdb/pdb_smbpasswd.c:1305(smbpasswd_getsampwnam)
  getsampwnam (smbpasswd): found by name: root
[2010/08/18 14:04:38,  5] lib/username.c:133(Get_Pwnam_alloc)
  Finding user root
[2010/08/18 14:04:38,  5] lib/username.c:77(Get_Pwnam_internals)
  Trying _Get_Pwnam(), username as lowercase is root
[2010/08/18 14:04:38,  5] lib/username.c:110(Get_Pwnam_internals)
  Get_Pwnam_internals did find user [root]!
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:607(pdb_set_username)
  pdb_set_username: setting username root, was 
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:509(pdb_set_init_flags)
  element 12 -> now SET
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:676(pdb_set_fullname)
  pdb_set_full_name: setting full name root, was 
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:509(pdb_set_init_flags)
  element 13 -> now SET
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:630(pdb_set_domain)
  pdb_set_domain: setting domain SAF, was 
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:521(pdb_set_init_flags)
  element 14 -> now DEFAULT
[2010/08/18 14:04:38, 11] passdb/pdb_get_set.c:521(pdb_set_init_flags)
  element 20 -> now DEFAULT
[2010/08/18 14:04:38, 10] passdb/pdb_get_set.c:722(pdb_set_profile_path)
  pdb_set_profile_path: setting profile path
\\safserver\profiles\root\UNKNOWN, was 

(it is trying to do a normal login, but this isn't a normal account, in
particular it does NOT have a home directory or an existing profile)

Meanwhile wireshark on the client shows

5	12:05:15.585593000	131.215.12.46	131.215.12.42	SMB_NETLOGON	SAM LOGON
request from client
6	12:05:15.586523000	131.215.12.42	131.215.12.46	SMB_NETLOGON	SAM
Response - user unknown
7	12:05:15.685100000	131.215.12.46	131.215.12.42	SMB_NETLOGON	Query for
PDC from SAF04
8	12:05:15.685790000	131.215.12.42	131.215.12.46	SMB_NETLOGON	Response
from PDC: host SAFSERVER, domain SAF

(this disconnect fails)

(On client use 
  start-> control panel -> SYSTEM
to change SAF (Domain) -> NOTSAF (workgroup)

Wireshark shows the same 4 records as above, of course with a different
time stamp, but BEFORE the client prompts for an account to use.  Enter
the account info (root/password for room in smbpasswd) and hit return
and nothing new shows up in wireshark!  Huh????  How can the client
remove itself from the server without telling the server?  Perhaps that
actually happens at the mandatory reboot, where, inconveniently,
wireshark is not running on the client.)


FINALLY, just to make life really strange, this machine has no default
suffix ("").  That isn't the strange part, there is a SearchList
registry entry ("bio.caltech.edu,caltech.edu") and since the machine
answers to both machine.bio.caltech.edu and machine.caltech.edu
everything works fine.  When the machine is added back to the Samba
domain with

   start -> control panel -> system

W7 pops up an error message about the default suffix, and changes the
suffix to the domain name at the mandatory reboot.  Yes, it was told NOT
to do this (under more options).  This is a problem as the Domain name
is not a proper DNS suffix, so that screws up the network.  It can be
set back to "" from a command prompt with:

reg add HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v
Domain /t REG_SZ /d "" /f

but at the next boot the value is once again filled in with the Samba
domain.  In a command prompt

ping thismachine
(shows thismachine.SAF)

but

ping anothermachine
(shows anothermachine.bio.caltech.edu)

W7 seems hell bent on filling in the Primary DNS Suffix with the
controller's domain.  WHY?

Can somebody please shed some light on (any of) this?

Thank you,

David Mathog
mathog at caltech.edu
Manager, Sequence Analysis Facility, Biology Division, Caltech

More information about the samba mailing list