[Samba] PDC domain membership (was: winbind authentification trouble)

Stefan Froehlich samba at froehlich.priv.at
Thu Sep 9 13:06:46 MDT 2010

Dale, thanks for your response.

On Thu, Sep 09, 2010 at 12:50:46PM -0500, Dale Schroeder wrote:
> I used the pam settings from this article as a starting point.
> http://www.enterprisenetworkingplanet.com/netos/article.php/10951_3502441_1

I know the mechanics of pam quite well and thus saw that the differences
between my setup and the one in this article are negligible. I kept on
trying, however, and at some point I found out that the error messages
are... misleading: the real problem is on the other end of the line.

I did:

| herkules:~# pdbedit -a -m -u gatekeeper
| Unix username:        gatekeeper$
| NT username:          
| Account Flags:        [W          ]
| [...]
| gatekeeper:~# net join member
| Joined domain SYNTH.

On herkules, this is (I assume) confirmed in the server logs:

| secrets_store_schannel_session_info: stored schannel info with key SECRETS/SCHANNEL/GATEKEEPER
| _netr_ServerPasswordSet: Server Password Set by remote machine:[GATEKEEPER] on account [GATEKEEPER$]

However, as soon as the message "invalid parameter" is generated on
the client side, I can see in the server log:

| _netr_LogonSamLogon: creds_server_step failed. Rejecting auth request from client GATEKEEPER machine account GATEKEEPER$

The reason for this can easily be googled: "Your machine thinks it is
part of the domain, but your DC/server does not". What I could not find
is: the cause for such a behaviour (several other machines can
authenticate with the same PDC quite well, so I assume the basic
configuration to be fine).
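
An added example, not part of the original message: a small script that correlates the three smbd messages quoted above per client, to show which machines logged a password set at join time and were then rejected at logon. The sample log is constructed from those messages, and the second client WS01 is hypothetical.

```python
import re

# Constructed sample built from the three smbd messages quoted in the post.
# WS01 is a hypothetical second client, added for contrast.
SAMPLE_LOG = """\
secrets_store_schannel_session_info: stored schannel info with key SECRETS/SCHANNEL/GATEKEEPER
_netr_ServerPasswordSet: Server Password Set by remote machine:[GATEKEEPER] on account [GATEKEEPER$]
secrets_store_schannel_session_info: stored schannel info with key SECRETS/SCHANNEL/WS01
_netr_ServerPasswordSet: Server Password Set by remote machine:[WS01] on account [WS01$]
_netr_LogonSamLogon: creds_server_step failed. Rejecting auth request from client GATEKEEPER machine account GATEKEEPER$
_netr_LogonSamLogon: creds_server_step failed. Rejecting auth request from client GATEKEEPER machine account GATEKEEPER$
"""

# One pattern per message type; group 1 is the client's machine name.
PATTERNS = {
    "schannel_stored": re.compile(r"stored schannel info with key SECRETS/SCHANNEL/(\S+)"),
    "password_set": re.compile(r"Server Password Set by remote machine:\[([^\]]+)\]"),
    "auth_rejected": re.compile(r"creds_server_step failed\. Rejecting auth request from client (\S+)"),
}

def correlate(log_text):
    """Return {client: counters} for the three message types, in log order."""
    state = {}
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            rec = state.setdefault(m.group(1).upper(), dict.fromkeys(
                [*PATTERNS, "rejected_after_join"], 0))
            rec[name] += 1
            # Count only rejections logged after a password set was seen.
            if name == "auth_rejected" and rec["password_set"]:
                rec["rejected_after_join"] += 1
            break
    return state

def joined_but_rejected(log_text):
    """Clients with a logged password set followed by rejected logons."""
    return sorted(c for c, rec in correlate(log_text).items()
                  if rec["rejected_after_join"])

if __name__ == "__main__":
    for client, rec in sorted(correlate(SAMPLE_LOG).items()):
        print(client, rec)
    print("joined but rejected:", joined_but_rejected(SAMPLE_LOG))
```

The patterns use `search`, so they also match when smbd prints the message on an indented line below its timestamp header.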


