[Samba] PDC domain membership (was: winbind authentification trouble)
samba at froehlich.priv.at
Thu Sep 9 13:06:46 MDT 2010
Dale, thanks for your response.
On Thu, Sep 09, 2010 at 12:50:46PM -0500, Dale Schroeder wrote:
> I used the pam settings from this article as a starting point.
I know the mechanics of pam quite well and thus saw that the differences
between my setup and the one in this article are negligible. I kept on
trying, however, and at some point I found out that the error messages
are... misleading: the real problem is on the other end of the line.
| herkules:~# pdbedit -a -m -u gatekeeper
| Unix username: gatekeeper$
| NT username:
| Account Flags: [W ]
| gatekeeper:~# net join member
| Joined domain SYNTH.
On herkules, this is (I assume) confirmed in the server logs:
| secrets_store_schannel_session_info: stored schannel info with key SECRETS/SCHANNEL/GATEKEEPER
| _netr_ServerPasswordSet: Server Password Set by remote machine:[GATEKEEPER] on account [GATEKEEPER$]
However, as soon as the message "invalid parameter" is generated on
the client side, I can see in the server log:
| _netr_LogonSamLogon: creds_server_step failed. Rejecting auth request from client GATEKEEPER machine account GATEKEEPER$
The reason for this can easily be googled: "Your machine thinks it is
part of the domain, but your DC/server does not". What I could not find
is: the cause for such a behaviour (several other machines can
authenticate with the same PDC quite well, so I assume the basic
configuration to be fine).