Hi everybody,

I have a problem with the join NT domain procedure.
I would like to use the "security = domain" authentication mode.
Therefore, I followed the instructions found in the DOMAIN_MEMBER.txt
file, by Jeremy Allison.

Here is my config :

samba box (newly configured) :
  hostname : host201
  netbios name : host201
  OS : Solaris 7
  samba version : 2.0.7
NT domain :
  domain name : DOM5
  PDC : PDC407
  PDC OS : NT 4 service pack 5
  WINS server : WINS406 which is also NT 4 / SP 5

Here is what I get :

step 1 : On the PDC (PDC407), adding the netbios name of the samba box
(host201) with the "server manager for domains" tool, as a "Windows NT
workstation or server".
=> OK.

step 2 : stopping the samba daemons on the samba box (host201)
=> OK.

step 3 : joining the domain with the command :

  smbpasswd -j DOM5 -r PDC407

=> not OK ; damn !

I got the following messages :

--
host201 # smbpasswd -j DOM5 -r PDC407
cli_net_srv_pwset: NT_STATUS_WRONG_PASSWORD
modify_trust_password: unable to change password for machine HOST201 in domain DOM5 to Domain controller PDC407. Error was NT_STATUS_WRONG_PASSWORD.
2001/02/20 16:29:18 : change_trust_account_password: Failed to change password for domain DOM5.
Unable to join domain DOM5.
host201 #
--

Here is an extract of my smb.conf file when in step 1 :

--
[global]
  workgroup = DOM5
  netbios name = host201
  security = server
  password server = PDC407
  wins server = WINS406
--

I checked the samba mailing list archive from January 2000 to February
2001 but found nothing regarding this problem.

I believe that the step 1 phase would create a trust account for the
samba box, with a well-known initial trust account password. This
allows smbpasswd to join the domain. Maybe there is something wrong in
that area ? Unfortunately, I don't know the NT mechanisms well enough to
figure it out.

If anyone has any idea... please help !
Thanks,
Damien.
Roman, James (J.D.)
2001-Feb-20 17:09 UTC
Join NT Domain : password problem, or so it seems
Before you try again. Search to see if there is a (NTDOMAIN NAME).(SAMBA
SERVER NAME).mac file on your system. If so delete it. Go back to your NT
PDC and remove the samba machines account from server manager. WAIT 15
MINUTES FOR THE NT SAM DATABASE TO UPDATE!!!!

Now start from scratch. Change your smb.conf, so that netbios name = HOST201
(All CAPS) (By the way HOST201 is unique on the network, isn't it?) Re-add
the Samba server (HOST201) to the domain as a workstation in server manager.
Now try the smbpasswd -j DOM5 -r PDC407 line again (Make sure you are root,
and that you have write access to the samba installation directory, probably
the same as where your smbpasswd file is located.)

Let me know if this helps.
Roman, James (J.D.)
2001-Feb-20 19:30 UTC
Join NT Domain : password problem, or so it seems
Are all the machines on the same subnet? Or more specifically, are you on
the same subnet as PDC407? Try "nmblookup -M - -T" and see if your PDC or
WINS server comes back.

One other distant possibility, have you set Encrypt Passwords = Yes?

-----Original Message-----
From: Damien Veillon [mailto:Damien.Veillon@alcatel.fr]
Sent: Tuesday, February 20, 2001 12:49 PM
To: samba@us5.samba.org
Subject: RE: Join NT Domain : password problem, or so it seems

James, thanks for your answer... unfortunately your suggestions don't
fix my problem !

OK, I checked/tried the following :
-> there is no DOM5.HOST201.mac file (actually, the private directory
   only contains the MACHINE.SID file)
-> I removed the samba machine account, waited more than 15 minutes.
   I then started from scratch (including rm private/MACHINE.SID file)
   with all the netbios names in CAPS ("netbios name = HOST201",
   "password server = DOM407" and so on) (by the way, yes, hostname
   HOST201 is unique on the network !)
-> I then re-added the samba server (HOST201) to the domain as a
   workstation in server manager and tried the "smbpasswd -j DOM5 -r PDC407"
   line again (I am root, so I have write access to the samba
   installation directory)

I have exactly the same problem :-(
A little more info...

Here are the messages returned by smbpasswd -j with the debug level 4 :

--
host201 # smbpasswd -j DOM5 -r PDC407 -D 4
resolve_lmhosts: Attempting lmhosts lookup for name PDC407<0x20>
startlmhosts: Can't open lmhosts file /usr/local/samba/lib/lmhosts. Error was No such file or directory
resolve_hosts: Attempting host lookup for name PDC407<0x20>
Connecting to X.Y.233.6 at port 139
cli_net_req_chal: LSA Request Challenge from PDC407 to HOST201: 8CB9F5B242A76A50
cred_session_key
cred_create
cli_net_auth2: srv:\\PDC407 acct:HOST201$ sc:2 mc: HOST201 chal 7DA1DA1A70A6EF0D neg: 1ff
cred_create
cred_assert
cred_create
cli_net_srv_pwset: srv:\\PDC407 acct:HOST201$ sc: 2 mc: HOST201 clnt 1866D40E1ABADA75 3a93aeb4
cli_net_srv_pwset: NT_STATUS_WRONG_PASSWORD
modify_trust_password: unable to change password for machine HOST201 in domain DOM5 to Domain controller PDC407. Error was NT_STATUS_WRONG_PASSWORD.
2001/02/21 13:04:04 : change_trust_account_password: Failed to change password for domain DOM5.
Unable to join domain DOM5.
host201 #
--

Damien.

------ forwarded message ------
From: Damien Veillon <Damien.Veillon@alcatel.fr>
Subject: RE: Join NT Domain : password problem, or so it seems
To: Samba mailing list <samba@us5.samba.org>

Hi James (and others !)

All the machines are on the same subnet.

HOST201 (samba box) is X.Y.232.28 with netmask 255.255.252.0
PDC407 (NT PDC) is X.Y.233.6 with netmask 255.255.252.0
WINS406 (NT WINS server) is X.Y.233.5 with netmask 255.255.252.0

Here is the result of the "nmblookup -M - -T" command :

--
host201 # nmblookup -M - -T
querying `a__MSBROWSE__a on X.Y.235.255
X.Y.233.5 `a__MSBROWSE__a<01>
X.Y.233.6 `a__MSBROWSE__a<01>
X.Y.233.43 `a__MSBROWSE__a<01>
X.Y.233.42 `a__MSBROWSE__a<01>
querying `a__MSBROWSE__a on X.Y.235.255
X.Y.233.5 `a__MSBROWSE__a<01>
X.Y.233.43 `a__MSBROWSE__a<01>
X.Y.233.6 `a__MSBROWSE__a<01>
X.Y.233.42 `a__MSBROWSE__a<01>
host201 #
--

...sounds ok to me !

On my first try, I didn't set "Encrypt Passwords = Yes". However, I
already tried that yesterday (this was one of my tries actually). It
didn't help. I think this parameter must be set before restarting the
samba daemons, after a successful join. It rules the authentication
between the client and the Domain controller (PDC or BDC) but is not used
during the joining process... well, that's what I understood !
Roman, James (J.D.)
2001-Feb-21 17:10 UTC
Join NT Domain : password problem, or so it seems
I've got to say I'm a little stumped by this one. It clearly is an
authentication problem. Out of curiosity what version of Samba and NT are
we dealing with?
Nelson, John P. wrote:

> host201 # smbpasswd -j DOM5 -r PDC407
> cli_net_srv_pwset: NT_STATUS_WRONG_PASSWORD
> modify_trust_password: unable to change password for machine HOST201 in
> domain DOM5 to Domain controller PDC407. Error was NT_STATUS_WRONG_PASSWORD.
> 2001/02/20 16:29:18 : change_trust_account_password: Failed to change
> password for domain DOM5.
> Unable to join domain DOM5.
> host201 #
>
> ----
>
> OK. This usually means that you did NOT just create the machine account for
> HOST201. On the domain controller, use server manager to delete the machine
> from the domain, then add it back again. Then try smbpasswd again.
>
> See, when you FIRST create a machine account, it sets the password to a
> well-known value. Part of the "join domain" handshake is to change this
> password to one that is known only to the client and the DC.
>
> I suspect that this machine account previously existed, and that you didn't
> actually create it from scratch. This doesn't help - Samba needs to have
> the password reset to the well-known value so that it can change it.
>
> The same thing happens if you try to add an NT system to the domain twice
> without resetting the machine account.
>
> Hope that helps,
>
> - john nelson

Hi John,

Thanks for your answer ! Unfortunately, this does not help. It is the
first thing I tried actually, as I saw the same explanation you gave in
the samba mailing list archives. I tried to reset the password, I also
tried to install a completely new samba box from scratch which was
unknown by the PDC.

I suspect there is another problem, maybe on the PDC. The initial machine
account password may be either different from the well-known value or
unchangeable. Well... I'm searching in that direction !

I found some info on the TechNet web site from Microsoft (article
ID:Q154501) regarding the machine account passwords on PDCs. There are
two options in the registry which are "RefusePasswordChange" and
"DisablePasswordChange". These are located in the registry key :

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

I will see with my NT guys to check what the values are for these
parameters on the PDC and try to join again. I will let you know the
results of this try in the mailing list !

Damien.
Tim Potter wrote:

> Damien Veillon writes:
>
>> James, thanks for your answer... unfortunately your suggestions don't
>> fix my problem !
>
> I noticed you didn't have encrypted passwords turned on in your
> smb.conf. Does setting this option make any difference?
>
> Tim.

Hi Tim,

No, it does not make any difference. I understood that the setting
"encrypt passwords" is used after a successful join domain, when the
samba daemons are restarted. (I tried to set it to yes anyway, but it
didn't help).

So, I'm still trying to fix my problem !

Thanks for your answer anyway,
Damien.
Damien Veillon
2001-Feb-26 14:27 UTC
Fixed [Join NT Domain : password problem, or so it seems]
OK,

That's fixed now ;-)

The problem was : as part of the joining process, "smbpasswd -j" changes the
machine account password of the samba box on the PDC. In my case, the
PDC refused that change because of two options set in its registry.

Those two options are : RefusePasswordChange and DisablePasswordChange
and are located in the following registry key :

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

After having de-activated those options and restarted the netlogon
service, "smbpasswd -j" was ok and I was happy again !

You will find the description of those two options on :
http://support.microsoft.com/support/kb/articles/Q154/5/01.asp

Thanks to James, Tim and John for their answers,
Damien.
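
As an added example (not code from this thread or from the Samba project), the Python below automates the check that resolved the problem: it looks for the failure line posted above in smbpasswd output, then reads a regedit text export of the PDC's Netlogon\Parameters key for the two values named in the fix. The export contents, the function names and the rule that a present, non-zero DWORD counts as "set" are assumptions made for the example.

```python
import re

# Key and value names as given in the thread's fix.
NETLOGON_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
WATCHED = ("RefusePasswordChange", "DisablePasswordChange")
# Failing call and status as they appear in the posted smbpasswd output.
SIGNATURE = ("cli_net_srv_pwset", "NT_STATUS_WRONG_PASSWORD")

# Lines taken from the debug output posted in the thread, one message per line.
SAMPLE_LOG = r"""
cli_net_auth2: srv:\\PDC407 acct:HOST201$ sc:2 mc: HOST201 chal 7DA1DA1A70A6EF0D neg: 1ff
cli_net_srv_pwset: srv:\\PDC407 acct:HOST201$ sc: 2 mc: HOST201 clnt 1866D40E1ABADA75 3a93aeb4
cli_net_srv_pwset: NT_STATUS_WRONG_PASSWORD
modify_trust_password: unable to change password for machine HOST201 in domain DOM5 to Domain controller PDC407. Error was NT_STATUS_WRONG_PASSWORD.
Unable to join domain DOM5.
"""

# Constructed regedit export (not from the thread); the second key and the
# string value are placeholders that the parser must ignore.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"ExampleString"="ignored"
"RefusePasswordChange"=dword:00000001
"DisablePasswordChange"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleOther]
"ExampleDword"=dword:00000001
"""


def failing_call(log_text):
    """Return (function, status) for the first '<func>: NT_STATUS_*' line, else None."""
    m = re.search(r"^(\w+): (NT_STATUS_\w+)\s*$", log_text, re.MULTILINE)
    return (m.group(1), m.group(2)) if m else None


def netlogon_dwords(reg_text):
    """Parse a regedit text export; return {lowercased name: int} for the Netlogon key only."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key names are case-insensitive.
            in_key = line[1:-1].lower() == NETLOGON_KEY.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$', line)
        if m:
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values


def password_change_blockers(reg_text):
    """Watched values that are present and non-zero (assumption: non-zero means set)."""
    found = netlogon_dwords(reg_text)
    return [name for name in WATCHED if found.get(name.lower(), 0) != 0]


def triage(log_text, reg_text):
    """Combine the smbpasswd failure line with the PDC registry export."""
    call = failing_call(log_text)
    if call is None:
        return "no NT_STATUS failure line found"
    blockers = password_change_blockers(reg_text)
    if call == SIGNATURE and blockers:
        return "password change refused by PDC settings: " + ", ".join(blockers)
    return "%s failed with %s; watched values set: %s" % (
        call[0], call[1], ", ".join(blockers) or "none")


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_REG))
```
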