Hi all,

I've seen a good number of posts over the last while relating to problems with Win2K clients being unable to authenticate users to a Samba 2.2.x PDC (user level security with encrypted passwords) because "the system's computer account in its primary domain is missing or the password on that account is incorrect". So far I have not run across any solutions.

It seems that in all cases the computer accounts have been created *correctly* on the unix machine using first useradd then smbpasswd as described in the Samba documentation.

Adding the computers to the domain (system properties -> network ID -> properties) seems to work: the user is prompted for a username and password with privileges sufficient to change the computer name in the domain, then is informed that a reboot is required for the changes to take effect. After reboot, however, the above error message is displayed when an attempt is made to log a user (any user, including root) on to the domain. *No* log info is generated by the Samba server.

Since I have seen no responses whatsoever to any of the posts about this issue, I have two specific questions which might help me to identify the problem myself:

1. What is meant by the computer's *primary* domain?

2. What *exactly* transpires when (a) one changes the name of a Win2K client in the domain (ie. adds the *machine* to the domain) and (b) when a user attempts to logon to a domain from a Win2K machine that has a valid machine account in the domain?

Thanks in advance for your help!

Mike Traynor.
On Fri, 2002-03-29 at 12:19, mdt-tech-mailbox@shaw.ca wrote:
> Hi all,
>
> I've seen a good number of posts over the last while relating to
> problems with Win2K clients being unable to authenticate users to a
> Samba 2.2.x PDC (user level security with encrypted passwords)
> because "the system's computer account in its primary domain is missing
> or the password on that account is incorrect". So far I have not run
> across any solutions.
>
> It seems that in all cases the computer accounts have been created
> *correctly* on the unix machine using first useradd then smbpasswd as
> described in the Samba documentation.
>
> Adding the computers to the domain (system properties -> network ID ->
> properties) seems to work: the user is prompted for a username and
> password with privileges sufficient to change the computer name in the
> domain, then is informed that a reboot is required for the changes to
> take effect. After reboot, however, the above error message is
> displayed when an attempt is made to log a user (any user, including
> root) on to the domain. *No* log info is generated by the Samba server.
>
> Since I have seen no responses whatsoever to any of the posts about
> this issue, I have two specific questions which might help me to
> identify the problem myself:
>
> 1. What is meant by the computer's *primary* domain?

the primary domain controller is that server that is the authoritative source for windows user information. Microsoft has the concept of backup domain controllers that serve to balance load and allow authentication when the PDC is unavailable. I think that samba can only act as a PDC right now.

> 2. What *exactly* transpires when (a) one changes the name of a Win2K
> client in the domain (ie. adds the *machine* to the domain) and (b)
> when a user attempts to logon to a domain from a Win2K machine that has
> a valid machine account in the domain?

a) samba will run whatever is in "add user script"
in my case
/usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
and should create the machine account in /etc/smbpasswd
take a look there for your machine (ending with a $)
(also be sure it is in /etc/passwd and /etc/shadow if you use shadow passwords)

b) samba checks that the user is valid etc.
take a look at the samba howto collection for more info on this

you also need that signorseal registry patch to log in against a samba PDC.

brad
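The three things Brad says to look at (a "NAME$" entry in the smbpasswd file, plus matching entries in /etc/passwd and /etc/shadow) can be checked in one go. The script below is an added example for this thread, not code from the poster or from the Samba project. It assumes the Samba 2.2.x smbpasswd line layout `name:uid:LM_hash:NT_hash:[flags]:LCT-xxxxxxxx:` (a trust account carries a `W` flag, and a hash field of 32 `X` characters means no password is stored), and it runs against constructed sample files rather than the live /etc files; the workstation names ws1/ws2/ws3, the uids and the hash strings are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba): sanity-check a Win2K
# machine trust account on a Samba 2.2.x PDC the way Brad suggests.
# Assumed file layouts:
#   passwd     name:x:uid:gid:gecos:home:shell
#   shadow     name:hash:...
#   smbpasswd  name:uid:LM_hash:NT_hash:[flags]:LCT-xxxxxxxx:
# A trust account is "<NetBIOS name>$" with a W in its flags; 32 X's in a
# hash field mean "no password stored".

NO_PASSWORD='XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

# check_machine_account NAME PASSWD SHADOW SMBPASSWD
# Prints one line per finding; returns 0 only when every check passes.
check_machine_account() {
    name=$1; passwd=$2; shadow=$3; smbpasswd=$4
    acct="${name}\$"
    rc=0

    # Exact field-1 matches; awk avoids escaping the '$' in a grep regex.
    pw_line=$(awk -F: -v a="$acct" '$1 == a' "$passwd")
    smb_line=$(awk -F: -v a="$acct" '$1 == a' "$smbpasswd")

    if [ -z "$pw_line" ]; then
        echo "$acct: no entry in $passwd (Samba 2.2 needs a Unix uid for the account)"
        rc=1
    fi
    # Shadow entry only matters on systems that actually use shadow passwords.
    if [ -r "$shadow" ]; then
        sh_line=$(awk -F: -v a="$acct" '$1 == a' "$shadow")
        if [ -z "$sh_line" ]; then
            echo "$acct: no entry in $shadow"
            rc=1
        fi
    fi
    if [ -z "$smb_line" ]; then
        echo "$acct: no entry in $smbpasswd (create it with: smbpasswd -a -m $name)"
        return 1
    fi

    smb_uid=$(printf '%s\n' "$smb_line" | cut -d: -f2)
    nt_hash=$(printf '%s\n' "$smb_line" | cut -d: -f4)
    flags=$(printf '%s\n' "$smb_line" | cut -d: -f5)

    # The uid recorded in smbpasswd must be the one passwd gives the account.
    if [ -n "$pw_line" ]; then
        pw_uid=$(printf '%s\n' "$pw_line" | cut -d: -f3)
        if [ "$pw_uid" != "$smb_uid" ]; then
            echo "$acct: uid $smb_uid in $smbpasswd but $pw_uid in $passwd"
            rc=1
        fi
    fi
    case "$flags" in
        *W*) ;;
        *) echo "$acct: flags $flags lack W, so it is not a workstation trust account"
           rc=1 ;;
    esac
    case "$flags" in
        *D*) echo "$acct: account is disabled (D flag)"; rc=1 ;;
    esac
    if [ "$nt_hash" = "$NO_PASSWORD" ]; then
        echo "$acct: no NT hash stored, so the machine password cannot be verified"
        rc=1
    fi
    return $rc
}

# Constructed sample files (not from any real host); the hashes are
# placeholder hex strings, not real LM/NT hashes.
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ws1$:x:1001:100::/dev/null:/bin/false
ws2$:x:1002:100::/dev/null:/bin/false
EOF
    cat > "$1/shadow" <<'EOF'
root:*:11770:0:99999:7:::
ws1$:*:11770:0:99999:7:::
EOF
    cat > "$1/smbpasswd" <<'EOF'
ws1$:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[W          ]:LCT-3CA3F1A2:
ws2$:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[WN         ]:LCT-00000000:
EOF
}

SAMPLE_DIR=$(mktemp -d)   # left in place so the sample files can be inspected
write_sample_files "$SAMPLE_DIR"
# ws1 is consistent; ws2 has a uid mismatch, no shadow entry and no hash;
# ws3 was never created at all.
for ws in ws1 ws2 ws3; do
    if check_machine_account "$ws" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow" "$SAMPLE_DIR/smbpasswd"; then
        echo "$ws: OK"
    else
        echo "$ws: FAILED"
    fi
done
```

On a real PDC run it as root against the live files, e.g. `check_machine_account WS01 /etc/passwd /etc/shadow /etc/smbpasswd`; the smbpasswd path varies by build, so take it from the `smb passwd file` setting in smb.conf. It only covers the Unix side of the join; the client-side RequireSignOrSeal registry setting Brad mentions has to be checked on the Win2K machine itself.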
----- Original Message -----
From: "Bradley W. Langhorst" <brad@langhorst.com>
Date: Friday, March 29, 2002 10:08 am
Subject: Re: [Samba] Computer accounts & Win2K

> On Fri, 2002-03-29 at 12:19, mdt-tech-mailbox@shaw.ca wrote:
>> 2. What *exactly* transpires when (a) one changes the name of
>> a Win2K client in the domain (ie. adds the *machine* to the
>> domain) and (b) when a user attempts to logon to a domain from
>> a Win2K machine that has a valid machine account in the domain?
> a) samba will run whatever is in "add user script" in my case
> /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
> and should create the machine account in /etc/smbpasswd
> take a look there for your machine (ending with a $)
> (also be sure it is in /etc/passwd and /etc/shadow if you use
> shadow passwords)
> b) samba checks that the user is valid etc.
> take a look at the samba howto collection for more info on this
> you also need that signorseal registry patch to log in against
> a samba PDC.

Brad,

Thanks for the reply. I had not thought about the shadow passwords issue. I can't remember whether I enabled shadow passwords when I installed RedHat 7.2, but will look into it this evening when I get home from work.

The "RequireSignOrSeal" registry entry is set to 0, so that is not the problem.

Mike.
There are appropriate entries for the machine account in both the /etc/passwd file and the /etc/shadow file. I don't know if the Samba 2.2.1 RedHat RPM that comes with the distribution was compiled with support for shadow passwords enabled, but assume it must have been since shadow passwords are enabled by default on current RedHat systems. I suppose I could check the SRPM file ...

----- Original Message -----
From: "Bradley W. Langhorst" <brad@langhorst.com>
Date: Friday, March 29, 2002 10:08 am
Subject: Re: [Samba] Computer accounts & Win2K

> a) samba will run whatever is in "add user script" in my case
> /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
> and should create the machine account in /etc/smbpasswd
> take a look there for your machine (ending with a $)
> (also be sure it is in /etc/passwd and /etc/shadow if you use
> shadow passwords)