Erik Anderson
2004-Jul-11 09:49 UTC
[Samba] Samba 3.0.2 PDC Setup: cannot join W2k machine - SAMR_SET_USERINFO fails
Okay, this is near the end of a marathon day trying to get this Linux machine up
and running as a PDC. At this point I am unable to get a Windows 2K machine to
join the domain; it responds with "Logon failure: unknown user name or bad
password". The Samba log shows the following:
rpc_server/srv_samr_nt.c: _samr_set_userinfo(2937)
_samr_set_userinfo: 2937
rpc_server/src_lsa_hnd.c:find_policy_by_hnd_internal(162)
Found policy hnd[0] [000] 00 00 00 00 08 00 00 00 00 00 00 00 32 FA F0 40
[010] BF 22 00 00
rpc_server/srv_samr_nt.c:access_check_samr_function(106)
_samr_set_userinfo: access check ((granted: 0x000000b0; required:0x00000024)
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
_samr_set_userinfo: ACCESS DENIED (granted: 0x000000b0; required: 0x00000024)
rpc_parse/parse_prs.c:prs_debug(82)
000000 samr_io_r_set_userinfo
rpc_parse/parse_prs.c:prs_ntstatus(665)
0000 status: NT_STATUS_ACCESS_DENIED
The log appears to show that the machine account was established properly, but
failed when the server was attempting to set a password? Google pulls up only
one hit: http://lists.samba.org/archive/samba/2003-December/076951.html
This is a Debian box ("testing" distribution); the Samba package is
3.0.2a-1 (modified to enable LDAP).
The user I am attempting to add the machine with is named Administrator, which
is a normal user (uid=3011, rid=7000) that has a primary group of "Domain
Admins" (gid=3011, sid=<SID>-512) and a secondary group of
"Administrators" (gid=3002, sid="S-1-5-32-544")
FYI, as a strange side effect of my installation, I had to modify the
samba.schema that came with the package, as the compiled output was demanding to
use the "historical schema". Don't know if it has anything to do
with this issue, but I'm throwing it out there for additional information.
Erik Anderson
2004-Jul-11 22:47 UTC
[Samba] Samba 3.0.2 PDC Setup: cannot join W2k machine - SAMR_SET_USERINFO fails (fixed!)
Okay, did a lot of source code tracing today, and found my error.
The following attributes are required of any account used to join a machine
against a Samba PDC:
* Primary group must correspond to "Domain Administrators"
(S-1-5-21-xxx-yyy-zzz-512)
* Secondary group must correspond to "Administrators" (S-1-5-32-544)
* The username must be specified in smb.conf under [global] "admin
users".
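Added example (not part of the original thread and not Samba code): a Python script that finds the `ACCESS DENIED` lines from `access_check_samr_function` in a Samba log and reports which required access bits were not granted. The right names are the user-object access masks from the MS-SAMR specification; the function names `decode` and `find_denials` are hypothetical, and the sample is the log excerpt from the post.

```python
import re

# SAMR user-object access rights; names are from MS-SAMR, not from the post.
USER_RIGHTS = {
    0x001: "USER_READ_GENERAL",
    0x002: "USER_READ_PREFERENCES",
    0x004: "USER_WRITE_PREFERENCES",
    0x008: "USER_READ_LOGON",
    0x010: "USER_READ_ACCOUNT",
    0x020: "USER_WRITE_ACCOUNT",
    0x040: "USER_CHANGE_PASSWORD",
    0x080: "USER_FORCE_PASSWORD_CHANGE",
    0x100: "USER_LIST_GROUPS",
    0x200: "USER_READ_GROUP_INFORMATION",
    0x400: "USER_WRITE_GROUP_INFORMATION",
}

# Matches the denial line whether or not a mail client wrapped it.
DENIED = re.compile(
    r"(\w+):\s+ACCESS\s+DENIED\s+\(granted:\s*0x([0-9a-fA-F]+);"
    r"\s*required:\s*0x([0-9a-fA-F]+)\)"
)

def decode(mask):
    """Return the names of the bits set in mask, lowest bit first."""
    names = [name for bit, name in sorted(USER_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(USER_RIGHTS)
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names

def find_denials(log_text):
    """Yield one dict per ACCESS DENIED line with the missing rights."""
    for func, granted, required in DENIED.findall(log_text):
        g, r = int(granted, 16), int(required, 16)
        yield {"function": func, "granted": g, "required": r,
               "missing": r & ~g, "missing_names": decode(r & ~g)}

# Log excerpt copied from the post, including a wrapped line.
SAMPLE = """\
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
_samr_set_userinfo: ACCESS DENIED (granted: 0x000000b0; required:
0x00000024)
0000 status: NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    for d in find_denials(SAMPLE):
        print(f"{d['function']}: missing 0x{d['missing']:08x} {d['missing_names']}")
```

For the log in this thread the only required bit that was not granted is 0x04, which narrows the failure to the rights of the joining account rather than to the machine account itself.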