Zaleski, Matthew (M.E.)
2001-Oct-29 18:40 UTC
Trouble registering Samba Server in an NT domain
I've looked thru the Howto's and a bunch of the list archives but can't find an answer to my exact problem: I'm trying to switch my Samba server (version 2.2.1a on Mandrake 8.1) from a share level security to domain authentication. (My company has had NT domain servers for about 2 years and I think they have all the bugs worked out.) I'm assuming (maybe incorrectly) that as long as I have a valid (unoccupied) NetBIOS machine name acceptable for a NT workstation, then Samba can step into its shoes to request domain level user authentication. When I type as root (names are changed to protect the innocent): smbpasswd -j MYDOMAIN I have "password server = *" and that seems to negate the need to specify my password server on the command above. Is that correct? I get a flurry of debug messages from my high log level setting. From them I can see Samba contact the WINS server to locate the PDC and is successful. It then connects to the PDC, but eventually fails with a NT_STATUS_NO_TRUST_SAM_ACCOUNT error. What does this mean? Here is the revelant snippet from my debug session: <SNIP> Got a positive name query response from 99.99.99.99 ( 99.99.88.88 ) Connecting to 99.99.88.88 at port 139 LSA Open Policy LSA Query Info Policy LSA_QUERYINFOPOLICY (level 5): domain:MYDOMAIN domain sid:S-1-5-21-1078229911-1189946983-1225219381 LSA Close cli_net_req_chal: LSA Request Challenge from ECCNA101 to AV2443: 658B07A562883C61 cred_session_key cred_create cli_net_auth2: srv:\\ECCNA101 acct:AV2443$ sc:2 mc: AV2443 chal FB1E53C79AF322C0 neg: 1ff cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT cli_nt_setup_creds: auth2 challenge failed modify_trust_password: unable to setup the PDC credentials to machine ECCNA101. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT. 2001/10/29 17:28:37 : change_trust_account_password: Failed to change password for domain MYDOMAIN. Unable to join domain MYDOMAIN. </SNIP> Matthew Zaleski
Have you added the machine to the domain using server manager? If you have, have you tried removing it and adding it again? Zaleski, Matthew (M.E.) wrote:>I've looked thru the Howto's and a bunch of the list archives but can't find an answer to my exact problem: > >I'm trying to switch my Samba server (version 2.2.1a on Mandrake 8.1) from a share level security to domain authentication. (My company has had NT domain servers for about 2 years and I think they have all the bugs worked out.) I'm assuming (maybe incorrectly) that as long as I have a valid (unoccupied) NetBIOS machine name acceptable for a NT workstation, then Samba can step into its shoes to request domain level user authentication. > >When I type as root (names are changed to protect the innocent): >smbpasswd -j MYDOMAIN > >I have "password server = *" and that seems to negate the need to specify my password server on the command above. Is that correct? > >I get a flurry of debug messages from my high log level setting. From them I can see Samba contact the WINS server to locate the PDC and is successful. It then connects to the PDC, but eventually fails with a NT_STATUS_NO_TRUST_SAM_ACCOUNT error. What does this mean? > >Here is the revelant snippet from my debug session: ><SNIP> >Got a positive name query response from 99.99.99.99 ( 99.99.88.88 ) >Connecting to 99.99.88.88 at port 139 >LSA Open Policy >LSA Query Info Policy >LSA_QUERYINFOPOLICY (level 5): domain:MYDOMAIN domain sid:S-1-5-21-1078229911-1189946983-1225219381 >LSA Close >cli_net_req_chal: LSA Request Challenge from ECCNA101 to AV2443: 658B07A562883C61 >cred_session_key >cred_create >cli_net_auth2: srv:\\ECCNA101 acct:AV2443$ sc:2 mc: AV2443 chal FB1E53C79AF322C0 neg: 1ff >cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT >cli_nt_setup_creds: auth2 challenge failed >modify_trust_password: unable to setup the PDC credentials to machine ECCNA101. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT. >2001/10/29 17:28:37 : change_trust_account_password: Failed to change password for domain MYDOMAIN. >Unable to join domain MYDOMAIN. ></SNIP> > > >Matthew Zaleski >
Zaleski, Matthew (M.E.)
2001-Oct-30 13:29 UTC
Trouble registering Samba Server in an NT domain
I have no control over the domain. That's somewhere in the IT department and I don't want to chase it down if I don't have to. I'm still unclear what is being done on the Windows server side. If I have a company-issued machine name and we already have NT workstations in the area, doesn't that meet the requirements? Matthew Zaleski> -----Original Message----- > From: Joseph [mailto:jolt@nicholasofmyra.org] > Sent: Tuesday, October 30, 2001 10:21 AM > To: Zaleski, Matthew (M.E.) > Cc: samba@lists.samba.org > Subject: Re: Trouble registering Samba Server in an NT domain > > > Have you added the machine to the domain using server > manager? If you > have, have you tried removing it and adding it again? > > Zaleski, Matthew (M.E.) wrote: > > >I've looked thru the Howto's and a bunch of the list > archives but can't find an answer to my exact problem: > > > >I'm trying to switch my Samba server (version 2.2.1a on > Mandrake 8.1) from a share level security to domain > authentication. (My company has had NT domain servers for > about 2 years and I think they have all the bugs worked out.) > I'm assuming (maybe incorrectly) that as long as I have a > valid (unoccupied) NetBIOS machine name acceptable for a NT > workstation, then Samba can step into its shoes to request > domain level user authentication. > > > >When I type as root (names are changed to protect the innocent): > >smbpasswd -j MYDOMAIN > > > >I have "password server = *" and that seems to negate the > need to specify my password server on the command above. Is > that correct? > > > >I get a flurry of debug messages from my high log level > setting. From them I can see Samba contact the WINS server > to locate the PDC and is successful. It then connects to the > PDC, but eventually fails with a > NT_STATUS_NO_TRUST_SAM_ACCOUNT error. What does this mean? > > > >Here is the revelant snippet from my debug session: > ><SNIP> > >Got a positive name query response from 99.99.99.99 ( 99.99.88.88 ) > >Connecting to 99.99.88.88 at port 139 > >LSA Open Policy > >LSA Query Info Policy > >LSA_QUERYINFOPOLICY (level 5): domain:MYDOMAIN domain > sid:S-1-5-21-1078229911-1189946983-1225219381 > >LSA Close > >cli_net_req_chal: LSA Request Challenge from ECCNA101 to > AV2443: 658B07A562883C61 > >cred_session_key > >cred_create > >cli_net_auth2: srv:\\ECCNA101 acct:AV2443$ sc:2 mc: AV2443 > chal FB1E53C79AF322C0 neg: 1ff > >cli_net_auth2: Error NT_STATUS_NO_TRUST_SAM_ACCOUNT > >cli_nt_setup_creds: auth2 challenge failed > >modify_trust_password: unable to setup the PDC credentials > to machine ECCNA101. Error was : NT_STATUS_NO_TRUST_SAM_ACCOUNT. > >2001/10/29 17:28:37 : change_trust_account_password: Failed > to change password for domain MYDOMAIN. > >Unable to join domain MYDOMAIN. > ></SNIP> > > > > > >Matthew Zaleski > > > >