Lightfoot.Michael
2002-Jan-16 20:16 UTC
Re-adding samba to a domain (was RE: Fear, Uncertainty, Doubt and Citrix on Win2k)
> At 11:17 AM 1/16/02 +1100, you wrote:
> <snip>
> > > To join the domain use 'smbpasswd -j DOMAIN -U Administrator'. This
> > > will create a machine account (with the PDC's admin password) and set a
> > > password on that account. This allows Samba to pass both the challenge
> > > and response to the DC and to get back sane error codes.
> > >
> >I think I must be a little thick as I can't get this to work. I tried:
> >
> >smbpasswd -j COMCARE -u Administrator
> >
> >It came back with a password prompt which I asked the M$ man to enter (for
> >the PDC admin account) and it failed authentication. The server exists at
> >the PDC and everything (according to the M$ bloke) is OK there.
>
> Right, I know I'm butting in here, but what I have seen on the list is that
> that joins the domain, but some people have had to create the account manually.
>
> So, on the PDC, you need to make an account, and check the box that allows
> non-w2k machines to use it. Then that command might work.
>

OK, here's the resolution!

In recent months the PDC has been upgraded from NT4 to Win2k. This change
forced us to upgrade all our Samba servers from various ancient 1.9.18
patchlevels to 2.2.2.

When I tried to change from security = server to security = domain as
suggested by Andrew B, I got the problem outlined above.

The solution is that you have to delete each Samba server from the domain
and then re-add it. After this the instructions per the Samba Project
documentation - for us Aussies:

http://samba.mirror.aarnet.edu.au/samba/docs/Samba-HOWTO-Collection.html#DOM
AIN-SECURITY

work perrrrfectly.

We are now running in test with no authentication errors for Win2k TSE users
and my developers and testers all have silly grins!

Thanks to all who gave assistance. In another few days I'll be able to call
myself an MCSE. >:-)

BTW, I received this URL in last night's email. I hope it makes someone's day:

http://www.microsoft.com&item=q209354@www.hardware.no/nyheter/feb01/Q209354%
20-%20HOWTO.htm

(watch the wrap.)

Michael Lightfoot
SysIX Unix Systems Consulting
02 6258 8185
michael.lightfoot@canb.auug.org.au

Andrew Bartlett
2002-Jan-17 04:49 UTC
Re-adding samba to a domain (was RE: Fear, Uncertainty, Doubt and Citrix on Win2k)
"Lightfoot.Michael" wrote:
>
> > At 11:17 AM 1/16/02 +1100, you wrote:
> > <snip>
> > > > To join the domain use 'smbpasswd -j DOMAIN -U Administrator'. This
> > > > will create a machine account (with the PDC's admin password) and set a
> > > > password on that account. This allows Samba to pass both the challenge
> > > > and response to the DC and to get back sane error codes.
> > > >
> > >I think I must be a little thick as I can't get this to work. I tried:
> > >
> > >smbpasswd -j COMCARE -u Administrator
> > >
> > >It came back with a password prompt which I asked the M$ man to enter (for
> > >the PDC admin account) and it failed authentication. The server exists at
> > >the PDC and everything (according to the M$ bloke) is OK there.
> >
> > Right, I know I'm butting in here, but what I have seen on the list is that
> > that joins the domain, but some people have had to create the account manually.
> >
> > So, on the PDC, you need to make an account, and check the box that allows
> > non-w2k machines to use it. Then that command might work.
> >
> OK, here's the resolution!
>
> In recent months the PDC has been upgraded from NT4 to Win2k. This change
> forced us to upgrade all our Samba servers from various ancient 1.9.18
> patchlevels to 2.2.2.
>
> When I tried to change from security = server to security = domain as
> suggested by Andrew B, I got the problem outlined above.
>
> The solution is that you have to delete each Samba server from the domain
> and then re-add it. After this the instructions per the Samba Project
> documentation - for us Aussies:
>
> http://samba.mirror.aarnet.edu.au/samba/docs/Samba-HOWTO-Collection.html#DOM
> AIN-SECURITY
>
> work perrrrfectly.

I'll need to update some doco some day. The method in the HOWTO is the
'old' method, which works when the machine has been 'added' in user manager.
This 'add' also sets the password to 'machinename' - and the 'smbpasswd -j'
simply changes it. Quite simple actually.

The problem is the race between the add and join, which is avoided with the
'-U' method. (This adds an account with admin privs, and uses that to set
the password for the first time).

> We are now running in test with no authentication errors for Win2k TSE users
> and my developers and testers all have silly grins!

Nice to hear it all works!

> Thanks to all who gave assistance. In another few days I'll be able to call
> myself an MCSE. >:-)

:-) Would you really want to stoop that low?

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
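
A pre-join configuration check for the switch from security = server to security = domain discussed in this thread, added here as an example; it was not written by either poster and is not part of Samba. The host name PDC1, the function names, and the set of parameters checked (workgroup, password server, encrypt passwords) are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit smb.conf [global] before 'smbpasswd -j DOMAIN -U Administrator'.
# PDC1 and the sample files below are constructed for illustration.

# Print the value of a [global] parameter. Samba treats parameter names
# case-insensitively and ignores spaces inside them; the last setting wins.
smb_global_get() {  # usage: smb_global_get FILE "parameter name"
    awk -v want="$2" '
        function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/   { sec = norm($0); next }      # remember current section
        sec == "[global]" && index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (norm(key) == norm(want)) found = val
        }
        END { print found }' "$1"
}

# Return 0 only if the file is set up for domain-member authentication.
# Prints one line per problem found.
domain_join_check() {  # usage: domain_join_check FILE
    rc=0
    sec=$(smb_global_get "$1" security | tr 'A-Z' 'a-z')
    [ "$sec" = "domain" ] || { echo "security = ${sec:-unset}, expected domain"; rc=1; }
    [ -n "$(smb_global_get "$1" workgroup)" ] || { echo "workgroup not set"; rc=1; }
    [ -n "$(smb_global_get "$1" 'password server')" ] || { echo "password server not set"; rc=1; }
    enc=$(smb_global_get "$1" 'encrypt passwords' | tr 'A-Z' 'a-z')
    case "$enc" in yes|true|1) ;; *) echo "encrypt passwords is not yes"; rc=1 ;; esac
    return $rc
}

# Constructed sample files: the setup before and after the change in the thread.
demo_dir=$(mktemp -d)
printf '%s\n' '[global]' '  workgroup = COMCARE' '  security = server' \
    '  password server = PDC1' > "$demo_dir/before.conf"
printf '%s\n' '[Global]' '  workgroup = COMCARE' '  Security = DOMAIN' \
    '  password server = PDC1' '  encrypt passwords = yes' \
    '[homes]' '  security = share' > "$demo_dir/after.conf"

domain_join_check "$demo_dir/before.conf" || echo "before.conf: not ready"
domain_join_check "$demo_dir/after.conf" && echo "after.conf: ready to join"
```

The check only reads the configuration file; deleting and re-adding the machine account on the PDC, as described in the thread, still has to happen before the join.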