Harvey Wamboldt
2002-Apr-02 12:04 UTC
[Samba] Joining a Domain With NT4 PDC Instructions Don't Work
Keywords: samba, NT4, PDC, smbpasswd, problem, "join domain"
NT_STATUS_NO_TRUST_SAM_ACCOUNT,
"unable to setup the PDC credentials to machine"

Version: samba-2.2.3a, built on SPARC/Solaris 5.7 with gcc.

The Samba 2.2 instructions/web page titled:

"security = domain in Samba 2.x"

section

"Joining an NT Domain with Samba 2.2"

does not work with my NT4 PDC.

I just wasted two days tracking down the procedure which does work. A little bit of documentation would have saved me a lot of grief. Perhaps the above document could be changed? Also the document DOMAIN_MEMBER.html should be changed to match.

What finally worked for me was this:

(1) delete the samba server from the NT4 PDC's list of servers,

(2) reboot the NT4 PDC,

(3) add the samba server back to the NT4 PDC using the server manager,

(4) run: smbpasswd -j <DOM> -r <PDC>

Note: in step 4 above *do not* use -U to assign a username or password.

This procedure, with emphasis on step (4) should definitely be listed as a procedure to try when the problem is failure to authenticate using an NT4 PDC.

I eventually figured this out from smbpasswd(8). Perhaps this is a bug since one would think that running:

smbpasswd -j <DOM> -r <PDC> -UAdministrator%password

would accomplish the same thing, but in my case at least it doesn't.

Rgds,

-H-

--
Harvey M Wamboldt                  ^ E-Mail: harvey@iotek.ns.ca
MDA Inc 1000 Windmill Rd. Suite 60 ^ Fax: (902)468-2278
Dartmouth NS, B3B 1L7, Canada      ^ Phone: (902)481-3531
Andrew Bartlett
2002-Apr-02 13:54 UTC
[Samba] Joining a Domain With NT4 PDC Instructions Don't Work
Harvey Wamboldt wrote:
>
> Keywords: samba, NT4, PDC, smbpasswd, problem, "join domain"
> NT_STATUS_NO_TRUST_SAM_ACCOUNT,
> "unable to setup the PDC credentials to machine"
>
> Version: samba-2.2.3a, built on SPARC/Solaris 5.7 with gcc.

> I eventually figured this out from smbpasswd(8). Perhaps this is a
> bug since one would think that running:
>
> smbpasswd -j <DOM> -r <PDC> -UAdministrator%password
>
> would accomplish the same thing, but in my case at least it doesn't.

This does work, it's just that there was a big/little endian bug in Samba 2.2 at the time of the release.

The other method is inherently insecure, as the password is set to a known value until the machine changes it during the join.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Erwin Fritz
2002-Apr-02 15:05 UTC
[Samba] Joining a Domain With NT4 PDC Instructions Don't Work
I was able to get this to work without step 2 (the reboot). You're right, though: specifying the administrator user ID doesn't work.

Harvey Wamboldt wrote:
>
> Keywords: samba, NT4, PDC, smbpasswd, problem, "join domain"
> NT_STATUS_NO_TRUST_SAM_ACCOUNT,
> "unable to setup the PDC credentials to machine"
>
> Version: samba-2.2.3a, built on SPARC/Solaris 5.7 with gcc.
>
> The Samba 2.2 instructions/web page titled:
>
> "security = domain in Samba 2.x"
>
> section
>
> "Joining an NT Domain with Samba 2.2"
>
> does not work with my NT4 PDC.
>
> I just wasted two days tracking down the procedure which does work. A
> little bit of documentation would have saved me a lot of grief.
> Perhaps the above document could be changed? Also the document
> DOMAIN_MEMBER.html should be changed to match.
>
> What finally worked for me was this:
>
> (1) delete the samba server from the NT4 PDC's list of servers,
>
> (2) reboot the NT4 PDC,
>
> (3) add the samba server back to the NT4 PDC using the server manager,
>
> (4) run: smbpasswd -j <DOM> -r <PDC>
>
> Note: in step 4 above *do not* use -U to assign a username or
> password.
>
> This procedure, with emphasis on step (4) should definitely be listed
> as a procedure to try when the problem is failure to authenticate
> using an NT4 PDC.
>
> I eventually figured this out from smbpasswd(8). Perhaps this is a
> bug since one would think that running:
>
> smbpasswd -j <DOM> -r <PDC> -UAdministrator%password
>
> would accomplish the same thing, but in my case at least it doesn't.
>
> Rgds,
>
> -H-
>
> --
> Harvey M Wamboldt                  ^ E-Mail: harvey@iotek.ns.ca
> MDA Inc 1000 Windmill Rd. Suite 60 ^ Fax: (902)468-2278
> Dartmouth NS, B3B 1L7, Canada      ^ Phone: (902)481-3531

--
Erwin Fritz
Gilbert Laustsen Jung Associates Ltd.
Herb Lewis
2002-Apr-02 18:04 UTC
[Samba] Joining a Domain With NT4 PDC Instructions Don't Work
This is a bug that I have mentioned several times on this list. smbpasswd on big-endian machines was broken. It is fixed in the current CVS code.

Harvey Wamboldt wrote:
>
> Keywords: samba, NT4, PDC, smbpasswd, problem, "join domain"
> NT_STATUS_NO_TRUST_SAM_ACCOUNT,
> "unable to setup the PDC credentials to machine"
>
> Version: samba-2.2.3a, built on SPARC/Solaris 5.7 with gcc.
>
> The Samba 2.2 instructions/web page titled:
>
> "security = domain in Samba 2.x"
>
> section
>
> "Joining an NT Domain with Samba 2.2"
>
> does not work with my NT4 PDC.
>
> I just wasted two days tracking down the procedure which does work. A
> little bit of documentation would have saved me a lot of grief.
> Perhaps the above document could be changed? Also the document
> DOMAIN_MEMBER.html should be changed to match.
>
> What finally worked for me was this:
>
> (1) delete the samba server from the NT4 PDC's list of servers,
>
> (2) reboot the NT4 PDC,
>
> (3) add the samba server back to the NT4 PDC using the server manager,
>
> (4) run: smbpasswd -j <DOM> -r <PDC>
>
> Note: in step 4 above *do not* use -U to assign a username or
> password.
>
> This procedure, with emphasis on step (4) should definitely be listed
> as a procedure to try when the problem is failure to authenticate
> using an NT4 PDC.
>
> I eventually figured this out from smbpasswd(8). Perhaps this is a
> bug since one would think that running:
>
> smbpasswd -j <DOM> -r <PDC> -UAdministrator%password
>
> would accomplish the same thing, but in my case at least it doesn't.
>
> Rgds,
>
> -H-
>
> --
> Harvey M Wamboldt                  ^ E-Mail: harvey@iotek.ns.ca
> MDA Inc 1000 Windmill Rd. Suite 60 ^ Fax: (902)468-2278
> Dartmouth NS, B3B 1L7, Canada      ^ Phone: (902)481-3531

--
======================================================================
Herb Lewis                               Silicon Graphics
Networking Engineer                      1600 Amphitheatre Pkwy MS-510
Strategic Software Organization          Mountain View, CA 94043-1351
herb@sgi.com                             Tel: 650-933-2177
http://www.sgi.com                       Fax: 650-932-2177
======================================================================
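Two replies in this thread attribute the failed join to a byte-order bug in smbpasswd on big-endian hosts such as the SPARC build reported. The C sketch below is an added illustration of that class of bug, not code from the thread and not Samba's code (the actual defect is not shown on this page). It assumes a little-endian wire format, as SMB uses, and all function names and the sample value are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable encoder: always emits little-endian wire order. */
static void put_le32(uint8_t *buf, uint32_t v) {
    buf[0] = (uint8_t)v;
    buf[1] = (uint8_t)(v >> 8);
    buf[2] = (uint8_t)(v >> 16);
    buf[3] = (uint8_t)(v >> 24);
}

/* Portable decoder, as a little-endian peer would read the field. */
static uint32_t get_le32(const uint8_t *buf) {
    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
           ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

/* Bug pattern: copies the integer in whatever order the host CPU stores it. */
static void put_host32(uint8_t *buf, uint32_t v) { memcpy(buf, &v, sizeof v); }

static int host_is_big_endian(void) {
    const uint16_t probe = 1;
    return *(const uint8_t *)&probe == 0;
}

/* 1 when the bug pattern happens to produce correct wire bytes on this host. */
static int host_order_is_wire_order(uint32_t v) {
    uint8_t good[4], risky[4];
    put_le32(good, v);
    put_host32(risky, v);
    return memcmp(good, risky, sizeof good) == 0;
}

/* Emulates put_host32 on a big-endian host (such as SPARC) and returns the
 * value a little-endian peer decodes from those bytes. */
static uint32_t peer_view_from_big_endian_host(uint32_t v) {
    uint8_t wire[4] = { (uint8_t)(v >> 24), (uint8_t)(v >> 16),
                        (uint8_t)(v >> 8), (uint8_t)v };
    return get_le32(wire);
}

int main(void) {
    const uint32_t field = 0x12345678u; /* constructed sample value */
    printf("host is %s-endian\n", host_is_big_endian() ? "big" : "little");
    printf("host-order copy is wire order: %d\n", host_order_is_wire_order(field));
    printf("peer decodes 0x%08x\n", (unsigned)peer_view_from_big_endian_host(field));
    return 0;
}
```

On a little-endian build the host-order copy passes every test, which is how this kind of defect reaches a release and surfaces only on big-endian platforms.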