samba - Sep 2002 - Samba 2.2.5-1 problems joining domain - W2K PDC

OK Ladies and Gentlemen I could use a hand on this one.  I'm new to the 
list, so please excuse me if I violate a protocol which is as yet unknown 
to me.  However I am having some problems that seem to be beyond my 
abilities to find a solution to.  Any help would be greatly appreciated.

Technical Info:
LINUX Box is a Red Hat 7.1 Kernel version is 2.4.9-34.  Samba version(S) 
that I am working with are 2.2.5-1 (Red Hat Binary RPM downloaded from 
samba.org) and 2.0.10-2 (from Red Hat's site).

Windows 2000 Advanced Server SP2 (SP3 was applied, and then 
removed).  Since the application of SP3, and the subsequent removal I've 
restored from tape returning to PRE SP3 operations completely with no 
change in results.  PDC - Native mode.

Course of events:
I had Samba 2.0.10-2 up and running perfectly fine as a domain member 
(security=domain) and all was well.  I read up on the latest Samba release, 
and decided I wanted to give it a try, utilizing the new winbind appliance.

I researched briefly on the Red Hat site, and determined that they did not 
have anything above 2.0.10-2 available "packaged" for my version of
Red
Hat.  A quick trip to Samba.org produced a ready to roll rpm, and all was 
well.  I've made complete backups of my /etc/samba directory, and the 
Windows 2000 server before any changes were made.

After performing a complete un install of the existing Samba version, and 
installing the new package, I found that I was unable to get the Samba 
re-joined to the domain.  Items checked and verified:
I've verified more then once that the "Pre-windows 2000" box is
checked
when adding the machine account on the PDC.
I've double and tipple checked the account credentials used with the 
smbpasswd join command.
I've verified my syntax is correct
lmhosts and hosts files have proper entries
W2K wins server is up and has correct records
smb.conf has Samba pointed in the correct direction for the WINS server on 
the W2K box.
nmblookup is able to resolve the server, and domain correctly and as expected.

When I run the smbpasswd -j DOM -R SERVER -A user I am prompted for the 
password.  With Version 2.2.5-1 I receive the expected message that the 
domain was joined, and a quick check reveals that the secrets.tdb is 
created and in the proper location. Ownership and group are both root, with 
only root having rw access. I am able to enumerate groups and users from 
the domain using wbinfo -u or -g, and getent does reveal domain users and 
groups as well.  However, no users or groups are able to authenticate into 
the Samba server, despite what I believe to be correct pam.d settings. 
Message examples will appear below from logs.

With Version 2.0.10-2 I run the same command, however I receive an error 
message, and am told that it was unable to join the domain.   The 
MACHINE.SID is created, and matches the record in the W2K registry, however 
the DOM.MACH.mac is not created.


The most common message that I see in the log.smdb is:

smbd/password.c:connect_to_domain_password_server(1328)
   connect_to_domain_password_server: machine SERVER rejected the tconX on 
the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED.

This is the message I receive with 2.0.10 when I try to join the domain:

modify_trust_password: machine SERVER rejected the tconX on the IPC$ share. 
Error was : ERRDOS - ERRnoaccess.
2002/09/09 10:45:34 : change_trust_account_password: Failed to change 
password for domain DOMAIN.
Unable to join domain DOMAIN.

Of course, the machine account is fresh and new on each attempt.  It's 
deleted, and the server rebooted before it is re-added.  I've also tried 
never before used machine account names with the same result.  I've read on 
a couple of different sites that M$ added some new RPC calls via W2K SP2 
which were not supported by pre 2.2 Samba.  However what is it that I am 
running into with the 2.2.x versions?

Any thoughts, suggestions or questions are welcome and 
appreciated.  Obviously I could roll back to a working configuration from 
my tape backups, however I am not one who's mind lends it's self well to
going backwards and "just getting it working."

Thank you all for your time and suggestions.

Aaron

try:
smbpasswd -j DOM -r SERVER -U <W2K administrator>
and press enter and type administrator password.


--- "Aaron D." <lists@aaronsplace.org>
wrote:
> OK Ladies and Gentlemen I could use a hand on this
> one.  I'm new to the 
> list, so please excuse me if I violate a protocol
> which is as yet unknown 
> to me.  However I am having some problems that seem
> to be beyond my 
> abilities to find a solution to.  Any help would be
> greatly appreciated.
> 
> Technical Info:
> LINUX Box is a Red Hat 7.1 Kernel version is
> 2.4.9-34.  Samba version(S) 
> that I am working with are 2.2.5-1 (Red Hat Binary
> RPM downloaded from 
> samba.org) and 2.0.10-2 (from Red Hat's site).
> 
> Windows 2000 Advanced Server SP2 (SP3 was applied,
> and then 
> removed).  Since the application of SP3, and the
> subsequent removal I've 
> restored from tape returning to PRE SP3 operations
> completely with no 
> change in results.  PDC - Native mode.
> 
> Course of events:
> I had Samba 2.0.10-2 up and running perfectly fine
> as a domain member 
> (security=domain) and all was well.  I read up on
> the latest Samba release, 
> and decided I wanted to give it a try, utilizing the
> new winbind appliance.
> 
> I researched briefly on the Red Hat site, and
> determined that they did not 
> have anything above 2.0.10-2 available "packaged"
> for my version of Red 
> Hat.  A quick trip to Samba.org produced a ready to
> roll rpm, and all was 
> well.  I've made complete backups of my /etc/samba
> directory, and the 
> Windows 2000 server before any changes were made.
> 
> After performing a complete un install of the
> existing Samba version, and 
> installing the new package, I found that I was
> unable to get the Samba 
> re-joined to the domain.  Items checked and
> verified:
> I've verified more then once that the "Pre-windows
> 2000" box is checked 
> when adding the machine account on the PDC.
> I've double and tipple checked the account
> credentials used with the 
> smbpasswd join command.
> I've verified my syntax is correct
> lmhosts and hosts files have proper entries
> W2K wins server is up and has correct records
> smb.conf has Samba pointed in the correct direction
> for the WINS server on 
> the W2K box.
> nmblookup is able to resolve the server, and domain
> correctly and as expected.
> 
> When I run the smbpasswd -j DOM -R SERVER -A user I
> am prompted for the 
> password.  With Version 2.2.5-1 I receive the
> expected message that the 
> domain was joined, and a quick check reveals that
> the secrets.tdb is 
> created and in the proper location. Ownership and
> group are both root, with 
> only root having rw access. I am able to enumerate
> groups and users from 
> the domain using wbinfo -u or -g, and getent does
> reveal domain users and 
> groups as well.  However, no users or groups are
> able to authenticate into 
> the Samba server, despite what I believe to be
> correct pam.d settings. 
> Message examples will appear below from logs.
> 
> With Version 2.0.10-2 I run the same command,
> however I receive an error 
> message, and am told that it was unable to join the
> domain.   The 
> MACHINE.SID is created, and matches the record in
> the W2K registry, however 
> the DOM.MACH.mac is not created.
> 
> 
> The most common message that I see in the log.smdb
> is:
> 
>
smbd/password.c:connect_to_domain_password_server(1328)
>    connect_to_domain_password_server: machine SERVER
> rejected the tconX on 
> the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED.
> 
> This is the message I receive with 2.0.10 when I try
> to join the domain:
> 
> modify_trust_password: machine SERVER rejected the
> tconX on the IPC$ share. 
> Error was : ERRDOS - ERRnoaccess.
> 2002/09/09 10:45:34 : change_trust_account_password:
> Failed to change 
> password for domain DOMAIN.
> Unable to join domain DOMAIN.
> 
> Of course, the machine account is fresh and new on
> each attempt.  It's 
> deleted, and the server rebooted before it is
> re-added.  I've also tried 
> never before used machine account names with the
> same result.  I've read on 
> a couple of different sites that M$ added some new
> RPC calls via W2K SP2 
> which were not supported by pre 2.2 Samba.  However
> what is it that I am 
> running into with the 2.2.x versions?
> 
> Any thoughts, suggestions or questions are welcome
> and 
> appreciated.  Obviously I could roll back to a
> working configuration from 
> my tape backups, however I am not one who's mind
> lends it's self well to 
> going backwards and "just getting it working."
> 
> Thank you all for your time and suggestions.
> 
> Aaron
> 
> 
> -- 
> To unsubscribe from this list go to the following
> URL and read the
> instructions: 
http://lists.samba.org/mailman/listinfo/samba


__________________________________________________
Do You Yahoo!?
Yahoo! Finance - Get real-time stock quotes
http://finance.yahoo.com

I've used both the w2k\administrator and an account with membership in the 
administrators group, both with the same result.

Additionally, encrypt passwords  is set to Yes in the smb.conf.



At 02:19 PM 9/9/2002, you wrote:
>try:
>smbpasswd -j DOM -r SERVER -U <W2K administrator>
>and press enter and type administrator password.
>
>
>--- "Aaron D." <lists@aaronsplace.org> wrote:
> > OK Ladies and Gentlemen I could use a hand on this
> > one.  I'm new to the
> > list, so please excuse me if I violate a protocol
> > which is as yet unknown
> > to me.  However I am having some problems that seem
> > to be beyond my
> > abilities to find a solution to.  Any help would be
> > greatly appreciated.
> >
> > Technical Info:
> > LINUX Box is a Red Hat 7.1 Kernel version is
> > 2.4.9-34.  Samba version(S)
> > that I am working with are 2.2.5-1 (Red Hat Binary
> > RPM downloaded from
> > samba.org) and 2.0.10-2 (from Red Hat's site).
> >
> > Windows 2000 Advanced Server SP2 (SP3 was applied,
> > and then
> > removed).  Since the application of SP3, and the
> > subsequent removal I've
> > restored from tape returning to PRE SP3 operations
> > completely with no
> > change in results.  PDC - Native mode.
> >
> > Course of events:
> > I had Samba 2.0.10-2 up and running perfectly fine
> > as a domain member
> > (security=domain) and all was well.  I read up on
> > the latest Samba release,
> > and decided I wanted to give it a try, utilizing the
> > new winbind appliance.
> >
> > I researched briefly on the Red Hat site, and
> > determined that they did not
> > have anything above 2.0.10-2 available "packaged"
> > for my version of Red
> > Hat.  A quick trip to Samba.org produced a ready to
> > roll rpm, and all was
> > well.  I've made complete backups of my /etc/samba
> > directory, and the
> > Windows 2000 server before any changes were made.
> >
> > After performing a complete un install of the
> > existing Samba version, and
> > installing the new package, I found that I was
> > unable to get the Samba
> > re-joined to the domain.  Items checked and
> > verified:
> > I've verified more then once that the "Pre-windows
> > 2000" box is checked
> > when adding the machine account on the PDC.
> > I've double and tipple checked the account
> > credentials used with the
> > smbpasswd join command.
> > I've verified my syntax is correct
> > lmhosts and hosts files have proper entries
> > W2K wins server is up and has correct records
> > smb.conf has Samba pointed in the correct direction
> > for the WINS server on
> > the W2K box.
> > nmblookup is able to resolve the server, and domain
> > correctly and as expected.
> >
> > When I run the smbpasswd -j DOM -R SERVER -A user I
> > am prompted for the
> > password.  With Version 2.2.5-1 I receive the
> > expected message that the
> > domain was joined, and a quick check reveals that
> > the secrets.tdb is
> > created and in the proper location. Ownership and
> > group are both root, with
> > only root having rw access. I am able to enumerate
> > groups and users from
> > the domain using wbinfo -u or -g, and getent does
> > reveal domain users and
> > groups as well.  However, no users or groups are
> > able to authenticate into
> > the Samba server, despite what I believe to be
> > correct pam.d settings.
> > Message examples will appear below from logs.
> >
> > With Version 2.0.10-2 I run the same command,
> > however I receive an error
> > message, and am told that it was unable to join the
> > domain.   The
> > MACHINE.SID is created, and matches the record in
> > the W2K registry, however
> > the DOM.MACH.mac is not created.
> >
> >
> > The most common message that I see in the log.smdb
> > is:
> >
> >
>smbd/password.c:connect_to_domain_password_server(1328)
> >    connect_to_domain_password_server: machine SERVER
> > rejected the tconX on
> > the IPC$ share. Error was : NT_STATUS_ACCESS_DENIED.
> >
> > This is the message I receive with 2.0.10 when I try
> > to join the domain:
> >
> > modify_trust_password: machine SERVER rejected the
> > tconX on the IPC$ share.
> > Error was : ERRDOS - ERRnoaccess.
> > 2002/09/09 10:45:34 : change_trust_account_password:
> > Failed to change
> > password for domain DOMAIN.
> > Unable to join domain DOMAIN.
> >
> > Of course, the machine account is fresh and new on
> > each attempt.  It's
> > deleted, and the server rebooted before it is
> > re-added.  I've also tried
> > never before used machine account names with the
> > same result.  I've read on
> > a couple of different sites that M$ added some new
> > RPC calls via W2K SP2
> > which were not supported by pre 2.2 Samba.  However
> > what is it that I am
> > running into with the 2.2.x versions?
> >
> > Any thoughts, suggestions or questions are welcome
> > and
> > appreciated.  Obviously I could roll back to a
> > working configuration from
> > my tape backups, however I am not one who's mind
> > lends it's self well to
> > going backwards and "just getting it working."
> >
> > Thank you all for your time and suggestions.
> >
> > Aaron
> >
> >
> > --
> > To unsubscribe from this list go to the following
> > URL and read the
> > instructions:
>http://lists.samba.org/mailman/listinfo/samba
>
>
>__________________________________________________
>Do You Yahoo!?
>Yahoo! Finance - Get real-time stock quotes
>http://finance.yahoo.com
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  http://lists.samba.org/mailman/listinfo/samba