Karnowski, David
2006-Jan-19 12:14 UTC
[Samba] Must you "net join" for the Samba machine to become a domain member?
Question: I want to set up a Samba server as a domain member, allowing Windows PCs to map Unix server directories, but having the authentication performed by our Windows Domain Controller(s). I'm basically following this example from the Samba docs:

http://us1.samba.org/samba/docs/man/Samba3-HOWTO/domain-member.html#id2538809

It appears to me that I must "net join" the domain from the Samba server for this to work. Is this correct? Are there alternatives?

My problem is that this "net use" command requires some manual intervention (entering a password for a domain user) that we'd rather avoid. We want to set up an automated Samba package installation with no manual intervention and no hard-coded usernames and passwords.

If it must "join" the domain, why doesn't Samba try to join the domain automatically (if it's not already joined) using the credentials of the first user who tries to map a drive? Or does it try to join automatically, and something is wrong in my config that's preventing it?

Boring Details:

Running Samba 3.0.20b on Solaris. Here's my samba.conf:

    [global]
        security = domain
        workgroup = CORP
        password server = jfk1dc1.corp.etradegrp.com
        log level = 10
        log file = /etrade/home/dkarnows/work/samba/logs/%m.log
        netbios name = DEV1NY
        lock directory = /etrade/home/dkarnows/work/samba/locks
        pid directory = /etrade/home/dkarnows/work/samba/locks
        private dir = /etrade/home/dkarnows/work/samba/private

    [homes]
        comment = Home Directories
        read only = No
        create mask = 0750
        browseable = No
        guest ok = no
        preserve case = yes

We've added my Samba server ("DEV1NY") to the "CORP" domain (I can see it listed when I run svrmgr.exe). So I start the smbd & nmbd daemons. I have NOT run a "net join" command on my Samba server yet.
Then, on my Win2000 workstation, I try to map my Unix home:

    \\dev1ny.etrade.com\dkarnows

but it fails with a pop-up that says:

    The mapped network drive could not be created because the following error has occurred:
    Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied.

On the Samba server side I have this in the <workstation_name>.log file:

    [2006/01/18 17:04:20, 2] smbd/sesssetup.c:setup_new_vc_session(704)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2006/01/18 17:04:20, 2] smbd/sesssetup.c:setup_new_vc_session(704)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2006/01/18 17:04:20, 0] auth/auth_domain.c:check_ntdomain_security(284)
      check_ntdomain_security: could not fetch trust account password for domain 'CORP'
    [2006/01/18 17:04:20, 2] auth/auth.c:check_ntlm_password(317)
      check_ntlm_password: Authentication for user [dkarnows] -> [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO

So then I manually join the Samba server (DEV1NY) to the CORP domain:

    net rpc join -w CORP -U dkarnows -s `pwd`/smb.conf -S jfk1dc1.corp.etradegrp.com

and then, once I've entered the password I've been prompted for, I try to map the drive again and it works fine.

Any help appreciated,

David Karnowski
Adam Nielsen
2006-Jan-19 23:29 UTC
[Samba] Must you "net join" for the Samba machine to become a domain member?
> If it must "join" the domain why doesn't Samba try to join the domain
> automatically (if it's not already joined) using the credentials of
> the first user who tries to map a drive?

Probably because a normal user trying to map a drive isn't a Domain Admin, and generally only Domain Admins can add computers into domains.

I think you misunderstand the purpose of joining a domain. You don't join with specific credentials (e.g. a user mapping a drive); you use a domain admin's credentials to add Samba into the domain, which means from that point forward Samba is "allowed" to ask the domain to check passwords instead of doing so itself. This is greatly simplified, but until Samba is a member of the domain you'll usually be prompted for a password.

> It appears to me that I must "net join" the domain from the Samba
> server for this to work. Is this correct? Are there alternatives?

There's no need. If I understand the process correctly, once you've added Samba to the domain (while logged in as a Domain Admin) Samba creates its own login name and password (a 'machine' account). From this point on Samba logs in with these credentials whenever it needs access to the domain - anything from getting a list of users to checking whether the supplied password is correct.

Actually there is one alternative, that of specifying a "password server", however IMHO joining a domain is a 'cleaner' solution, even if it requires a bit more work.

> My problem is that this "net use" command requires some manual
> intervention (entering a password for a domain user) that we'd rather
> avoid.

Once you've successfully joined the domain this will work the way you expect (assuming Samba/winbind is configured correctly).

Cheers,
Adam.
Karnowski, David
2006-Jan-20 00:00 UTC
[Samba] Must you "net join" for the Samba machine to become a domain member?
>> If it must "join" the domain why doesn't Samba try to join the domain
>> automatically (if it's not already joined) using the credentials of
>> the first user who tries to map a drive?

> Probably because a normal user trying to map a drive isn't a Domain
> Admin, and generally only Domain Admins can add computers into domains.

> I think you misunderstand the purpose of joining a domain. You don't
> join with specific credentials (e.g. a user mapping a drive), you use a
> domain admin's credentials to add Samba into the domain, which means
> from that point forward Samba is "allowed" to ask the domain to
> check passwords instead of doing so itself. This is greatly
> simplified, but until Samba is a member of the domain you'll usually be
> prompted for a password.

>> It appears to me that I must "net join" the domain from the Samba
>> server for this to work. Is this correct? Are there alternatives?

> There's no need. If I understand the process correctly, once you've
> added Samba to the domain (while logged in as a Domain Admin) Samba
> creates its own login name and password (a 'machine' account). From
> this point on Samba logs in with these credentials whenever it needs
> access to the domain - anything from getting a list of users to
> checking whether the supplied password is correct.

Thanks for your detailed response, Adam. The thing is that we already manually added the server to the domain (i.e. created a "computer account" for the Samba machine in the domain manually using the standard Windows GUI tools).

The reason, in my case, I believe I have to do a "net join" is to populate the "private/secrets.tdb" with some ID of the domain I'm interested in. I noticed that when I start the Samba daemons (without first doing a "net join") and then try to map a drive, it automatically finds info on some of our domains ("WINPROD" & "VTIDEV.CA") but not the one I'm interested in ("CORP").
Below is part of the log when I try to map a drive without first doing the "net join". If I do the "net join" then the "private/secrets.tdb" gets populated for the "CORP" domain and then the drive mapping works fine.

So I guess my question is: How does Samba automatically discover the info for some domains and not others? Where is it getting this discovery from? And what can I do to make it discover the domain I'm interested in ("CORP") without having to do a "net join"?

    [2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
      trustdom_store: storing SID S-1-5-21-73586283-436374069-725345543 of domain WINPROD
    [2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
      Adding cache entry with key = TDOM/WINPROD; value = S-1-5-21-73586283-436374069-725345543 and timeout = Thu Jan 19 18:58:35 2006 (600 seconds ahead)
    [2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
      trustdom_store: storing SID S-1-5-21-968365403-1350775402-1971066577 of domain VTIDEV.CA
    [2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
      Adding cache entry with key = TDOM/VTIDEV.CA; value = S-1-5-21-968365403-1350775402-1971066577 and timeout = Thu Jan 19 18:58:35 2006 (600 seconds ahead)
    [2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
      Adding cache entry with key = TDOMCACHE/TIMESTAMP; value = 1137714515 and timeout = Thu Jan 19 18:58:35 2006 (600 seconds ahead)
    [2006/01/19 18:48:35, 10] lib/gencache.c:gencache_get(285)
      Cache entry with key = TDOM/CORP couldn't be found
    [2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
      no entry for trusted domain CORP found.
    ...
    [2006/01/19 18:48:36, 6] auth/auth_sam.c:check_samstrict_security(379)
      check_samstrict_security: CORP is not one of my local names (ROLE_DOMAIN_MEMBER)
    ...
    [2006/01/19 18:48:36, 5] passdb/secrets.c:secrets_fetch_trust_account_password(288)
      secrets_fetch failed!
    [2006/01/19 18:48:36, 0] auth/auth_domain.c:check_ntdomain_security(284)
      check_ntdomain_security: could not fetch trust account password for domain 'CORP'
    [2006/01/19 18:48:36, 5] auth/auth.c:check_ntlm_password(271)
      check_ntlm_password: winbind authentication for user [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
    [2006/01/19 18:48:36, 2] auth/auth.c:check_ntlm_password(317)
      check_ntlm_password: Authentication for user [dkarnows] -> [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
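As an added example (not code from the thread or from the Samba project), a small Python parser for the Samba 3 debug-log format quoted above: it groups the header/message line pairs into entries, records which trusted domains smbd discovered through trustdom_cache, and flags any domain for which the machine trust password could not be fetched from secrets.tdb, which is the "not joined" condition David hits for CORP. The sample log is constructed from the lines quoted in the thread, with the 80-column wraps of the original mail kept on one entry to show that continuation lines are rejoined.

```python
import re
# Header of a Samba 3 debug-log entry; the message follows on the next line(s).
HEADER_RE = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+), (?P<level>\d+)\] "
                       r"(?P<src>[\w./]+):(?P<func>\w+)\((?P<line>\d+)\)$")
# Message patterns taken from the lines quoted in the thread.
TRUSTDOM_RE = re.compile(r"storing SID (?P<sid>S-1-5-21(?:-\d+)+) of domain (?P<dom>\S+)")
NO_TRUST_RE = re.compile(r"could not fetch trust account password for domain '(?P<dom>[^']+)'")
NT_STATUS_RE = re.compile(r"FAILED with error (?P<status>NT_STATUS_\w+)")

def parse_entries(text):
    """Group raw log text into entries: {'ts','level','src','func','line','msg'}."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = dict(m.groupdict(), msg="")
            current["level"] = int(current["level"])
            entries.append(current)
        elif current is not None:  # wrapped continuation of the previous message
            current["msg"] = (current["msg"] + " " + line).strip()
    return entries

def diagnose_join(text):
    """Report discovered trusted domains and any domain whose machine trust is missing."""
    discovered, missing, statuses = {}, [], set()
    for e in parse_entries(text):
        if (m := TRUSTDOM_RE.search(e["msg"])):
            discovered[m["dom"]] = m["sid"]
        if (m := NO_TRUST_RE.search(e["msg"])) and m["dom"] not in missing:
            missing.append(m["dom"])  # secrets.tdb has no trust password for it
        if (m := NT_STATUS_RE.search(e["msg"])):
            statuses.add(m["status"])
    return {"trusted_domains": discovered, "missing_trust": missing,
            "nt_status": sorted(statuses), "joined": not missing}

# Constructed sample modelled on the thread's log excerpt (not a real capture).
SAMPLE_LOG = """\
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
  trustdom_store: storing SID S-1-5-21-73586283-436374069-725345543 of domain WINPROD
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
  trustdom_store: storing SID S-1-5-21-968365403-1350775402-1971066577 of domain VTIDEV.CA
[2006/01/19 18:48:36, 0] auth/auth_domain.c:check_ntdomain_security(284)
  check_ntdomain_security: could not fetch trust account password for domain 'CORP'
[2006/01/19 18:48:36, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password: Authentication for user [dkarnows] -> [dkarnows] FAILED with
  error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
"""
```

Running `diagnose_join(SAMPLE_LOG)` reports WINPROD and VTIDEV.CA as discovered trusted domains, CORP as the domain with no machine trust, and `joined` as False; on a host where the join has populated secrets.tdb the `missing_trust` list stays empty.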
Karnowski, David
2006-Jan-23 14:54 UTC
[Samba] Must you "net join" for the Samba machine to become a domain member?
> When you manually add the server to the domain, the problem is that
> Samba doesn't know what the password is. You can set one with the
> 'net' command I think, however it's much easier to delete the manually
> added computer and run 'net join', that way Samba does the adding and
> you're guaranteed that it will know the machine account credentials.
...
> I'd strongly recommend doing a 'net join', as the Samba configuration
> will be metaphorically held together with sticky tape if you don't, and
> I wouldn't be at all surprised if it failed at a later date for
> seemingly no reason.

Thanks for your help again, Adam. The problem on our side is that the Windows world and Unix world are administered by separate departments. They're not going to be sharing administrative passwords with each other.

I am still doing that "net join", but using my own domain account (which is not an administrator), and it seems to be OK provided someone manually added the machine account on the Windows side. I was hoping to have it totally automated (on the Unix side at least) with no hard-coded passwords, but I guess it can't work this way.

I'll keep my eye open for that "failing at a later date for seemingly no reason" thing :-)

Thanks again,
David