I'm not able to add Win clients to my domain anymore. I receive an error on the PC (2000 or XP):

"The following error occurred attempting to join the domain "[DOMAIN]":
Logon failure: unknown user name or password."

But I am able to log on to the server when accessing shares and printers. This error message only appears when joining the domain.

And on the Mac OS X 10.4.7 (Samba 3.0.10) server I get the following in my log.smbd:

[2006/08/22 11:32:03, 2] /SourceCache/samba/samba-92.20/samba/source/auth/auth.c:check_ntlm_password(360)
  check_ntlm_password: authentication for user [tmpadmin] -> [tmpadmin] -> [tmpadmin] succeeded
[2006/08/22 11:32:03, 2] /SourceCache/samba/samba-92.20/samba/source/lib/module.c:do_smb_load_module(63)
  Module '/usr/lib/samba/vfs/darwin_acls.so' loaded
[2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/source/rpc_server/srv_samr_nt.c:_samr_lookup_domain(2531)
  Returning domain sid for domain [DOMAIN] -> S-1-5-21-457614760-3765950544-3595693477
[2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/source/rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/source/rpc_server/srv_samr_nt.c:_samr_lookup_domain(2531)
  Returning domain sid for domain [DOMAIN] -> S-1-5-21-457614760-3765950544-3595693477
[2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/source/rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_user: ACCESS DENIED (requested: 0x000000b0)
[2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/source/rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_user: ACCESS DENIED (requested: 0x00000090)
[2006/08/22 11:32:04, 2] /SourceCache/samba/samba-92.20/samba/source/smbd/server.c:exit_server(595)
  Closing connections

where DOMAIN is my domain name and tmpadmin is a user account with all privileges.

I've been googling (oops, I'm not sure I can say that :-)) and reading all the documentation I could find, but without any luck.

What's strange is that when the server was installed I was able to add a lot of clients. Then I've probably done something wrong and now I'm getting into trouble. So, what have I been doing?

Editing /etc/smb.conf
* Adding the line: logon home = \\[FILESERVER]\%U
* Removing the line: #logon path = \\%N\profiles\%u

Adding a group mapping with the command net
    net groupmap add ntgroup="Domain Admins" unixgroup="admin" type=domain
    net groupmap cleanup
but also reverted back to default group mappings.

Reconfigured the Windows service by removing /var/samba and /etc/smb.conf. Didn't help.

Editing /etc/openldap/slapd.conf:
* Adding a schema from ldapuserdata (a Squirrelmail plug-in) but have removed this schema now.

Are there other services/configuration files I have to look at?

Do you have ANY tips? This is starting to get urgent for me now!

I've now tried a couple of other things without success:

I run this command to try to add the server which is the PDC to the domain:

    net rpc join -S [SERVER] -Uroot%[password]

Today that command gave me the following output:

[2006/08/23 09:23:07, 0] /SourceCache/samba/samba-92.9/samba/source/utils/net_rpc_join.c:net_rpc_join_newstyle(279)
  error setting trust account password: NT_STATUS_ACCESS_DENIED
Unable to join domain [DOMAIN].

Yesterday I got a bit more interesting error message including

decode_pw_buffer: incorrect password length (945999123).

After searching the web I found two references regarding Mac OS X server and Samba about this:

At AFP548:
http://www.afp548.com/forum/viewtopic.php?showtopic=11873

There were a couple of suggestions:

1. Change the server from PDC to Single Server and back again. In a way I've tried that by removing the /etc/smb.conf and /var/samba.

2. Set the password of the directory administrator a couple of times and then it should work. Tried that but it didn't work for me.

At this mailing list in August 2005:

3. A tip from Michael Bartosh: /usr/bin/opendirectorypdbconfig -c set_authenticator -r admin-name -p xxxxx -n /LDAPv3/127.0.0.1
Tried it, but didn't work.

At the moment I believe it may be the file

/var/db/samba/secrets.tdb

since I didn't delete it when I reconfigured Samba. I was also surprised that the SID of the Samba domain didn't change when I reconfigured Samba.

My question is then: Is it safe to rename this file and then start Samba again? Or will the domain lose its SID and I have to add all the Win clients again? But if I run the command:

    sudo net getlocalsid [DOMAIN]

before the renaming and then run the command:

    net setlocalsid SID

after. Will this procedure do it?

Regards,

Lars-Gunnar Persson
Lars-Gunnar Persson
2006-Aug-23 13:13 UTC
[Samba] Problems adding Win clients to domain [SOLVED]
I found the reason for this strange Samba behaviour: The line "admin users = " in the smb.conf file was missing. I don't know how but that was the reason.

A bit embarrassing but at least I'm breathing now.

Regards,
Lars-Gunnar Persson

Lars-Gunnar Persson
Nansen Environmental and Remote Sensing Center
Thormøhlensgt. 47, N-5006 BERGEN, NORWAY
Phone : + 47 55 20 58 31, Fax: + 47 55 20 58 01
Mobile : + 47 932 23 560, E-mail : lars-gunnar.persson@nersc.no
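Added example, not part of the thread or of Samba itself: a small log.smbd triage script showing that the join failure above is an authorization denial on SAMR after a successful NTLM authentication, not a bad password as the client message suggests. The sample log is constructed from the lines quoted in the thread (source paths shortened), the function names are hypothetical, and the access-right names are taken from the MS-SAMR specification rather than from the page.

```python
import re

# Constructed sample in the two-line log.smbd layout quoted in the thread.
SAMPLE_LOG = """\
[2006/08/22 11:32:03, 2] auth/auth.c:check_ntlm_password(360)
  check_ntlm_password: authentication for user [tmpadmin] -> [tmpadmin] -> [tmpadmin] succeeded
[2006/08/22 11:32:04, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2006/08/22 11:32:04, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_user: ACCESS DENIED (requested: 0x000000b0)
"""

# Access-right bit names from MS-SAMR (an assumption, not from the thread); partial tables.
DOMAIN_BITS = {0x001: "READ_PASSWORD_PARAMETERS", 0x010: "CREATE_USER",
               0x100: "LIST_ACCOUNTS", 0x200: "LOOKUP"}
USER_BITS = {0x010: "READ_ACCOUNT", 0x020: "WRITE_ACCOUNT",
             0x040: "CHANGE_PASSWORD", 0x080: "FORCE_PASSWORD_CHANGE"}

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\]")
AUTH_OK = re.compile(r"authentication for user \[([^\]]+)\].*succeeded")
DENIED = re.compile(r"(_samr_open_(domain|user)): ACCESS DENIED \(requested: (0x[0-9a-fA-F]+)\)")

def decode_mask(mask, table):
    """Name the known bits of an access mask; report leftover bits as hex."""
    names = [name for bit, name in sorted(table.items()) if mask & bit]
    unknown = mask & ~sum(table)  # keys are distinct bits, so sum == OR
    if unknown:
        names.append(hex(unknown))
    return names

def find_denied_after_auth(log_text):
    """Return SAMR denials logged after a successful NTLM authentication."""
    findings, user, stamp = [], None, None
    for line in log_text.splitlines():
        if m := HEADER.match(line):
            stamp = m.group(1)
        elif m := AUTH_OK.search(line):
            user = m.group(1)
        elif (m := DENIED.search(line)) and user:
            table = DOMAIN_BITS if m.group(2) == "domain" else USER_BITS
            findings.append({"time": stamp, "user": user, "call": m.group(1),
                             "rights": decode_mask(int(m.group(3), 16), table)})
    return findings

if __name__ == "__main__":
    for f in find_denied_after_auth(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} {f['call']} denied: {', '.join(f['rights'])}")
```

A denied request for CREATE_USER on the domain handle right after a successful logon points at the account's privileges on the server (here, the missing "admin users" line), not at its credentials.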