samba - Mar 2012 - Adding to Samba domain requires super-user password

Hi,

Suddenly when I add a new workstation to out Samba3 (LDAP backend)
domain, I have to give the root username and password. When I set-up
the samba3 domain initially, I could use domain\admin user and their
password but that has started to give me "unknown user or bad
password". This last error is from a Windows7 machine I am currently
trying to add. I have merged the registry fix from
https://bugzilla.samba.org/attachment.cgi?id=4988&action=view.

Can someone offer me any pointers on how I can use a domain\admin
username and password to add workstations to the domain?
Thanks in advance.
Dermot.

What version of samba?

Do you have the same problems with an XP machine?
Are you able to login as domain administrator on machines already in the 
domain?  If you delete the local profile for domain administrator on a 
domain client, are you still able to login.  By deleteing the local 
profile you make sure you are not logging in with cached credentials.

Can you use the smbclient command on the server to validate that your 
Administrator account and password is valid?

Do you have a samba account defined for your root user?   that normally 
isn't needed, and wouldn't be in the LDAP backened.

Does pdbedit show your Administrator account?

Did this work prior to a samba upgrade.  I upgrade samba versions at 
some point and had problems adding machines.   Since I don't add new 
machines very often it took a while to detect and resolve this problem.  
Samba had trouble properly creating the LDAP attributes for the samba 
machine accounts.


If, when joining a domain,  you get an error that the "the specified 
network password is not correct."    Assuming the unix account for the 
machine exists, you may need to  recreating a samba account with 
smbpasswd  command.

#smbpasswd -x -m machinename
#smbpasswd -a -m machinename


Samba 3.5.x has trouble creating the LDAP attributes correctly.   It 
appears to incorrectly set sambaAccountFlags as "[U]" (user) instead
of
"[W]" (workstation).   When attempting to join a machine to the domain
you may get an error that the account already exists.  Use an LDAP 
editor to make sure  sambaAccountFlags is set to  "[W]."   (You can
used
pbedit to verify the setting but not to change it to "[W].")   Your PC
account should have the following entries.


         type:      sambaPrimaryGroupSID
         value:    S-1-x-xx-xxxxx-xxxxx-xxxxx-515
         type:      sambaAccountFlags
         value:     [W         ]






On 03/15/12 06:03, Dermot wrote:
> Hi,
>
> Suddenly when I add a new workstation to out Samba3 (LDAP backend)
> domain, I have to give the root username and password. When I set-up
> the samba3 domain initially, I could use domain\admin user and their
> password but that has started to give me "unknown user or bad
> password". This last error is from a Windows7 machine I am currently
> trying to add. I have merged the registry fix from
> https://bugzilla.samba.org/attachment.cgi?id=4988&action=view.
>
> Can someone offer me any pointers on how I can use a domain\admin
> username and password to add workstations to the domain?
> Thanks in advance.
> Dermot.