Samba/LDAP/PDC: WinXP cannot join domain - Win2K can - SMB


  1. Samba/LDAP/PDC: WinXP cannot join domain - Win2K can

    I'm having difficulties getting Windows XP machines to join a Samba PDC
    (LDAP).
    I'm able to join Windows 2000 machines to the same domain with no
    problems, but WinXP machines fail with the error message: "Logon
    failure: unknown user name or bad password".

    In the Samba log file, things look a little more specific. Trouble is,
    I'm not sure what the exact denied message below means.

    The full log is attached but I think the error is in the part:

    [2005/02/03 17:03:43, 2] auth/auth.c:check_ntlm_password(305)
      check_ntlm_password: authentication for user [administrator] -> [administrator] -> [administrator] succeeded
    [2005/02/03 17:03:43, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
      Returning domain sid for domain TT-DOMAIN -> S-1-5-21-1949541414-3984647259-2642683083
    [2005/02/03 17:03:43, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
      _samr_open_domain: ACCESS DENIED (requested: 0000000211)

    (Full log below)

    [2005/02/03 17:03:43, 2] lib/smbldap.c:smbldap_search_domain_info(1373)
      Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TT-DOMAIN))]
    [2005/02/03 17:03:43, 2] lib/smbldap.c:smbldap_open_connection(692)
      smbldap_open_connection: connection opened
    [2005/02/03 17:03:43, 2] smbd/reply.c:reply_special(235)
      netbios connect: name1=SAMBA name2=FIONA
    [2005/02/03 17:03:43, 2] smbd/reply.c:reply_special(242)
      netbios connect: local=samba remote=fiona, name type = 0
    [2005/02/03 17:03:43, 2] smbd/sesssetup.c:setup_new_vc_session(608)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2005/02/03 17:03:43, 2] smbd/sesssetup.c:setup_new_vc_session(608)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2005/02/03 17:03:43, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
      init_sam_from_ldap: Entry found for user: administrator
    [2005/02/03 17:03:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
      init_group_from_ldap: Entry found for group: 513
    [2005/02/03 17:03:43, 2] auth/auth.c:check_ntlm_password(305)
      check_ntlm_password: authentication for user [administrator] -> [administrator] -> [administrator] succeeded
    [2005/02/03 17:03:43, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
      Returning domain sid for domain TT-DOMAIN -> S-1-5-21-1949541414-3984647259-2642683083
    [2005/02/03 17:03:43, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
      _samr_open_domain: ACCESS DENIED (requested: 0000000211)
    [2005/02/03 17:03:43, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
      Returning domain sid for domain TT-DOMAIN -> S-1-5-21-1949541414-3984647259-2642683083
    [2005/02/03 17:03:43, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
      _samr_create_user: ACCESS DENIED (granted: 0000000201; required: 0000000010)
    [2005/02/03 17:03:44, 2] smbd/server.c:exit_server(571)
      Closing connections
    [2005/02/03 17:03:44, 2] lib/smbldap.c:smbldap_search_domain_info(1373)
      Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TT-DOMAIN))]
    [2005/02/03 17:03:44, 2] lib/smbldap.c:smbldap_open_connection(692)
      smbldap_open_connection: connection opened
    [2005/02/03 17:03:44, 2] smbd/reply.c:reply_special(235)
      netbios connect: name1=SAMBA name2=FIONA
    [2005/02/03 17:03:44, 2] smbd/reply.c:reply_special(242)
      netbios connect: local=samba remote=fiona, name type = 0
    [2005/02/03 17:03:44, 2] smbd/sesssetup.c:setup_new_vc_session(608)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2005/02/03 17:03:44, 2] smbd/sesssetup.c:setup_new_vc_session(608)
      setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
    [2005/02/03 17:03:44, 2] passdb/pdb_ldap.c:init_sam_from_ldap(511)
      init_sam_from_ldap: Entry found for user: administrator
    [2005/02/03 17:03:44, 2] passdb/pdb_ldap.c:init_group_from_ldap(2011)
      init_group_from_ldap: Entry found for group: 513
    [2005/02/03 17:03:44, 2] auth/auth.c:check_ntlm_password(305)
      check_ntlm_password: authentication for user [administrator] -> [administrator] -> [administrator] succeeded
    [2005/02/03 17:03:45, 2] smbd/server.c:exit_server(571)
      Closing connections

    Any help would be greatly appreciated!


  2. Re: Samba/LDAP/PDC: WinXP cannot join domain - Win2K can

    Seem to have found a problem, and a makeshift solution.

    Am using the smbldap-tools package from idealx.

    I've noticed that the WinXP machine account isn't created, so thought
    to myself: what happens if I run the smbldap-useradd.pl script myself
    manually, rather than relying upon Samba to do so.

    Sure enough, I did so and created manually the machine (trust) account
    for the WinXP machine, fiona$, and next time it all works fine.

    Also have discovered that it's not so much a problem with WinXP. It
    affects Win2K too.
    The thing is, for the first machine I added, I didn't have a problem
    (it was a Win2K box). But for all subsequent PCs, it won't seem to work
    unless I create the machine account manually first.
    Doesn't make a great deal of sense to me...
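
The two ACCESS DENIED entries in the log from the first post can be decoded bit by bit. This is an added example, not part of either post and not Samba code: it assumes the masks are printed in hexadecimal and that the bits follow the domain access rights defined in MS-SAMR; the function names `decode` and `denied_events` are hypothetical.

```python
import re

# Domain-object access rights (names and bit values as defined in MS-SAMR).
DOMAIN_RIGHTS = {
    0x001: "DOMAIN_READ_PASSWORD_PARAMETERS",
    0x002: "DOMAIN_WRITE_PASSWORD_PARAMS",
    0x004: "DOMAIN_READ_OTHER_PARAMETERS",
    0x008: "DOMAIN_WRITE_OTHER_PARAMETERS",
    0x010: "DOMAIN_CREATE_USER",
    0x020: "DOMAIN_CREATE_GROUP",
    0x040: "DOMAIN_CREATE_ALIAS",
    0x080: "DOMAIN_GET_ALIAS_MEMBERSHIP",
    0x100: "DOMAIN_LIST_ACCOUNTS",
    0x200: "DOMAIN_LOOKUP",
    0x400: "DOMAIN_ADMINISTER_SERVER",
}

DENIED = re.compile(
    r"(?P<call>_samr_\w+): ACCESS DENIED \((?:requested: (?P<req>[0-9a-fA-F]+)"
    r"|granted: (?P<granted>[0-9a-fA-F]+); required: (?P<required>[0-9a-fA-F]+))\)")

# The two denial entries from the post, with the mail-style wrapping kept.
SAMPLE_LOG = """\
[2005/02/03 17:03:43, 2]
rpc_server/srv_samr_nt.c:access_check_samr_object(93)
_samr_open_domain: ACCESS DENIED (requested: 0000000211)
[2005/02/03 17:03:43, 2]
rpc_server/srv_samr_nt.c:access_check_samr_function(115)
_samr_create_user: ACCESS DENIED (granted: 0000000201; required:
0000000010)
"""

def decode(mask):
    return [name for bit, name in sorted(DOMAIN_RIGHTS.items()) if mask & bit]

def denied_events(log_text):
    """List each SAMR denial with the rights asked for and those missing."""
    flat = " ".join(log_text.split())  # undo line wrapping before matching
    events = []
    for m in DENIED.finditer(flat):
        # Assumption: masks are hex. A refused open grants nothing (granted = 0).
        wanted = int(m["req"] or m["required"], 16)
        granted = int(m["granted"], 16) if m["granted"] else 0
        events.append({"call": m["call"], "wanted": decode(wanted),
                       "missing": decode(wanted & ~granted)})
    return events

for event in denied_events(SAMPLE_LOG):  # one summary line per denial
    print(event["call"], "missing:", ", ".join(event["missing"]))
```

For the log in this thread, the only right missing from the granted mask in `_samr_create_user` is `DOMAIN_CREATE_USER`, which is consistent with the machine account not being created during the join.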

