Created attachment 9323
Adding mm-macassidy machine to the domain

None of our Windows stations are able to join the samba domain. The error displayed by the Windows client is that the password is not correct (but indeed it is!).

System: Oracle Solaris 10 1/13 s10x_u11wos_24a X86

Configuration file:

    [global]
    workgroup = MATERIAUX
    netbios name = ISIS
    server string = SUN Samba Server
    security = user
    interfaces = 10.1.1.7/8
    domain logons = Yes
    preferred master = Yes
    domain master = Yes
    load printers = no
    printing = cups
    host msdfs = yes
    log level = 2
    log file = /var/samba/log/log.%U.%m
    os level = 255
    unix password sync = Yes
    time server = Yes
    logon script = logon.bat
    logon path = \\isis\profile\%U
    invalid users = bin, daemon, adm, sync, shutdown, halt, mail, uucp, gopher
    admin users = admin
    passdb backend = smbpasswd
    smb passwd file = /etc/sfw/smbpasswd
    username map = /etc/sfw/smbusers
    passwd program = /usr/bin/passwd %u
    wins support = yes
    wins proxy = yes
    dns proxy = no
    remote announce = 192.168.12.255/MATERIAUX \
        192.168.14.255/MATERIAUX \
        192.168.15.255/MATERIAUX \
        192.168.16.255/MATERIAUX \
        192.168.17.255/MATERIAUX \
        192.168.18.255/MATERIAUX \
        192.168.19.255/MATERIAUX \
        192.168.21.255/MATERIAUX \
        192.168.23.255/MATERIAUX \
    socket options = IPTOS_LOWDELAY TCP_NODELAY
    lm announce = yes
    add user script = /usr/sbin/useradd -g 10000 -c "%u" -d /dev/null -s /bin/false "%u"
    add machine script = /usr/sbin/useradd -g 10000 -c "Machine %u" -d /dev/null -s /bin/false "%u"

Then the shares follow.

testparm shows that the password chat is set to the default:

    passwd chat = *new*password* %n\n *new*password* %n\n *changed*

You'll find a log file attached (only the part that shows the error). In this log we try to add the mm-macassidy machine to the domain. It seems that everything is OK (Get_Pwnam_internals did find user [mm-macassidy$]!) but when invoking dochild in the chat_with_program function (chat_with_program: Dochild for user mm-macassidy$), the passwd program is invoked with 'mm-macassidy_' where it should use mm-macassidy$ (Invoking '/usr/bin/passwd mm-macassidy_' as password change program). I suspect this program fails with a "no such user" message (user mm-macassidy$ exists).

This behavior seems intentional in the code: line 605 of srv_samr_chgpasswd.c invokes talloc_string_sub, which uses

    talloc_string_sub2(mem_ctx, src, pattern, insert, true, false, false);

stating that it should 'remove_unsafe_characters' and not 'allow_trailing_dollar'.

Any help to try to solve this would be much appreciated.

When the parameter "passwd chat debug = yes" is set, it shows that the passwd program answers that the user "wlic_" is unknown (the machine name in the log below is wlic$).

    2013/12/17 15:18:37.534595, 3] rpc_server/samr/srv_samr_chgpasswd.c:480(chat_with_program)
      chat_with_program: Dochild for user wlic$ (uid=0,gid=0) (as_root = Yes)
    [2013/12/17 15:18:37.535730, 10] rpc_server/samr/srv_samr_chgpasswd.c:237(dochild)
      Invoking '/usr/bin/passwd wlic_' as password change program.
    [2013/12/17 15:18:37.544416, 5] lib/util_sock.c:361(read_fd_with_timeout)
      read_fd_with_timeout: timeout read. EOF from client.
    [2013/12/17 15:18:37.544506, 2] rpc_server/samr/srv_samr_chgpasswd.c:284(expect)
      expect: read error NT_STATUS_END_OF_FILE
    [2013/12/17 15:18:37.544540, 100] rpc_server/samr/srv_samr_chgpasswd.c:309(expect)
      expect: expected [*new*password*] received [passwd: User unknown: wlic_ Permission denied ] match no
    [2013/12/17 15:18:37.544587, 2] rpc_server/samr/srv_samr_chgpasswd.c:315(expect)
      expect: NT_STATUS_END_OF_FILE
    [2013/12/17 15:18:37.544618, 3] rpc_server/samr/srv_samr_chgpasswd.c:350(talktochild)
      Response 1 incorrect
    [2013/12/17 15:18:37.544648, 3] rpc_server/samr/srv_samr_chgpasswd.c:422(chat_with_program)
      chat_with_program: Child failed to change password: wlic$
    [2013/12/17 15:18:37.545020, 3] rpc_server/samr/srv_samr_chgpasswd.c:454(chat_with_program)
      chat_with_program: The process exited with status 1 while we were waiting
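
The substitution seen in the log above (wlic$ becoming wlic_), reproduced as an added example that is not part of the original report and is not Samba's source. The function names and the exact set of characters treated as unsafe are assumptions made for illustration; only the two flags, remove unsafe characters and allow a trailing dollar, come from the report.

```c
/* Simplified model of the %u substitution; NOT Samba's code. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy `name`, turning shell-significant characters into '_'.
 * The character set is an assumption. A '$' in the last position
 * survives only when allow_trailing_dollar is set, because machine
 * account names end in '$'. Caller frees the result. */
static char *sanitize_name(const char *name, bool allow_trailing_dollar)
{
    size_t len = strlen(name);
    char *out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        bool trailing_dollar = (c == '$' && i == len - 1);
        if (strchr("$`\"';%\r\n", c) != NULL &&
            !(trailing_dollar && allow_trailing_dollar))
            c = '_';
        out[i] = c;
    }
    out[len] = '\0';
    return out;
}

/* Expand the first "%u" in `tmpl` (e.g. the passwd program setting)
 * with the sanitized account name. Caller frees the result. */
static char *expand_passwd_program(const char *tmpl, const char *name,
                                   bool allow_trailing_dollar)
{
    const char *hit = strstr(tmpl, "%u");
    char *safe = sanitize_name(name, allow_trailing_dollar);
    if (safe == NULL)
        return NULL;
    size_t prefix = hit ? (size_t)(hit - tmpl) : strlen(tmpl);
    const char *mid = hit ? safe : "";
    const char *tail = hit ? hit + 2 : "";
    size_t n = prefix + strlen(mid) + strlen(tail) + 1;
    char *cmd = malloc(n);
    if (cmd != NULL)
        snprintf(cmd, n, "%.*s%s%s", (int)prefix, tmpl, mid, tail);
    free(safe);
    return cmd;
}
```

With the flag off, the machine account name no longer matches any Unix user, which is the "User unknown" reply in the log; with it on, only the final '$' is preserved and any other '$' is still replaced.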

I deleted the following smb.conf lines:

    unix password sync = Yes
    passwd program = /usr/bin/passwd %u

Leaving the passwd field at its default and not syncing the Unix password. Now a Windows 7 is able to join the domain... it complains about a DNS error but still joins the domain.