Bug 10227 - Windows station (XP or Seven with registry corrections) is unable to join samba 3.6.8 domain
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Domain Control
Version: 3.6.8
Hardware: x86 Solaris
Importance: P5 critical
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2013-10-24 09:39 UTC by olivier.delhomme
Modified: 2014-01-10 09:17 UTC

Adding mm-macassidy machine to the domain (3.82 KB, text/x-log)
2013-10-24 09:39 UTC, olivier.delhomme

Description olivier.delhomme 2013-10-24 09:39:46 UTC
Created attachment 9323
Adding mm-macassidy machine to the domain

None of our Windows stations are able to join the Samba domain. The error displayed by the Windows client is that the password is not correct (but indeed it is!).

System :
Oracle Solaris 10 1/13 s10x_u11wos_24a X86

Configuration file :

   workgroup = MATERIAUX
   netbios name = ISIS
   server string = SUN Samba Server
   security = user
   interfaces =
   domain logons = Yes
   preferred master = Yes
   domain master = Yes
   load printers = no
   printing = cups

   host msdfs = yes
  log level = 2
  log file = /var/samba/log/log.%U.%m
  os level = 255
  unix password sync = Yes
  time server = Yes
  logon script = logon.bat
  logon path = \\isis\profile\%U
  invalid users = bin, daemon, adm, sync, shutdown, halt, mail, uucp, gopher
  admin users = admin

  passdb backend = smbpasswd
  smb passwd file = /etc/sfw/smbpasswd
  username map = /etc/sfw/smbusers
  passwd program = /usr/bin/passwd %u

  wins support = yes

  wins proxy = yes
  dns proxy = no

  remote announce = \

 lm announce = yes

 add user script = /usr/sbin/useradd -g 10000 -c "%u" -d /dev/null -s /bin/false "%u"
 add machine script = /usr/sbin/useradd -g 10000 -c "Machine %u" -d /dev/null -s /bin/false "%u"

Then the shares follow.

testparm shows that the password chat is set to the default :
 passwd chat = *new*password* %n\n *new*password* %n\n *changed*

You'll find a log file in the attachment (only the part that shows the error).
In this log we try to add the mm-macassidy machine to the domain. It seems that
everything is ok (Get_Pwnam_internals did find user [mm-macassidy$]!) but
when invoking dochild in the chat_with_program function (chat_with_program: Dochild for user mm-macassidy$) invoking the passwd program is done with 'mm-macassidy_' where it should use mm-macassidy$ (Invoking '/usr/bin/passwd mm-macassidy_' as password change program). I suspect this program to fail with a no such user message (user mm-macassidy$ exists).

This behavior seems intentional in the code : line 605 of srv_samr_chgpasswd.c is invoking talloc_string_sub which is using talloc_string_sub2(mem_ctx, src, pattern, insert, true, false, false); stating that it should 'remove_unsafe_characters' and not 'allow_trailing_dollar'.

Any help to try to solve this would be much appreciated.
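
The substitution behaviour described in the report above, as an added example (not Samba's source and not part of the original report): a simplified model of a %u substitution driven by the two flags the description names. The function name model_string_sub, the UNSAFE character set and the sample name "a;b$c$" are assumptions constructed for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed set of characters that are risky in a command line (illustration). */
#define UNSAFE "$`\"';%\r\n"

/* Simplified model, NOT Samba's code. Replaces each occurrence of pattern in
 * src with a sanitized copy of insert. Returns a malloc'd string (caller
 * frees) or NULL on error. */
char *model_string_sub(const char *src, const char *pattern, const char *insert,
                       bool remove_unsafe_characters, bool allow_trailing_dollar)
{
    size_t lp = strlen(pattern), li = strlen(insert), hits = 0;
    if (lp == 0) return NULL;
    char *in = malloc(li + 1);
    if (in == NULL) return NULL;
    memcpy(in, insert, li + 1);
    for (size_t i = 0; i < li; i++) {
        /* A '$' in last position is the machine-account suffix. */
        if (allow_trailing_dollar && in[i] == '$' && i == li - 1) continue;
        if (remove_unsafe_characters && strchr(UNSAFE, in[i])) in[i] = '_';
    }
    for (const char *q = src; (q = strstr(q, pattern)) != NULL; q += lp) hits++;
    char *out = malloc(strlen(src) + hits * li + 1);   /* upper bound */
    if (out == NULL) { free(in); return NULL; }
    char *w = out;
    const char *p = src, *hit;
    while ((hit = strstr(p, pattern)) != NULL) {
        size_t n = (size_t)(hit - p);
        memcpy(w, p, n); w += n;       /* text before the pattern */
        memcpy(w, in, li); w += li;    /* sanitized insert */
        p = hit + lp;
    }
    strcpy(w, p);                      /* remainder of src */
    free(in);
    return out;
}

int main(void)
{
    const char *cmd = "/usr/bin/passwd %u";        /* passwd program from the report */
    const char *names[] = { "wlic$", "a;b$c$" };   /* second name is constructed */
    for (int i = 0; i < 2; i++)
        for (int allow = 0; allow <= 1; allow++) {
            char *r = model_string_sub(cmd, "%u", names[i], true, allow);
            if (r) puts(r);
            free(r);
        }
    return 0;
}
```

With the trailing dollar not allowed, the machine account name loses its suffix and the passwd program is asked about a user that does not exist; with it allowed, only the final '$' survives and every other character in the unsafe set is still replaced.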
Comment 1 olivier.delhomme 2013-12-17 14:26:29 UTC
When the parameter "passwd chat debug = yes" is set, it shows that the passwd program answers that the user "wlic_" is unknown (machine name in the log below is wlic$).

[2013/12/17 15:18:37.534595,  3] rpc_server/samr/srv_samr_chgpasswd.c:480(chat_with_program)
  chat_with_program: Dochild for user wlic$ (uid=0,gid=0) (as_root = Yes)
[2013/12/17 15:18:37.535730, 10] rpc_server/samr/srv_samr_chgpasswd.c:237(dochild)
  Invoking '/usr/bin/passwd wlic_' as password change program.
[2013/12/17 15:18:37.544416,  5] lib/util_sock.c:361(read_fd_with_timeout)
  read_fd_with_timeout: timeout read. EOF from client.
[2013/12/17 15:18:37.544506,  2] rpc_server/samr/srv_samr_chgpasswd.c:284(expect)
  expect: read error NT_STATUS_END_OF_FILE
[2013/12/17 15:18:37.544540, 100] rpc_server/samr/srv_samr_chgpasswd.c:309(expect)
  expect: expected [*new*password*] received [passwd: User unknown: wlic_
  Permission denied
  ] match no
[2013/12/17 15:18:37.544587,  2] rpc_server/samr/srv_samr_chgpasswd.c:315(expect)
[2013/12/17 15:18:37.544618,  3] rpc_server/samr/srv_samr_chgpasswd.c:350(talktochild)
  Response 1 incorrect
[2013/12/17 15:18:37.544648,  3] rpc_server/samr/srv_samr_chgpasswd.c:422(chat_with_program)
  chat_with_program: Child failed to change password: wlic$
[2013/12/17 15:18:37.545020,  3] rpc_server/samr/srv_samr_chgpasswd.c:454(chat_with_program)
  chat_with_program: The process exited with status 1 while we were waiting
Comment 2 olivier.delhomme 2014-01-10 09:17:42 UTC
I deleted the following smb.conf lines :

unix password sync = Yes
passwd program = /usr/bin/passwd %u

Leaving the passwd field at its default and not syncing the Unix password. Now a Windows 7 station is able to join the domain... it complains about a DNS error but still joins the domain.