Bug 10227 - Windows station (XP or Seven with registry corrections) is unable to join samba 3.6.8 domain
Status: RESOLVED FIXED
Product: Samba 3.6
Classification: Unclassified
Component: Domain Control
Version: 3.6.8
Hardware: x86 Solaris
Importance: P5 critical
Assigned To: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2013-10-24 09:39 UTC by olivier.delhomme
Modified: 2014-01-10 09:17 UTC

Attachments
Adding mm-macassidy machine to the domain (3.82 KB, text/x-log)
2013-10-24 09:39 UTC, olivier.delhomme

Description olivier.delhomme 2013-10-24 09:39:46 UTC
Created attachment 9323
Adding mm-macassidy machine to the domain

None of our Windows stations are able to join the Samba domain. The error displayed by the Windows client is that the password is not correct (but indeed it is!).

System:
Oracle Solaris 10 1/13 s10x_u11wos_24a X86

Configuration file:

 [global]
   workgroup = MATERIAUX
   netbios name = ISIS
   server string = SUN Samba Server
   security = user
   interfaces = 10.1.1.7/8
   domain logons = Yes
   preferred master = Yes
   domain master = Yes
   load printers = no
   printing = cups

   host msdfs = yes
 
  log level = 2
  log file = /var/samba/log/log.%U.%m
  os level = 255
  unix password sync = Yes
  time server = Yes
  logon script = logon.bat
  logon path = \\isis\profile\%U
  invalid users = bin, daemon, adm, sync, shutdown, halt, mail, uucp, gopher
  admin users = admin

  passdb backend = smbpasswd
  smb passwd file = /etc/sfw/smbpasswd
  username map = /etc/sfw/smbusers
  passwd program = /usr/bin/passwd %u

  wins support = yes

  wins proxy = yes
  dns proxy = no

  remote announce =     192.168.12.255/MATERIAUX \
                        192.168.14.255/MATERIAUX \
                        192.168.15.255/MATERIAUX \
                        192.168.16.255/MATERIAUX \
                        192.168.17.255/MATERIAUX \
                        192.168.18.255/MATERIAUX \
                        192.168.19.255/MATERIAUX \
                        192.168.21.255/MATERIAUX \
                        192.168.23.255/MATERIAUX \

 socket options = IPTOS_LOWDELAY TCP_NODELAY
 lm announce = yes

 add user script = /usr/sbin/useradd -g 10000 -c "%u" -d /dev/null -s /bin/false "%u"
 add machine script = /usr/sbin/useradd -g 10000 -c "Machine %u" -d /dev/null -s /bin/false "%u"

Then the shares follow.

testparm shows that the password chat is set to the default:
 passwd chat = *new*password* %n\n *new*password* %n\n *changed*

You'll find a log file in the attachment (only the part that shows the error).
In this log we try to add the mm-macassidy machine to the domain. It seems that
everything is OK (Get_Pwnam_internals did find user [mm-macassidy$]!), but
when invoking dochild in the chat_with_program function (chat_with_program: Dochild for user mm-macassidy$), the passwd program is invoked with 'mm-macassidy_' where it should use mm-macassidy$ (Invoking '/usr/bin/passwd mm-macassidy_' as password change program). I suspect this program fails with a "no such user" message (user mm-macassidy$ exists).

This behavior seems intentional in the code: line 605 of srv_samr_chgpasswd.c invokes talloc_string_sub, which uses talloc_string_sub2(mem_ctx, src, pattern, insert, true, false, false); stating that it should 'remove_unsafe_characters' and not 'allow_trailing_dollar'.

Any help to try to solve this would be much appreciated.
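
Added illustration, not part of the original report and not Samba's source: a simplified stand-alone C model of the %u substitution described above, showing how the two flags decide whether the trailing $ of a machine account reaches the passwd command line. The name sub_model and the exact set of characters treated as unsafe are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not Samba source: sanitise `insert`, then substitute it
 * for every `pattern` in `tmpl`. The unsafe-character set is an assumption;
 * the page itself only shows '$' being rewritten to '_'.
 * Returns 0 on success, -1 if an argument or the result does not fit. */
int sub_model(const char *tmpl, const char *pattern, const char *insert,
              bool remove_unsafe, bool allow_trailing_dollar,
              char *out, size_t outlen)
{
    char in[256];
    size_t lp = strlen(pattern), li = strlen(insert), used = 0;

    if (lp == 0 || outlen == 0 || li >= sizeof(in))
        return -1;
    strcpy(in, insert);
    for (size_t i = 0; i < li; i++) {
        /* A final '$' marks a machine account and may be kept on request. */
        if (in[i] == '$' && allow_trailing_dollar && i == li - 1)
            continue;
        if (remove_unsafe && strchr("$`\"';%\r\n", in[i]) != NULL)
            in[i] = '_';
    }
    while (*tmpl) {
        bool hit = strncmp(tmpl, pattern, lp) == 0;
        size_t add = hit ? li : 1;
        if (used + add >= outlen)
            return -1;
        memcpy(out + used, hit ? in : tmpl, add);
        used += add;
        tmpl += hit ? lp : 1;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    char cmd[128];
    /* Machine account name from the bug description, both flag settings. */
    for (int allow = 0; allow <= 1; allow++)
        if (sub_model("/usr/bin/passwd %u", "%u", "mm-macassidy$", true,
                      allow != 0, cmd, sizeof cmd) == 0)
            printf("allow_trailing_dollar=%d: %s\n", allow, cmd);
    return 0;
}
```

With the flag combination quoted in the report (unsafe characters removed, trailing dollar not allowed) the model produces the same command string as the attached log.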
Comment 1 olivier.delhomme 2013-12-17 14:26:29 UTC
When the parameter "passwd chat debug = yes" is set, it shows that the passwd program answers that the user "wlic_" is unknown (machine name in the log below is wlic$).


[2013/12/17 15:18:37.534595,  3] rpc_server/samr/srv_samr_chgpasswd.c:480(chat_with_program)
  chat_with_program: Dochild for user wlic$ (uid=0,gid=0) (as_root = Yes)
[2013/12/17 15:18:37.535730, 10] rpc_server/samr/srv_samr_chgpasswd.c:237(dochild)
  Invoking '/usr/bin/passwd wlic_' as password change program.
[2013/12/17 15:18:37.544416,  5] lib/util_sock.c:361(read_fd_with_timeout)
  read_fd_with_timeout: timeout read. EOF from client.
[2013/12/17 15:18:37.544506,  2] rpc_server/samr/srv_samr_chgpasswd.c:284(expect)
  expect: read error NT_STATUS_END_OF_FILE
[2013/12/17 15:18:37.544540, 100] rpc_server/samr/srv_samr_chgpasswd.c:309(expect)
  expect: expected [*new*password*] received [passwd: User unknown: wlic_
  Permission denied
  ] match no
[2013/12/17 15:18:37.544587,  2] rpc_server/samr/srv_samr_chgpasswd.c:315(expect)
  expect: NT_STATUS_END_OF_FILE
[2013/12/17 15:18:37.544618,  3] rpc_server/samr/srv_samr_chgpasswd.c:350(talktochild)
  Response 1 incorrect
[2013/12/17 15:18:37.544648,  3] rpc_server/samr/srv_samr_chgpasswd.c:422(chat_with_program)
  chat_with_program: Child failed to change password: wlic$
[2013/12/17 15:18:37.545020,  3] rpc_server/samr/srv_samr_chgpasswd.c:454(chat_with_program)
  chat_with_program: The process exited with status 1 while we were waiting
Comment 2 olivier.delhomme 2014-01-10 09:17:42 UTC
I deleted the following smb.conf lines:

unix password sync = Yes
passwd program = /usr/bin/passwd %u

Leaving the passwd field at its default and not syncing the Unix password. Now a Windows 7 station is able to join the domain... it complains about a DNS error but still joins the domain.