Bug 3848 - Join by Windows XP clients fail
Summary: Join by Windows XP clients fail
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.23
Hardware: Other Windows XP
Importance: P3 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact: Samba QA Contact
Reported: 2006-06-20 11:34 UTC by Wilco Baan Hofman
Modified: 2006-06-21 04:01 UTC

3.0.22 level 10 log domain join by XP client (214.54 KB, text/plain)
2006-06-20 11:36 UTC, Wilco Baan Hofman
3.0.23rc3 level 10 log domain join by XP client (732.08 KB, text/plain)
2006-06-20 11:36 UTC, Wilco Baan Hofman
fix for pdb_ldap (757 bytes, patch)
2006-06-20 14:10 UTC, Volker Lendecke

Description Wilco Baan Hofman 2006-06-20 11:34:39 UTC
With 3.0.23rc1 I can't join Windows XP clients to the domain.
Same configuration with 3.0.22 works perfectly fine.

It fails with "Access Denied".

Searching the level 10 debug log for NT_STATUS_ACCESS_DENIED reveals:
[2006/06/20 18:19:35, 10] lib/smbldap.c:smbldap_modify(1377)
  Failed to modify dn: uid=ws035$,ou=Computers,dc=andolan, error: No such attribute (modify/delete: displayName: no such value)
[2006/06/20 18:19:35, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 1001) - sec_ctx_stack_ndx = 0
[2006/06/20 18:19:35, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 samr_io_r_set_userinfo
[2006/06/20 18:19:35, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
      0000 status: NT_STATUS_ACCESS_DENIED

Then I tried patching smbldap-useradd to include a displayName, but the message kept appearing in the log.

It does create the LDAP machine account through /usr/sbin/smbldap-useradd -w ws035$
dn: uid=ws035$,ou=Computers,dc=andolan
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
cn: ws035$
sn: ws035$
uid: ws035$
uidNumber: 10032
gidNumber: 10002
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
displayName: WS035$

I'm trying it with an account that is both a global admin user (admin users = @"Domain Admins") and is a member of group Domain Admins that has SeMachineAccountPrivilege.

I'm attaching two logs, 3.0.22 domain join log and 3.0.23rc3 domain join log.
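
The log search described in this report, as an added example that is not part of the original bug report or of Samba's code: it pairs each NT_STATUS_ACCESS_DENIED in a debug log with the RPC reply being marshalled and the nearest earlier smbldap failure. The function names, the 20-record window and the embedded sample (the excerpt quoted above) are assumptions of this example.

```python
import re

# Samba debug record header: "[2006/06/20 18:19:35, 10] lib/smbldap.c:smbldap_modify(1377)"
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+(?P<src>[^:\s]+):(?P<func>\w+)\((?P<line>\d+)\)")

# Constructed sample: the excerpt quoted in the bug description.
SAMPLE_LOG = """\
[2006/06/20 18:19:35, 10] lib/smbldap.c:smbldap_modify(1377)
  Failed to modify dn: uid=ws035$,ou=Computers,dc=andolan, error: No such attribute (modify/delete: displayName: no such value)
[2006/06/20 18:19:35, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 1001) - sec_ctx_stack_ndx = 0
[2006/06/20 18:19:35, 5] rpc_parse/parse_prs.c:prs_debug(84)
  000000 samr_io_r_set_userinfo
[2006/06/20 18:19:35, 5] rpc_parse/parse_prs.c:prs_ntstatus(763)
      0000 status: NT_STATUS_ACCESS_DENIED
"""

def parse_records(text):
    """Split a Samba log into records: one header line plus its indented body."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "body": []})
        elif records and line.strip():
            records[-1]["body"].append(line.strip())
    return records

def explain_denials(text, window=20):
    """For each NT_STATUS_ACCESS_DENIED, report the RPC reply being marshalled
    and the closest earlier smbldap failure within `window` records."""
    records = parse_records(text)
    findings = []
    for i, rec in enumerate(records):
        if not any("NT_STATUS_ACCESS_DENIED" in b for b in rec["body"]):
            continue
        finding = {"time": rec["ts"], "rpc": None, "ldap_error": None}
        for prev in reversed(records[max(0, i - window):i]):
            body = " ".join(prev["body"])
            if finding["rpc"] is None and prev["func"] == "prs_debug":
                finding["rpc"] = body.split()[-1]  # name of the reply structure
            if prev["src"] == "lib/smbldap.c" and "Failed to" in body:
                finding["ldap_error"] = body
                break
        findings.append(finding)
    return findings

if __name__ == "__main__":
    print(explain_denials(SAMPLE_LOG))
```

Run against a full level 10 log, this shows whether an access-denied status returned to the client is really a permissions problem or, as here, a backend LDAP modify failure surfaced under that status.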
Comment 1 Wilco Baan Hofman 2006-06-20 11:36:02 UTC
Created attachment 1970
3.0.22 level 10 log domain join by XP client
Comment 2 Wilco Baan Hofman 2006-06-20 11:36:38 UTC
Created attachment 1971
3.0.23rc3 level 10 log domain join by XP client
Comment 3 Gerald (Jerry) Carter (dead mail address) 2006-06-20 11:45:37 UTC
Could you test 3.0.23rc2? I think I remember Volker fixing a bug here.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2006-06-20 11:46:43 UTC
Sorry.  I see you already did.  I'll look at the logs.
Comment 5 Wilco Baan Hofman 2006-06-20 12:07:01 UTC
My bad, typo, didn't try 3.0.23rc1, only 3.0.23rc3.
Comment 6 Volker Lendecke 2006-06-20 13:50:19 UTC
Okay, I know what's going on. Thanks for testing this! Stay tuned....

Comment 7 Volker Lendecke 2006-06-20 14:10:26 UTC
Created attachment 1972
fix for pdb_ldap

Can you try the attached patch? I did not test it, as I don't have a full LDAP setup handy right now, but I'm pretty confident it fixes it.

Meanwhile I'm setting up an LDAP DC...

Thanks for testing this!

Comment 8 Volker Lendecke 2006-06-20 15:06:06 UTC
Ok, checked in the fix with r16427

Comment 9 Wilco Baan Hofman 2006-06-21 04:01:55 UTC
I love you guys, patch available within 3 hours!

Works for me.