Hi all,

My apologies for filing this bug report. However, I'd done no less than 3 posts to the samba mail list with zero responses. I have a log file from the failed attempts to use net join to connect the solaris samba server to the windows domain I'm willing to share.

The PDC is a Win 2003 server that was recently upgraded to SP2. Prior to this upgrade everything worked fine. The samba version is 3.0.24 from sunfreeware.com and the smb.conf file is pretty basic:

    security = domain
    workgroup = <our domain name>
    password server = *

I have even tried to set both the client schannel and server schannel options to no. That doesn't seem to make a difference.

Now after the SP2 upgrade, when we do the net join command the error is:

    > ./net rpc join -U administrator%password -d10
    Could not initialise lsa pipe
    [2007/04/06 16:21:56, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
      net_rpc_join_ok: failed to get schannel session key from server D2DMAIL for domain D2D. Error was NT_STATUS_ACCESS_DENIED
    Unable to join domain D2D.

However, when looking through the debuglog file, it is clear that some connection is made and proper handshaking is done. In fact, there are no failure messages in the DC log files!
Created attachment 2376 [details] This is the output from the net join command. The very first line in the file is the command used to join the domain.
Just curious, why are you using security = domain rather than security = ads?
Kris, please attach your full smb.conf. Thanks.
Out of 3 developers, none of us can repro this.
Hi all, First let me thank everyone for investigating this!!! We really feel kind of stupid for not being able to figure this out since everything worked in December and January of this year. I'm using security = domain because the binary on sunfreeware.com was not built with support for ads. And, it worked prior to the SP2 upgrade. I have heard from someone that has the same issues with the Small Business Edition of Win 2003 Server w/ SP2. But, that is beside the point. I was hoping there was something obvious in the debug output of the net join command that would translate into a different setting in the domain controller. Although we have flipped every setting switch we could after reading various postings and such. I'll log on again in about an hour from my work machine so that I can upload the smb.conf file. Thank you so much!!! Regards, Kris
I'd suggest cranking up the auditing on the windows side and see what shows up in the event log.
Created attachment 2383 [details] entire smb.conf The client and server schannel settings are commented out because they were not in our original smb.conf file when this all worked. Adding them didn't help with the current situation.
Any difference in 3.0.25rc2 ?
Hi, I've only ever used pre-compiled binaries either from sunfreeware.com or samba.org. It will take me a bit to download and compile 3.0.25rc2 myself. But, I will try this week. Thanks! - Kris
The net rpc join command still fails with 3.0.25rc2. :-( Here are some excerpts from the log file that are a bit confusing to me. In the bit below it seems the schannel connection is successful . . .

    [2007/04/23 15:44:08, 5] rpc_client/cli_pipe.c:check_bind_response(1701)
      check_bind_response: accepted!
    [2007/04/23 15:44:08, 10] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel_with_key(2543)
      cli_rpc_pipe_open_schannel_with_key: opened pipe \NETLOGON to machine D2DMAIL for domain D2D and bound using schannel.
    [2007/04/23 15:44:08, 10] libsmb/smb_signing.c:simple_packet_signature(283)
      simple_packet_signature: sequence number 50
    [2007/04/23 15:44:08, 10] libsmb/smb_signing.c:client_sign_outgoing_message(349)
      client_sign_outgoing_message: sent SMB signature of
    [2007/04/23 15:44:08, 10] lib/util.c:dump_data(2249)
      [000] 68 93 20 2E 7E D9 A7 CD h. .~??Í
    [2007/04/23 15:44:08, 10] libsmb/smb_signing.c:store_sequence_for_reply(68)
      store_sequence_for_reply: stored seq = 51 mid = 28
    [2007/04/23 15:44:08, 6] libsmb/clientgen.c:write_socket(153)
      write_socket(4,45)
    [2007/04/23 15:44:08, 6] libsmb/clientgen.c:write_socket(156)
      write_socket(4,45) wrote 45
    [2007/04/23 15:44:08, 10] lib/util_sock.c:read_smb_length_return_keepalive(623)
      got smb length of 35

But here is where things fail just a bit later on in the log file . . .

    [2007/04/23 15:44:08, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2222)
      cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine D2DMAIL. Error was NT_STATUS_ACCESS_DENIED
    [2007/04/23 15:44:08, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
      net_rpc_join_ok: failed to get schannel session key from server D2DMAIL for domain D2D. Error was NT_STATUS_ACCESS_DENIED
    [2007/04/23 15:44:08, 6] libsmb/clientgen.c:write_socket(153)
      write_socket(7,39)
    [2007/04/23 15:44:08, 6] libsmb/clientgen.c:write_socket(156)
      write_socket(7,39) wrote 39
    [2007/04/23 15:44:08, 10] lib/util_sock.c:read_smb_length_return_keepalive(623)
      got smb length of 35

A previous suggestion was to turn on other logging features of the PDC. As the UNIX admin I don't know what to suggest to the windows admin in this case. Please provide additional information. I'll attach the latest debug log file in a second.

Many thanks, Kris
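Added example, not part of the original thread or of Samba's code: a small triage script for a `-d10` debug log like the one excerpted in the comment above. It splits the log into entries by their `[date, level] file:function(line)` header and reports, per named pipe, whether an schannel bind succeeded before a later open was refused. The `SAMPLE` text is constructed from the lines quoted in the comment; the names `parse`, `triage` and `Entry` are illustrative.

```python
import re
from collections import namedtuple

# Header of a Samba 3.x debug entry: [date time, level] file:function(line)
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+"
                    r"([\w./-]+):(\w+)\((\d+)\)")
STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")
PIPE = re.compile(r"pipe (\\\w+)")

Entry = namedtuple("Entry", "when level source func message")

def parse(text):
    """Split a debug log into entries; works on wrapped or flattened text."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        msg = " ".join(text[h.end():end].split())  # collapse line wraps
        entries.append(Entry(h[1], int(h[2]), f"{h[3]}:{h[5]}", h[4], msg))
    return entries

def triage(entries):
    """Return (failures, pipes): failing entries and per-pipe event history."""
    failures, pipes = [], {}
    for e in entries:
        codes = [c for c in STATUS.findall(e.message) if c != "NT_STATUS_OK"]
        pipe = PIPE.search(e.message)
        if codes:
            failures.append((e.when, e.level, e.func, codes[0]))
            if pipe:
                pipes.setdefault(pipe[1], []).append("denied:" + codes[0])
        elif pipe and "bound using schannel" in e.message:
            pipes.setdefault(pipe[1], []).append("schannel-bind-ok")
    return failures, pipes

# Constructed sample, abridged from the excerpts quoted in the comment above.
SAMPLE = r"""
[2007/04/23 15:44:08, 10] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel_with_key(2543)
  cli_rpc_pipe_open_schannel_with_key: opened pipe \NETLOGON to machine D2DMAIL for domain D2D and bound using schannel.
[2007/04/23 15:44:08, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2222)
  cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine D2DMAIL. Error was NT_STATUS_ACCESS_DENIED
[2007/04/23 15:44:08, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
  net_rpc_join_ok: failed to get schannel session key from server D2DMAIL for domain D2D. Error was NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```

On the sample, the `\NETLOGON` history shows a successful schannel bind followed by a denied open of the same pipe, which is the sequence the comment describes.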
Created attachment 2400 [details] latest debug log file
If you set "client schannel = no", does the join succeed ?
accidental reassign. Take it back.
Nope. I've tried setting both the client schannel and server schannel settings to no without any progress. I'm betting it is something on the Windows side since that is what changed. However, I don't know Windows Server at all and the Windows admin is at a loss as well. If anyone knows where I can get a pre-compiled version that includes ADS support on Solaris 2.9, I'd love to try it. Thank you.