Bug 4503 - "net rpc join" failure: WinServer 2003 SP2
Summary: "net rpc join" failure: WinServer 2003 SP2
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: net utility
Version: 3.0.24
Hardware: Sparc Windows XP
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2007-04-11 08:35 UTC by Kris D
Modified: 2024-01-06 01:50 UTC

Attachments
This is the output from the net join command. (208.92 KB, text/plain)
2007-04-11 08:37 UTC, Kris D
entire smb.conf (9.93 KB, text/plain)
2007-04-12 08:01 UTC, Kris D
latest debug log file (260.01 KB, text/plain)
2007-04-23 14:47 UTC, Kris D
Description Kris D 2007-04-11 08:35:34 UTC
Hi all,

My apologies for filing this bug report.  However, I'd done no less than 3 posts to the samba mail list with zero responses.

I have a log file from the failed attempts to use net join to connect the Solaris Samba server to the Windows domain I'm willing to share.  The PDC is a Win 2003 server that was recently upgraded to SP2.  Prior to this upgrade everything worked fine.

The samba version is 3.0.24 from sunfreeware.com and the smb.conf file is pretty basic:

security = domain
workgroup = <our domain name>
password server = *



I have even tried to set both the client schannel and server schannel options to no.  That doesn't seem to make a difference.


Now after the SP2 upgrade, when we do the net join command the error is:


> ./net rpc join -U administrator%password -d10
Could not initialise lsa pipe
[2007/04/06 16:21:56, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
  net_rpc_join_ok: failed to get schannel session key from server D2DMAIL for domain D2D. Error was NT_STATUS_ACCESS_DENIED
Unable to join domain D2D.

However, when looking through the debug log file, it is clear that some connection is made and proper handshaking is done.  In fact, there are no failure messages in the DC log files!
Comment 1 Kris D 2007-04-11 08:37:34 UTC
Created attachment 2376
This is the output from the net join command.  

The very first line in the file is the command used to join the domain.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2007-04-11 08:49:54 UTC
Just curious, why are you using security = domain rather than 
security = ads?
Comment 3 Gerald (Jerry) Carter (dead mail address) 2007-04-11 09:12:00 UTC
Kris, please attach your full smb.conf.  Thanks.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2007-04-11 12:25:08 UTC
Out of 3 developers, none of us can repro this.
Comment 5 Kris D 2007-04-12 06:35:41 UTC
Hi all,

First let me thank everyone for investigating this!!! We really feel kind of stupid for not being able to figure this out since everything worked in December and January of this year.

I'm using security = domain because the binary on sunfreeware.com was not built with support for ads.  And, it worked prior to the SP2 upgrade.  I have heard from someone that has the same issues with the Small Business Edition of Win 2003 Server w/ SP2.  But, that is beside the point.

I was hoping there was something obvious in the debug output of the net join command that would translate into a different setting in the domain controller.    Although we have flipped every setting switch we could after reading various postings and such.

I'll log on again in about an hour from my work machine so that I can upload the smb.conf file.

Thank you so much!!!

Regards,
Kris
Comment 6 Jim McDonough 2007-04-12 06:54:32 UTC
I'd suggest cranking up the auditing on the windows side and see what shows up in the event log.
Comment 7 Kris D 2007-04-12 08:01:51 UTC
Created attachment 2383
entire smb.conf

The client and server schannel settings are commented out because they were not in our original smb.conf file when this all worked.  Adding them didn't help with the current situation.
Comment 8 Gerald (Jerry) Carter (dead mail address) 2007-04-22 17:48:15 UTC
Any difference in 3.0.25rc2 ?
Comment 9 Kris D 2007-04-23 08:32:48 UTC
Hi,

I've only ever used pre-compiled binaries either from sunfreeware.com or samba.org.  It will take me a bit to download and compile 3.0.25rc2 myself.  But, I will try this week.

Thanks!

- Kris
Comment 10 Kris D 2007-04-23 14:47:14 UTC
The net rpc join command still fails with 3.0.25rc2.  :-(  Here are some excerpts from the log file that are a bit confusing to me.  In the bit below it seems the schannel connection is successful . . .

[2007/04/23 15:44:08, 5] rpc_client/cli_pipe.c:check_bind_response(1701)
  check_bind_response: accepted!
[2007/04/23 15:44:08, 10] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel_with_key(2543)
  cli_rpc_pipe_open_schannel_with_key: opened pipe \NETLOGON to machine D2DMAIL for domain D2D and bound using schannel.
[2007/04/23 15:44:08, 10] libsmb/smb_signing.c:simple_packet_signature(283)
  simple_packet_signature: sequence number 50
[2007/04/23 15:44:08, 10] libsmb/smb_signing.c:client_sign_outgoing_message(349)
  client_sign_outgoing_message: sent SMB signature of
[2007/04/23 15:44:08, 10] lib/util.c:dump_data(2249)
  [000] 68 93 20 2E 7E D9 A7 CD                           h. .~??Í 
[2007/04/23 15:44:08, 10] libsmb/smb_signing.c:store_sequence_for_reply(68)
  store_sequence_for_reply: stored seq = 51 mid = 28
[2007/04/23 15:44:08, 6] libsmb/clientgen.c:write_socket(153)
  write_socket(4,45)
[2007/04/23 15:44:08, 6] libsmb/clientgen.c:write_socket(156)
  write_socket(4,45) wrote 45
[2007/04/23 15:44:08, 10] lib/util_sock.c:read_smb_length_return_keepalive(623)
  got smb length of 35



But here is where things fail, just a bit later on in the log file . . .

[2007/04/23 15:44:08, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2222)
  cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine D2DMAIL.  Error was NT_STATUS_ACCESS_DENIED
[2007/04/23 15:44:08, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
  net_rpc_join_ok: failed to get schannel session key from server D2DMAIL for domain D2D. Error was NT_STATUS_ACCESS_DENIED
[2007/04/23 15:44:08, 6] libsmb/clientgen.c:write_socket(153)
  write_socket(7,39)
[2007/04/23 15:44:08, 6] libsmb/clientgen.c:write_socket(156)
  write_socket(7,39) wrote 39
[2007/04/23 15:44:08, 10] lib/util_sock.c:read_smb_length_return_keepalive(623)
  got smb length of 35


A previous suggestion was to turn on other logging features of the PDC.  As the UNIX admin I don't know what to suggest to the Windows admin in this case.  Please provide additional information.

I'll attach the latest debug log file in a second.

Many thanks,
Kris
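
An added example (not part of the bug report and not Samba's own code): a small Python triage pass over the debug-log format quoted in comment 10, which lines up clean and refused opens of the same RPC pipe so the point where NT_STATUS_ACCESS_DENIED first appears stands out. The function names are hypothetical, and SAMPLE is a trimmed excerpt of the log lines quoted in that comment, including the entry whose message shares the header line.

```python
import re
# Samba 3.0 debug entry header: "[date time, level] file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>[^:\s]+):(?P<func>\w+)\((?P<lineno>\d+)\)\s*(?P<msg>.*?)\s*$")
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")
PIPE = re.compile(r"pipe (\\\w+)")

# Trimmed excerpt of the lines quoted in comment 10 (not the full attachment)
SAMPLE = r"""[2007/04/23 15:44:08, 10] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel_with_key(2543)
  cli_rpc_pipe_open_schannel_with_key: opened pipe \NETLOGON to machine D2DMAIL for domain D2D and bound using schannel.
[2007/04/23 15:44:08, 10] libsmb/smb_signing.c:client_sign_outgoing_message(349)  client_sign_outgoing_message: sent SMB signature of
[2007/04/23 15:44:08, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2222)
  cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine D2DMAIL.  Error was NT_STATUS_ACCESS_DENIED
[2007/04/23 15:44:08, 0] utils/net_rpc_join.c:net_rpc_join_ok(70)
  net_rpc_join_ok: failed to get schannel session key from server D2DMAIL for domain D2D. Error was NT_STATUS_ACCESS_DENIED"""

def parse_entries(text):
    """Attach each indented message line to the header that precedes it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            e = m.groupdict()          # msg may already sit on the header line
            e["level"] = int(e["level"])
            entries.append(e)
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def pipe_timeline(entries):
    """(function, pipe, status) for every entry that names an RPC pipe."""
    out = []
    for e in entries:
        p = PIPE.search(e["msg"])
        if p:
            s = NT_STATUS.search(e["msg"])
            out.append((e["func"], p.group(1), s.group(0) if s else None))
    return out

def denied_after_open(timeline):
    """Pipes that were opened cleanly and later refused with an NT_STATUS."""
    opened, hits = set(), []
    for func, pipe, status in timeline:
        if status is None:
            opened.add(pipe)
        elif pipe in opened:
            hits.append((pipe, func, status))
    return hits
```

Calling `denied_after_open(pipe_timeline(parse_entries(text)))` on a full `-d10` log lists each pipe that was bound successfully and then refused, together with the function that reported the refusal.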
Comment 11 Kris D 2007-04-23 14:47:48 UTC
Created attachment 2400
latest debug log file
Comment 12 Gerald (Jerry) Carter (dead mail address) 2007-05-18 11:52:10 UTC
If you set "client schannel = no", does the join succeed ?
Comment 13 Gerald (Jerry) Carter (dead mail address) 2007-05-18 11:52:28 UTC
accidental reassign.  Take it back.
Comment 14 Kris D 2007-05-25 07:53:46 UTC
Nope.  I've tried setting both the client schannel and server schannel settings to no without any progress.  I'm betting it is something on the Windows side since that is what changed.  However, I don't know Windows Server at all and the Windows admin is at a loss as well.

If anyone knows where I can get a pre-compiled version that includes ADS support on Solaris 2.9, I'd love to try it.

Thank you.