Bug 4879 - Samba not joining longhorn server in security = DOMAIN
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: net utility
Version: 3.0.25b
Hardware: x86 Other
Importance: P3 critical
Target Milestone: none
Assignee: Jim McDonough
QA Contact: Samba QA Contact
Reported: 2007-08-14 05:44 UTC by gomathi
Modified: 2011-07-17 18:21 UTC

Attachments
used smb.conf (200 bytes, text/plain)
2007-12-18 08:47 UTC, Magnus Mertens
network sniff (19.27 KB, application/octet-stream)
2007-12-18 08:48 UTC, Magnus Mertens
debug level 10 output of net rpc join (339.79 KB, text/plain)
2007-12-18 08:49 UTC, Magnus Mertens
sniff: domain join windows nt 4.0 sp6 workstation (18.01 KB, application/octet-stream)
2007-12-19 07:56 UTC, Magnus Mertens
sniff: tried to logon with a domain user from win nt 4 sp6 (5.22 KB, application/octet-stream)
2007-12-19 08:02 UTC, Magnus Mertens

Description gomathi 2007-08-14 05:44:37 UTC
Hi

We have been trying with Samba 3.0.14a as well as 3.0.25b to join a Longhorn server (latest version - June CTP Longhorn version). We have configured smb.conf with security = DOMAIN and we were not able to join Longhorn.
We have also tried with Samba 3.0.25b, where we got the same result.


Here are the smb.conf parameters used for Domain join

[global]
unix charset = LOCALE
workgroup = LONGHORN2	
netbios name = Samba3025
encrypt passwords = yes
server string = Samba 3...
security = DOMAIN
password server = 172.168.7.77
#auth methods = ntdomain
username map = /etc/samba/smbusers
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
Printcap name = CUPS
local master = no
stat cache = no
kernel oplocks = no
oplocks = no
level2 oplocks = no
default devmode = yes
printing = cups
map to guest = Never
use spnego = yes
client use spnego = No
server signing = Auto
client signing = Auto

[SambaShare]
        comment = SambaShare
        path = /home/SambaShare
        writable = yes
        printable = no
        create mask = 0777
        guest ok = yes
        guest only = yes
        posix locking = no
        oplocks = no
        level2 oplocks = no
        admin users = Administrator

We are able to join a 2K server with both Samba 3.0.14a and 3.0.25b.
Kindly help us with the reason for the failure to join the Longhorn domain.
Comment 1 gomathi 2007-08-16 04:44:28 UTC
Hi,
Is there any special conf parameter to be added for Samba joining a Longhorn server? In Longhorn, NTLMv2 is the default security level... Are there any issues with this security level?
Kindly tell us whether anything is missing in the mentioned smb.conf parameter values for joining Samba to a Longhorn server with security = DOMAIN.
Comment 2 Magnus Mertens 2007-12-18 08:46:48 UTC
I've the same problem here with Samba 3.0.28 and 3.2-test. Trying to join Windows 2008 Standard Edition RC1 leads to the interesting error "NT_STATUS_DOWNGRADE_DETECTED" after entering the administrator credentials. 

Setup with Samba on Debian Sarge and a new Windows Server 2008 RC1 installation.

I've added the output of "net rpc join", the smb.conf and a network sniff.
Comment 3 Magnus Mertens 2007-12-18 08:47:40 UTC
Created attachment 3051
used smb.conf
Comment 4 Magnus Mertens 2007-12-18 08:48:48 UTC
Created attachment 3052
network sniff
Comment 5 Magnus Mertens 2007-12-18 08:49:21 UTC
Created attachment 3053
debug level 10 output of net rpc join
Comment 6 Magnus Mertens 2007-12-19 07:56:54 UTC
Created attachment 3055
sniff: domain join windows nt 4.0 sp6 workstation

Tried to join the win2008 AD from Windows NT 4.0 SP6 Workstation with success, but the domain user cannot log in (sniff follows).
Comment 7 Magnus Mertens 2007-12-19 08:02:24 UTC
Created attachment 3056
sniff: tried to logon with a domain user from win nt 4 sp6

After the successful domain join and rebooting the Win NT 4.0 client I tried to log in with a domain user. This times out and the message appears that the DC is not available...
Comment 8 Volker Lendecke 2007-12-19 11:35:35 UTC
Okay, thanks for those sniffs. NT4 and Samba stumble over the same thing: The Auth2 call gives this new error message. NT4 does not try this before the login attempt. I wonder if there's some security setting in 2008 server that allows "downlevel" domain connects. Furthermore, would 2008 allow our SamLogon (i.e. wbinfo -a) if we are joined as "security=ads"?

Volker
Comment 9 Björn Jacke 2011-07-17 18:21:23 UTC
Recent Samba versions can work as domain members. Closing as fixed.