Bug 5749 - Join to a domain upgraded from NT4 failed
Status: RESOLVED FIXED
Product: Samba 3.2
Classification: Unclassified
Component: Domain Control
Version: 3.2.2
Hardware: x86 Linux
Importance: P3 major
Assigned To: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2008-09-10 16:20 UTC by James Ding
Modified: 2009-06-19 04:12 UTC
Description James Ding 2008-09-10 16:20:25 UTC
In a domain which was upgraded from NT4, trying the CLI command
'/opt/samba/bin/net ads join -U administrator%PASSWORD -s /tmp/anysmb.conf'

will fail with the following message:

[2008/09/10 17:15:16,  0] libnet/libnet_join.c:libnet_join_ok(1035)
  libnet_join_ok: failed to get schannel session key from server XXXX for domain XXXX.XXXT. Error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
Failed to join domain: failed to verify domain membership after joining: No trusted SAM account


Here is the fix:
Differences ...

==== //depot/main/swa/projects/eradicator/proxy-apps/samba-3.2.2/source/libnet/libnet_join.c#4 (text) ====

@@ -791,7 +791,7 @@
 
                /* Don't try to set any acct_flags flags other than ACB_WSTRUST */
 
-               DEBUG(10,("Creating account with desired access mask: %d\n",
+               DEBUG(10,("Creating account with desired access mask: %08x\n",
                        access_desired));
 
                status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
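
Review bot: The new DEBUG format prints access_desired as bare hex (%08x) with no 0x prefix, so a value such as 00000010 is ambiguous when read in a level 10 log; use 0x%08x instead. The declaration of access_desired is not in the visible context, so confirm it is an unsigned 32-bit type to match the %x conversion. This logging change is also independent of the join fix and would be easier to backport as its own commit.
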
@@ -937,6 +937,24 @@
                goto done;
        }
 
+       /* Why do we have to try to (re-)set the ACB to be the same as what
+          we passed in the samr_create_dom_user() call?  When a NT
+          workstation is joined to a domain by an administrator the
+          acb_info is set to 0x80.  For a normal user with "Add
+          workstations to the domain" rights the acb_info is 0x84.  I'm
+          not sure whether it is supposed to make a difference or not.  NT
+          seems to cope with either value so don't bomb out if the set
+          userinfo2 level 0x10 fails.  -tpot */
+       ZERO_STRUCT(user_info.info16);
+       init_samr_user_info16(&user_info.info16, ACB_WSTRUST);
+
+       /* Ignoring the return value is necessary for joining a domain
+          as a normal user with "Add workstation to domain" privilege. */
+       rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
+                                &user_pol,
+                                16,
+                                &user_info);
+
        status = NT_STATUS_OK;
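
Review bot: The added rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx, &user_pol, 16, &user_info) call drops its NTSTATUS without any trace. The comment justifies not failing the join on error, but the report shows the join failing verification with NT_STATUS_NO_TRUST_SAM_ACCOUNT without this call, so an operator needs to see when setting ACB_WSTRUST did not succeed: capture the result and log it with nt_errstr() at a DEBUG level before status = NT_STATUS_OK overwrites it. The carried-over comment also still says "I'm not sure whether it is supposed to make a difference or not"; it should name the upgraded-from-NT4 case this bug reports.
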
Comment 1 Guenther Deschner 2008-09-10 17:32:03 UTC
Ok, this is interesting. You upgraded your NT4 box to what version of Windows?
Comment 2 James Ding 2008-09-10 18:54:22 UTC
(In reply to comment #1)
> Ok, this is interesting. You upgraded your NT4 box to what version of Windows?
> 


I upgraded from NT4 to WIN2K. BTW, the fix is from Samba 3.0.x. 

Comment 3 Guenther Deschner 2008-09-11 07:17:56 UTC
I tried very hard but cannot reproduce that. What I tried so far:

join NT4 SP6a, upgrade to W2K, rejoin with "net ads join" with administrator
join NT4 SP6a, upgrade to W2K, rejoin with "net ads join" with privileged user
upgrade NT4 SP6a to W2K, join with "net ads join" with administrator
upgrade NT4 SP6a to W2K, join with "net ads join" with privileged user
update W2K to SP4, both joins succeed

Can you give some more details (log level 10 from net), smb.conf, w2k service pack, etc. so that we can better understand how to reproduce this?
Comment 4 Guenther Deschner 2008-10-30 09:45:32 UTC
Ping, any news on this?
Comment 5 Guenther Deschner 2008-11-21 11:33:57 UTC
Ok, it seems that I always tested with w2k incl. all service packs; metze told me he has seen this for w2k WITHOUT any service packs.
Comment 6 Guenther Deschner 2008-11-28 17:20:50 UTC
Fix pushed as 
http://git.samba.org/?p=samba.git;a=commitdiff;h=28099876f9a39f56a54fd2540532309c0d1e2877

We will look at how to get this into the next Samba releases.
Comment 7 Guenther Deschner 2008-12-09 11:48:07 UTC
Fixed for 3.3 but not for the next 3.2 release yet.
Comment 8 Karolin Seeger 2009-05-13 04:34:52 UTC
Günther, so the patch should go into v3-2-test?
Comment 9 Guenther Deschner 2009-06-19 04:12:23 UTC
This fix has been pushed to 3-2-test and is at least part of 3.2.12.

Closing as fixed. Please reopen if still an issue.