The Samba-Bugzilla – Bug 5749
Join to a domain upgraded from NT4 failed
Last modified: 2009-06-19 04:12:23 UTC
In a domain which was upgraded from NT4,
running the CLI command
'/opt/samba/bin/net ads join -U administrator%PASSWORD -s /tmp/anysmb.conf'
will fail with the following message:
[2008/09/10 17:15:16, 0] libnet/libnet_join.c:libnet_join_ok(1035)
libnet_join_ok: failed to get schannel session key from server XXXX for domain XXXX.XXXT. Error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
Failed to join domain: failed to verify domain membership after joining: No trusted SAM account
Here is the fix:
==== //depot/main/swa/projects/eradicator/proxy-apps/samba-3.2.2/source/libnet/libnet_join.c#4 (text) ====
@@ -791,7 +791,7 @@
/* Don't try to set any acct_flags flags other than ACB_WSTRUST */
- DEBUG(10,("Creating account with desired access mask: %d\n",
+ DEBUG(10,("Creating account with desired access mask: %08x\n",
status = rpccli_samr_CreateUser2(pipe_hnd, mem_ctx,
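Review bot: the new "%08x" conversion in the DEBUG call expects an unsigned int, and the argument line is not visible in this hunk, so confirm that the access-mask value passed there is an unsigned 32-bit type (or cast it) so that format and argument agree. Consider "0x%08x" as well, so the value is unambiguous as hex when it is read next to decimal values elsewhere in a level 10 log.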
@@ -937,6 +937,24 @@
+ /* Why do we have to try to (re-)set the ACB to be the same as what
+ we passed in the samr_create_dom_user() call? When a NT
+ workstation is joined to a domain by an administrator the
+ acb_info is set to 0x80. For a normal user with "Add
+ workstations to the domain" rights the acb_info is 0x84. I'm
+ not sure whether it is supposed to make a difference or not. NT
+ seems to cope with either value so don't bomb out if the set
+ userinfo2 level 0x10 fails. -tpot */
+ init_samr_user_info16(&user_info.info16, ACB_WSTRUST);
+ /* Ignoring the return value is necessary for joining a domain
+ as a normal user with "Add workstation to domain" privilege. */
+ rpccli_samr_SetUserInfo2(pipe_hnd, mem_ctx,
status = NT_STATUS_OK;
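Review bot: the result of rpccli_samr_SetUserInfo2() is dropped without a trace, so a join where resetting the account to ACB_WSTRUST failed looks the same in the logs as one where it succeeded. Since the reported symptom is NT_STATUS_NO_TRUST_SAM_ACCOUNT at the verification step, keep the result in a separate variable and print it in a DEBUG message before continuing, instead of discarding it. The added comment also names samr_create_dom_user(), while the create call visible in this file is rpccli_samr_CreateUser2(); update the name so the comment matches the code it sits in.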
Ok, this is interesting. You upgraded your NT4 box to what version of Windows?
(In reply to comment #1)
> Ok, this is interesting. You upgraded your NT4 box to what version of Windows?
I upgraded from NT4 to WIN2K. BTW, the fix is from Samba 3.0.x.
I tried very hard but cannot reproduce that, what I tried so far:
join NT4 SP6a, upgrade to W2K, rejoin with "net ads join" with administrator
join NT4 SP6a, upgrade to W2K, rejoin with "net ads join" with privileged user
upgrade NT4 SP6a to W2K, join with "net ads join" with administrator
upgrade NT4 SP6a to W2K, join with "net ads join" with privileged user
update W2K to SP4, both joins succeed
Can you give some more details (log level 10 from net), smb.conf, w2k service pack, etc. so that we can better understand how to reproduce this?
Ping, any news on this?
Ok, it seems that I always tested with w2k incl. all service packs, metze told me he has seen this for w2k WITHOUT any service packs.
Fix pushed as
We will look at how to get this into the next Samba releases.
Fixed for 3.3 but not for the next 3.2 release yet.
Günther, so the patch should go into v3-2-test?
This fix has been pushed to 3-2-test and is at least part of 3.2.12.
Closing as fixed. Please reopen if still an issue.