Bug 5920 - NetApp fails to join domain under 3.2.4
Summary: NetApp fails to join domain under 3.2.4
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.2
Classification: Unclassified
Component: Domain Control
Version: 3.2.4
Hardware: Other Other
Importance: P3 normal
Target Milestone: ---
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2008-11-25 04:06 UTC by Rob
Modified: 2009-02-16 07:06 UTC

Attachments
fix response of _netr_ServerPasswordSet (582 bytes, patch)
2009-02-16 01:38 UTC, Yasuma Takeda
Description Rob 2008-11-25 04:06:15 UTC
Trying to join a NetApp2020 (7.2.5.1) to a Samba 3.2.4 PDC with an LDAP backend fails with the following error in log.smbd

 _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client COMPUTER machine account COMPUTER$

It fails every time no matter if the machine account is first created by hand or not. Reverting back to 3.0.30 the NetApp joins without any problems.

Going forward again to 3.2.4 after having copied the *.tdb files from the 3.0.30 release seems to work, at least for now.
A password challenge between the NetApp and the PDC has not happened yet so I don't know if it still works after that.

Cheers
Rob
Comment 1 Yasuma Takeda 2009-02-16 01:36:42 UTC
I found a problem in Samba 3.2.8.
When a member server tries to join Samba 3.2.8 (PDC) using "net rpc oldjoin", it fails.

1. I add a machine account on the PDC.
   # smbldap-useradd -w host1
   # pdbedit -a -m host1$
2. I try to join with "net rpc oldjoin" on another machine.

I got these debug messages on the PDC.

[2009/02/20 09:34:34,  5] libsmb/credentials.c:creds_step(171)
        SERVER      D02BE47EB59E21B4

[2009/02/20 09:34:35,  3] smbd/sec_ctx.c:pop_sec_ctx(432)
  pop_sec_ctx (999, 514) - sec_ctx_stack_ndx = 0
      netr_ServerPasswordSet: struct netr_ServerPasswordSet
          out: struct netr_ServerPasswordSet
              return_authenticator     : *
                  return_authenticator: struct netr_Authenticator
                      cred: struct netr_Credential
                          data                     : d02be47e00000000
                      timestamp                : (time_t)0
              result                   : NT_STATUS_OK

[2009/02/20 09:34:35, 10] lib/util.c:dump_data(2235)
  [000] 00 05 00 02 03 10 00 00  00 28 00 00 00 08 00 00  ........ .(......
  [010] 00 10 00 00 00 00 00 00  00 D0 2B E4 7E 00 00 00  ........ ..+.~...
  [020] 00 00 00 00 00 00 00 00  00                       ........ .

"D02BE47EB59E21B4" is the input from the client, but the response is changed to "d02be47e00000000".
This is a reason why "net rpc oldjoin" fails.

My patch fixes this problem. I think NetApp uses the same mechanism as "net rpc oldjoin".

source/rpc_server/srv_netlog_nt.c

This is the wrong place.
        memcpy(r->out.return_authenticator, &cred_out,
               sizeof(r->out.return_authenticator));

"sizeof(r->out.return_authenticator)" is 4 on x86, because it is a pointer.
It should be "sizeof(struct net_Authenticator)".

struct netr_ServerPasswordSet {
	struct {
		const char *server_name;/* [unique,charset(UTF16)] */
		const char *account_name;/* [charset(UTF16)] */
		enum netr_SchannelType secure_channel_type;
		const char *computer_name;/* [charset(UTF16)] */
		struct netr_Authenticator *credential;/* [ref] */
		struct samr_Password *new_password;/* [ref] */
	} in;

	struct {
		struct netr_Authenticator *return_authenticator;/* [ref] */
		NTSTATUS result;
	} out;
};
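
The truncation described in comment 1, reproduced as an added example (not Samba's code and not the attached patch). The struct layouts are simplified stand-ins, the timestamp value is constructed, and copy_buggy, copy_fixed and intact_bytes are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins (assumed layout); timestamp is time_t in the dump. */
struct netr_Credential { uint8_t data[8]; };
struct netr_Authenticator { struct netr_Credential cred; uint32_t timestamp; };
typedef size_t (*copy_fn)(struct netr_Authenticator *, const struct netr_Authenticator *);

/* Reported pattern: sizeof applied to the pointer, not the object it points to. */
static size_t copy_buggy(struct netr_Authenticator *out, const struct netr_Authenticator *src)
{
	size_t n = sizeof(out);		/* size of a pointer: 4 or 8 */
	memcpy(out, src, n);
	return n;
}

/* Size taken from the pointee, so it follows the struct definition. */
static size_t copy_fixed(struct netr_Authenticator *out, const struct netr_Authenticator *src)
{
	size_t n = sizeof(*out);	/* size of the whole authenticator */
	memcpy(out, src, n);
	return n;
}

/* Client credential from the log above; the timestamp is a constructed value. */
static const struct netr_Authenticator SAMPLE = {
	{ { 0xD0, 0x2B, 0xE4, 0x7E, 0xB5, 0x9E, 0x21, 0xB4 } }, 0x499F5C0Au
};

/* Leading bytes of a zeroed reply that match SAMPLE after the copy. */
static size_t intact_bytes(copy_fn copy)
{
	struct netr_Authenticator reply;
	const uint8_t *a = (const uint8_t *)&reply, *b = (const uint8_t *)&SAMPLE;
	size_t i = 0;
	memset(&reply, 0, sizeof(reply));
	copy(&reply, &SAMPLE);
	while (i < sizeof(reply) && a[i] == b[i])
		i++;
	return i;
}

int main(void)
{
	printf("buggy: %zu of %zu bytes intact\n", intact_bytes(copy_buggy), sizeof(SAMPLE));
	printf("fixed: %zu of %zu bytes intact\n", intact_bytes(copy_fixed), sizeof(SAMPLE));
	return 0;
}
```

With 4-byte pointers the buggy copy leaves 4 intact bytes, which matches the d02be47e00000000 reply in the log. GCC and Clang report the direct form memcpy(dst, src, sizeof(dst)) under -Wsizeof-pointer-memaccess.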
Comment 2 Yasuma Takeda 2009-02-16 01:38:12 UTC
Created attachment 3940
fix response of _netr_ServerPasswordSet
Comment 3 Volker Lendecke 2009-02-16 07:06:23 UTC
Great catch! I've checked a slightly different form of that patch into all branches.

Thanks!

Volker