Bug 6589 - samba 3.0.34 fails to access shares against windows 2003 sp2
Summary: samba 3.0.34 fails to access shares against windows 2003 sp2
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services (show other bugs)
Version: 3.0.34
Hardware: Sparc Solaris
: P3 normal
Target Milestone: none
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-29 14:37 UTC by dev_k
Modified: 2010-02-21 06:42 UTC (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description dev_k 2009-07-29 14:37:58 UTC 
I was able to join using 3.0.34. However when accessing the share, I still get the same issue.
Restrict anonymous login setting is enabled on the domain controller(Windows 2003 sp2).

Log file

[2009/07/29 15:13:09, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2223)
   103    cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine <xxxxx>
.  Error was NT_STATUS_ACCESS_DENIED
   104  [2009/07/29 15:13:09, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
   105    cli_rpc_pipe_open_schannel: failed to get schannel session key from server <xxxxx> for domain <xxxxxx>.
   106  [2009/07/29 15:13:09, 0] auth/auth_domain.c:connect_to_domain_password_server(119
)
   107    connect_to_domain_password_server: unable to open the domain client session to
machine <xxxxx>. Error was : NT_STATUS_ACCESS_DENIED.
   108  [2009/07/29 15:13:09, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2223)
   109    cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine HE3NTVD115
.  Error was NT_STATUS_ACCESS_DENIED
   110  [2009/07/29 15:13:09, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
   111    cli_rpc_pipe_open_schannel: failed to get schannel session key from server <xxxxx> for domain <xxxxx>.
   112  [2009/07/29 15:13:09, 0] auth/auth_domain.c:connect_to_domain_password_server(119
)
   113    connect_to_domain_password_server: unable to open the domain client session to
machine <xxxxx>. Error was : NT_STATUS_ACCESS_DENIED.
   114  [2009/07/29 15:13:09, 1] rpc_client/cli_pipe.c:cli_rpc_pipe_open(2223)
   115    cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine <xxxx>
.  Error was NT_STATUS_ACCESS_DENIED
   116  [2009/07/29 15:13:09, 0] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2641)
   117    cli_rpc_pipe_open_schannel: failed to get schannel session key from server <xxxx> for domain <xxxx>.
   118  [2009/07/29 15:13:09, 0] auth/auth_domain.c:connect_to_domain_password_server(119
)
   119    connect_to_domain_password_server: unable to open the domain client session to
machine <xxxx>. Error was : NT_STATUS_ACCESS_DENIED.
   120  [2009/07/29 15:13:09, 0] auth/auth_domain.c:domain_client_validate(220)
   121    domain_client_validate: Domain password server not available.


+++ This bug was initially created as a clone of Bug #4771 +++

We have identified a problem joining samba to a windows 2003 rc2 domain.
Using mit kerberos 1.5, and the latest version of samba (3.0.25b), net join
ads would throw up the error:

cli_rpc_pipe_open: cli_nt_create failed on pipe \NETLOGON to machine
domaincontroller.mynet.mydomain.com.  Error was NT_STATUS_ACCESS_DENIED
net_rpc_join_ok: failed to get schannel session key from server
domaincontroller.mynet.mydomain.com for domain mynet. Error was
NT_STATUS_ACCESS_DENIED
Failed to verify membership in domain!
Failed to join domain: Success
return code = -1

A temporary workaround for this is to add "netlogon" to the group policy
under "named pipes that can be accessed anonymously".  this would seem to
suggest that samba cannot join a domain unless it is granted anonymous
access to the netlogon pipe.

Our windows admins dont want to permanently open this, so is there a way to
get samba net join to work correctly without having anonymous access to the
netlogon pipe?
Comment 1 Stefan Metzmacher 2010-02-21 06:42:54 UTC 
Samba 3.0.x is supported anymore.