Bug 8651 - Error emitted when joining domain when using LDAP backend
Summary: Error emitted when joining domain when using LDAP backend
Status: NEW
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.5.11
Hardware: x64 Linux
: P5 normal
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-12-07 17:45 UTC by Peter Matulis
Modified: 2011-12-21 16:06 UTC (History)
0 users

See Also:

Attachments
smb.conf (936 bytes, application/octet-stream)
2011-12-07 17:47 UTC, Peter Matulis 		no flags Details
slapd syslog (16.55 KB, application/octet-stream)
2011-12-07 17:48 UTC, Peter Matulis 		no flags Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Matulis 2011-12-07 17:45:57 UTC 
Using an LDAP backend to Samba when I issue the following command I get the resulting error:

$ sudo net rpc join -S TERRAN-PDC -U root%admin -I 10.153.107.212

Creation of workstation account failed
Unable to join domain TERRAN.

However, when looking within LDAP everything appeared to have worked:

cn: terran-member$
uid: terran-member$
uidNumber: 1040
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: account
entryUUID: 7ef7cefe-b53f-1030-88d8-5f7d69c1cef7
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20111207165147Z
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1323276707
sambaAcctFlags: [W          ]
sambaSID: S-1-5-21-2516236927-2434337245-2722475061-3080
sambaPrimaryGroupSID: S-1-5-21-2516236927-2434337245-2722475061-515
displayName: terran-member$
sambaDomainName: TERRAN
entryCSN: 20111207165147.499725Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20111207165147Z

The Samba log for this member machine gets the following appended during the operation:

[2011/12/07 10:26:10.261520,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2011/12/07 10:26:10.266872,  2] passdb/pdb_ldap.c:2446(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 513
[2011/12/07 10:26:10.280815,  0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation TERRAN-MEMBER$: no account in domain
[2011/12/07 10:26:10.280863,  0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate2: failed to get machine password for account TERRAN-MEMBER$: NT_STATUS_ACCESS_DENIED
[2011/12/07 10:26:10.283151,  0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
  get_md4pw: Workstation TERRAN-MEMBER$: no account in domain
[2011/12/07 10:26:10.283170,  0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate2: failed to get machine password for account TERRAN-MEMBER$: NT_STATUS_ACCESS_DENIED

I've attached the LDAP (slapd) log generated during the operation as well as the server's smb.conf file.
Comment 1 Peter Matulis 2011-12-07 17:47:10 UTC 
Created attachment 7165 [details]
smb.conf
Comment 2 Peter Matulis 2011-12-07 17:48:17 UTC 
Created attachment 7166 [details]
slapd syslog
Comment 3 Peter Matulis 2011-12-21 16:06:28 UTC 
I neglected to state that the weird thing about this is that *sometimes* the 'net rpc join' command will NOT return an error message.  Most of the time however the error message appears.