Bug 9069 - clients cannot join DC (ACCESS DENIED) on configuration that worked before
clients cannot join DC (ACCESS DENIED) on configuration that worked before
Status: NEW
Product: Samba 3.6
Classification: Unclassified
Component: Domain Control
3.6.6
All All
: P5 normal
: ---
Assigned To: Guenther Deschner
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-28 13:24 UTC by docker
Modified: 2012-08-06 09:14 UTC (History)
2 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description docker 2012-07-28 13:24:12 UTC
Hello,

There are Samba and OpenLDAP servers on FreeBSD. Configurations was not changed for several years and everything worked. From time to time software was updated of course. 

Now I need to join new computers (actually reinstalled), and Samba DC refuses to add them. It did not work with 3.6.5, then I updated it to 3.6.6 and result is the same.

These lines from log.smbd related to these issue:

-----------------------------------------------------------------------------
[2012/07/28 15:56:30.218624,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       netr_ServerAuthenticate: struct netr_ServerAuthenticate
          in: struct netr_ServerAuthenticate
              server_name              : *
                  server_name              : '\\LAB'
              account_name             : *
                  account_name             : 'ABC-10$'
              secure_channel_type      : SEC_CHAN_WKSTA (2)
              computer_name            : *
                  computer_name            : 'ABC-10'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : 1a70e6834f73ff70
[2012/07/28 15:56:30.218709,  0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client ABC-10
[2012/07/28 15:56:30.218724,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       netr_ServerAuthenticate: struct netr_ServerAuthenticate
          out: struct netr_ServerAuthenticate
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 0000000000000000
              result                   : NT_STATUS_ACCESS_DENIED
[2012/07/28 15:56:30.218789,  5] rpc_server/srv_pipe.c:1679(api_rpcTNP)
  api_rpcTNP: called \netlogon successfully
-----------------------------------------------------------------------------

and

-----------------------------------------------------------------------------
[2012/07/28 15:56:31.253490,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       samr_OpenDomain: struct samr_OpenDomain
          in: struct samr_OpenDomain
              connect_handle           : *
                  connect_handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 00000010-0000-0000-1350-7fe151630000
              access_mask              : 0x00000211 (529)
                     1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
                     0: SAMR_DOMAIN_ACCESS_SET_INFO_1
                     0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
                     0: SAMR_DOMAIN_ACCESS_SET_INFO_2
                     1: SAMR_DOMAIN_ACCESS_CREATE_USER
                     0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
                     0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
                     0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
                     0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
                     1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
                     0: SAMR_DOMAIN_ACCESS_SET_INFO_3
              sid                      : *
                  sid                      : S-1-5-21-610032424-962248149-385347502
[2012/07/28 15:56:31.253627,  4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
  Found policy hnd[0] [0000] 00 00 00 00 10 00 00 00   00 00 00 00 13 50 7F E1   ........ .....P..
  [0010] 51 63 00 00                                       Qc.. 
[2012/07/28 15:56:31.253672, 10] rpc_server/rpc_handles.c:410(_policy_handle_find)
  found handle of type struct samr_connect_info
[2012/07/28 15:56:31.253691,  4] rpc_server/srv_access_check.c:104(access_check_object)
  _samr_OpenDomain: access DENIED (requested: 0x00000211, granted: 0x00000010)
[2012/07/28 15:56:31.253707,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       samr_OpenDomain: struct samr_OpenDomain
          out: struct samr_OpenDomain
              domain_handle            : *
                  domain_handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 00000000-0000-0000-0000-000000000000
              result                   : NT_STATUS_ACCESS_DENIED
[2012/07/28 15:56:31.253762,  5] rpc_server/srv_pipe.c:1679(api_rpcTNP)
  api_rpcTNP: called \samr successfully
-----------------------------------------------------------------------------

Additional info: Samba DC allows computers to exit from the domain (and then they cannot join the domain), it also allows to access shares using domain administrator login and already joined computers work correctly.

This is smb.conf (I just renamed domain name, server name and removed interfaces addresses and host addresses):

[global]
    netbios name = LABSERVER
    workgroup = LAB
    server string = LABSERVER Samba Server
    interfaces = ...
    bind interfaces only = yes
    security = user
    os level = 255
    domain master = yes
    local master = yes
    preferred master = yes
    hosts allow = ...
    load printers = no
    printcap cache time = 0
    domain logons = yes
    ldap ssl = no
    passdb backend = ldapsam:ldapi:///
    ldap suffix = o=lab
    ldap user suffix = ou=users
    ldap group suffix = ou=groups
    ldap machine suffix = ou=users
    ldap admin dn = "cn=manager,o=lab"
    ldap delete dn = no
    ldap passwd sync = yes
    private dir = /usr/local/etc/samba

    guest account = guest
    max log size = 50000
    log level = 10

    follow symlinks = no

    unix charset = koi8-r
    dos charset = CP866

    socket options=SO_RCVBUF=131072 SO_SNDBUF=131072 TCP_NODELAY
    min receivefile size=16384
    use sendfile=true
    aio read size = 16384
    aio write size = 16384

[install]
    comment = Install
    path = /home/install
    read only = yes
    guest ok = yes

[netlogon]
    path = /usr/local/etc/samba.netlogon
    writeable = no
    guest ok = no
    browseable = no
    available = yes

[homes]
    browseable = no
    writeable = yes
    path = %H/.Windows/home

[profiles]
    browsable = no
    guest ok = yes
    writeable = yes
    path = %H/.Windows/profile

[share]
    comment = Share
    path = /home/edu/share
    writeable = yes
    guest ok = yes
    inherit permissions = yes
    force user = smbshare
    force group = smbshare

According to slapd logs I do not see any errors (also I tried to enable read/write access to LDAP base for everyone).
Comment 1 docker 2012-07-30 12:33:39 UTC
I managed to join computers to Samba DC again. All my users are kept in the LDAP database and since I keep backups of my LDAP database I can explain the situation.

There is the winadmin user, that belong to the wingroup group (this group GID is specified in winadmin's gidNumber field, this is a usual group) and also winadmin is listed in "cn=Domain Admins" (gidNumber=512) in memberUId field. I use this login name to join XP computers to DC. Such configuration worked before.

Now I changed winadmin's gidNumber to 512 ("cn=Domain Admins") and XP computers again can join DC.

[2012/07/30 15:24:23.105228,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       samr_OpenDomain: struct samr_OpenDomain
          in: struct samr_OpenDomain
              connect_handle           : *
                  connect_handle: struct policy_handle
                      handle_type              : 0x00000000 (0)
                      uuid                     : 0000000e-0000-0000-1650-f77cc8760100
              access_mask              : 0x00000211 (529)
                     1: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_1
                     0: SAMR_DOMAIN_ACCESS_SET_INFO_1
                     0: SAMR_DOMAIN_ACCESS_LOOKUP_INFO_2
                     0: SAMR_DOMAIN_ACCESS_SET_INFO_2
                     1: SAMR_DOMAIN_ACCESS_CREATE_USER
                     0: SAMR_DOMAIN_ACCESS_CREATE_GROUP
                     0: SAMR_DOMAIN_ACCESS_CREATE_ALIAS
                     0: SAMR_DOMAIN_ACCESS_LOOKUP_ALIAS
                     0: SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS
                     1: SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT
                     0: SAMR_DOMAIN_ACCESS_SET_INFO_3
              sid                      : *
                  sid                      : S-1-5-21-610032424-962248149-385347502
[2012/07/30 15:24:23.105401,  4] rpc_server/rpc_handles.c:232(find_policy_by_hnd_internal)
  Found policy hnd[0] [0000] 00 00 00 00 0E 00 00 00   00 00 00 00 16 50 F7 7C   ........ .....P.|
  [0010] C8 76 01 00                                       .v.. 
[2012/07/30 15:24:23.105457, 10] rpc_server/rpc_handles.c:410(_policy_handle_find)
  found handle of type struct samr_connect_info
[2012/07/30 15:24:23.105477,  4] rpc_server/srv_access_check.c:104(access_check_object)
  _samr_OpenDomain: access GRANTED (requested: 0x00000211, granted: 0x00000211)

Can somebody comment this?
Comment 2 Andreas Schneider 2012-07-30 13:00:24 UTC
In the description I guess there was already an ACCESS_DENIED earlier but the client ignored it.
Comment 3 docker 2012-07-30 14:33:09 UTC
Looks like that
Comment 4 docker 2012-07-30 14:53:48 UTC
(In reply to comment #2)
> In the description I guess there was already an ACCESS_DENIED earlier but the
> client ignored it.

That log messages were from Samba 3.6.6 and clients that could not join the domain, so I'm not sure which clients ignored ACCESS_DENIED.

I updated the title of this bug report, since previously "net rpc join ..." also did not work, now I can join the domain from another FreeBSD system using this command as well.

Looks like that starting from some Samba version the login name used on a client computer to join the domain should have GID 512 in its gidNumber field in the LDAP database. Previously it was enough to add such user to group with GID 512 ("cn=Domain Admins" in LDAP).
Comment 5 Andreas Schneider 2012-07-30 15:29:55 UTC
We need more details from the log. The two snippets you posted aren't enough to understand the problem.

The first question is why there is no challenge sent and the reason is probably in the lines above the first snippet.

The second is that the user doesn't have enough rights to join the domain. As you didn't post any information about the user here, we don't see the user token with the sids we don't know what's really going on.

Here is a howto of information we normally need to be able to understand a problem.

SAMBA BUG REPORTING
++++++++++++++++++++

This is a small howto to help you to provide all information which are needed
to find out what's going on your machine. This is a general howto so maybe it
will cover more things you don't use.

Providing Samba log files
==========================

Post the output of 'rpm -qi samba' or 'rpm -qi samba-<subpackage>' if you're on
a RPM based system. It gives detailed information about the installed packages.
We need that information to reconstruct what happened and possibly to reproduce
the bug on our machines.

Provide all log files from '/var/log/samba/' directory and the tdb files from
'/var/lib/samba' and the configuration file '/etc/samba/smb.conf'.

If winbind for logging in is part of the problem please provide
'/etc/security/pam_winbind.conf' and if you have enabled debug in
'pam_winbind.conf' '/var/log/messages' or '/var/log/secure' is required too.

More detailed description about different Samba components can be found below
this section.

Providing backtraces
=====================

If you discover a crash in one of the Samba components, please make sure that
you have installed debuginfo packages. Often the backtrace can be found in the
log files. If you have installed debuginfo packages, you can find a short
backtrace in the log files and a few lines later the full backtrace. Make sure
you provide the full backtrace.

Testing daemons (winbind, smb, nmb)
====================================

1. Stop all running Samba processes (winbind, smb, nmb)

2. Remove all log files from /var/log/samba/

    With this approach we ensure to have the start date of the testing in the
    log files.

3. Edit /etc/samba/smb.conf and set the following variables in the in the
   [general] section of the config:

     debug level = 10
     debug pid = true
     max log size = 0

    Instead of setting a global debug level in smb.conf it's also visible to
    use

     smbcontrol <damon_name> debug 10

    to increase the debug level of the Samba daemon in question to 10 at run
    time.

    If winbind is part of the scenario edit /etc/security/pam_winbind.conf
    and set:

     debug = yes

4. Start the processes again (winbind, smb, nmb)

5. Reproduce the error and note the time when you start any test. If a problem
   occurs while testing note the time (use date on the system you perform the
   tests on to get a time fitting to the log files).

Attach the log files from '/var/log/samba/' and the tdb files from
'/var/lib/samba/' to the bug. If possible, remove the tdb files and provide clean
files. Therefore it's best to bond them to one compressed tar archive. The
relevant parts of '/var/log/messages' could be interesting too.

Network traces
===============

If possible create network traces with tcpdump or wireshark from the problem and
attach them too. Always make sure to capture only one problem per network trace
file. This makes it easier to understand the problem.

tcpdump -n -i eth0 -s 0 -w samba-problem-description.pcap

Network topology
=================

If you have a special network setup especially with Active Domain controllers
please describe how you're network looks like and what the domain names are.

Tell us which version of Windows you're using and which functional level of AD.
Comment 6 docker 2012-07-30 17:37:27 UTC
(In reply to comment #5)
> We need more details from the log. The two snippets you posted aren't enough to
> understand the problem.
> 
> The first question is why there is no challenge sent and the reason is probably
> in the lines above the first snippet.
> 

Ok, that log was removed, so I reproduce it (real domain, server and client names were changed, in previous message I incorrectly changed server_name to \\LAB, it should be \\LABSERVER):

-------------------------------------------------------------------
[2012/07/30 20:14:32.623695, 10] ../lib/util/util.c:415(dump_data)
  [0000] 00 5C 00 4E 00 45 00 54   00 4C 00 4F 00 47 00 4F   .\.N.E.T .L.O.G.O
  [0010] 00 4E 00 00 00                                    .N... 
[2012/07/30 20:14:32.623742,  3] smbd/process.c:1467(switch_message)
  switch message SMBntcreateX (pid 1956) conn 0x804808450
[2012/07/30 20:14:32.623758,  4] smbd/uid.c:351(change_to_user)
  Skipping user change - already user
[2012/07/30 20:14:32.623777, 10] smbd/nttrans.c:505(reply_ntcreate_and_X)
  reply_ntcreate_and_X: flags = 0x16, access_mask = 0x2019f file_attributes = 0x0, share_access = 0x3, create_disposition = 0x1 create_options = 0x400040 root_dir_fid = 0x0, fname = NETLOGON
[2012/07/30 20:14:32.623798,  4] smbd/nttrans.c:293(nt_open_pipe)
  nt_open_pipe: Opening pipe \NETLOGON.
[2012/07/30 20:14:32.623818,  5] smbd/files.c:140(file_new)
  allocated file structure 12415, fnum = 16511 (2 used)
[2012/07/30 20:14:32.623837, 10] smbd/files.c:705(file_name_hash)
  file_name_hash: /var/tmp/NETLOGON hash 0x171defb0
[2012/07/30 20:14:32.623858,  4] rpc_server/rpc_ncacn_np.c:132(make_internal_rpc_pipe_p)
  Create pipe requested \netlogon
[2012/07/30 20:14:32.623878, 10] rpc_server/rpc_handles.c:116(init_pipe_handles)
  init_pipe_handle_list: created handle list for pipe \netlogon
[2012/07/30 20:14:32.623894, 10] rpc_server/rpc_handles.c:133(init_pipe_handles)
  init_pipe_handle_list: pipe_handles ref count = 1 for pipe \netlogon
[2012/07/30 20:14:32.623918,  4] rpc_server/rpc_ncacn_np.c:176(make_internal_rpc_pipe_p)
  Created internal pipe \netlogon (pipes_open=0)
[2012/07/30 20:14:32.623935,  5] smbd/nttrans.c:382(do_ntcreate_pipe_open)
  do_ntcreate_pipe_open: open pipe = \NETLOGON
[2012/07/30 20:14:32.624172, 10] lib/util_sock.c:519(read_smb_length_return_keepalive)
  got smb length of 136
[2012/07/30 20:14:32.624193,  6] smbd/process.c:1660(process_smb)
  got message type 0x0 of len 0x88
[2012/07/30 20:14:32.624209,  3] smbd/process.c:1662(process_smb)
  Transaction 25 of length 140 (0 toread)
[2012/07/30 20:14:32.624224,  5] lib/util.c:332(show_msg)
[2012/07/30 20:14:32.624234,  5] lib/util.c:342(show_msg)
  size=136
  smb_com=0x2f
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51207
  smb_tid=1
  smb_pid=65279
  smb_uid=100
  smb_mid=1600
  smt_wct=14
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=57054 (0xDEDE)
  smb_vwv[ 2]=16511 (0x407F)
  smb_vwv[ 3]=    0 (0x0)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]=65535 (0xFFFF)
  smb_vwv[ 6]=65535 (0xFFFF)
  smb_vwv[ 7]=    8 (0x8)
  smb_vwv[ 8]=   72 (0x48)
  smb_vwv[ 9]=    0 (0x0)
  smb_vwv[10]=   72 (0x48)
  smb_vwv[11]=   64 (0x40)
  smb_vwv[12]=    0 (0x0)
  smb_vwv[13]=    0 (0x0)
  smb_bcc=73
[2012/07/30 20:14:32.624369, 10] ../lib/util/util.c:415(dump_data)
  [0000] EE 05 00 0B 03 10 00 00   00 48 00 00 00 01 00 00   ........ .H......
  [0010] 00 B8 10 B8 10 00 00 00   00 01 00 00 00 00 00 01   ........ ........
  [0020] 00 78 56 34 12 34 12 CD   AB EF 00 01 23 45 67 CF   .xV4.4.. ....#Eg.
  [0030] FB 01 00 00 00 04 5D 88   8A EB 1C C9 11 9F E8 08   ......]. ........
  [0040] 00 2B 10 48 60 02 00 00   00                       .+.H`... .
[2012/07/30 20:14:32.624480,  3] smbd/process.c:1467(switch_message)
  switch message SMBwriteX (pid 1956) conn 0x804808450
[2012/07/30 20:14:32.624496,  4] smbd/uid.c:351(change_to_user)
  Skipping user change - already user
[2012/07/30 20:14:32.624512,  6] smbd/pipes.c:300(reply_pipe_write_and_X)
  reply_pipe_write_and_X: 407f name: NETLOGON len: 72
[2012/07/30 20:14:32.624529,  6] rpc_server/srv_pipe_hnd.c:520(np_write_send)
  np_write_send: len: 72
[2012/07/30 20:14:32.624545, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 72
[2012/07/30 20:14:32.624560, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 72
[2012/07/30 20:14:32.624575, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header)
  fill_rpc_header: data_to_copy = 72, len_needed_to_complete_hdr = 16, receive_len = 0
[2012/07/30 20:14:32.624591, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 16
[2012/07/30 20:14:32.624606, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 56
[2012/07/30 20:14:32.624621, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 56
[2012/07/30 20:14:32.624637, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 0
[2012/07/30 20:14:32.624652, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 56
[2012/07/30 20:14:32.624667, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 56, incoming data = 56
[2012/07/30 20:14:32.624683, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu)
  PDU is in Little Endian format!
[2012/07/30 20:14:32.624701,  1] ../librpc/ndr/ndr.c:247(ndr_print_debug)
       r: struct ncacn_packet
          rpc_vers                 : 0x05 (5)
          rpc_vers_minor           : 0x00 (0)
          ptype                    : DCERPC_PKT_BIND (11)
          pfc_flags                : 0x03 (3)
          drep: ARRAY(4)
              [0]                      : 0x10 (16)
              [1]                      : 0x00 (0)
              [2]                      : 0x00 (0)
              [3]                      : 0x00 (0)
          frag_length              : 0x0048 (72)
          auth_length              : 0x0000 (0)
          call_id                  : 0x00000001 (1)
          u                        : union dcerpc_payload(case 11)
          bind: struct dcerpc_bind
              max_xmit_frag            : 0x10b8 (4280)
              max_recv_frag            : 0x10b8 (4280)
              assoc_group_id           : 0x00000000 (0)
              num_contexts             : 0x01 (1)
              ctx_list: ARRAY(1)
                  ctx_list: struct dcerpc_ctx_list
                      context_id               : 0x0000 (0)
                      num_transfer_syntaxes    : 0x01 (1)
                      abstract_syntax: struct ndr_syntax_id
                          uuid                     : 12345678-1234-abcd-ef00-01234567cffb
                          if_version               : 0x00000001 (1)
                      transfer_syntaxes: ARRAY(1)
                          transfer_syntaxes: struct ndr_syntax_id
                              uuid                     : 8a885d04-1ceb-11c9-9fe8-08002b104860
                              if_version               : 0x00000002 (2)
              auth_info                : DATA_BLOB length=0
[2012/07/30 20:14:32.624926, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu)
  Processing packet type 11
[2012/07/30 20:14:32.624942,  3] rpc_server/srv_pipe.c:889(api_pipe_bind_req)
  api_pipe_bind_req: \PIPE\netlogon -> \PIPE\netlogon
[2012/07/30 20:14:32.624959,  5] rpc_server/srv_pipe.c:923(api_pipe_bind_req)
  api_pipe_bind_req: make response. 923
[2012/07/30 20:14:32.624974,  3] rpc_server/srv_pipe.c:339(check_bind_req)
  check_bind_req for \netlogon
[2012/07/30 20:14:32.624990,  3] rpc_server/srv_pipe.c:346(check_bind_req)
  check_bind_req: \PIPE\netlogon -> \PIPE\netlogon
[2012/07/30 20:14:32.625011,  1] ../librpc/ndr/ndr.c:247(ndr_print_debug)
       &r: struct ncacn_packet
          rpc_vers                 : 0x05 (5)
          rpc_vers_minor           : 0x00 (0)
          ptype                    : DCERPC_PKT_BIND_ACK (12)
          pfc_flags                : 0x03 (3)
          drep: ARRAY(4)
              [0]                      : 0x10 (16)
              [1]                      : 0x00 (0)
              [2]                      : 0x00 (0)
              [3]                      : 0x00 (0)
          frag_length              : 0x0048 (72)
          auth_length              : 0x0000 (0)
          call_id                  : 0x00000001 (1)
          u                        : union dcerpc_payload(case 12)
          bind_ack: struct dcerpc_bind_ack
              max_xmit_frag            : 0x10b8 (4280)
              max_recv_frag            : 0x10b8 (4280)
              assoc_group_id           : 0x000053f0 (21488)
              secondary_address_size   : 0x000f (15)
              secondary_address        : '\PIPE\netlogon'
              _pad1                    : DATA_BLOB length=0
              num_results              : 0x01 (1)
              ctx_list: ARRAY(1)
                  ctx_list: struct dcerpc_ack_ctx
                      result                   : 0x0000 (0)
                      reason                   : 0x0000 (0)
                      syntax: struct ndr_syntax_id
                          uuid                     : 8a885d04-1ceb-11c9-9fe8-08002b104860
                          if_version               : 0x00000002 (2)
              auth_info                : DATA_BLOB length=0
[2012/07/30 20:14:32.625218, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 56
[2012/07/30 20:14:32.625238,  3] smbd/pipes.c:361(pipe_write_andx_done)
  writeX-IPC nwritten=72
[2012/07/30 20:14:32.625407, 10] lib/util_sock.c:519(read_smb_length_return_keepalive)
  got smb length of 59
[2012/07/30 20:14:32.625429,  6] smbd/process.c:1660(process_smb)
  got message type 0x0 of len 0x3b
[2012/07/30 20:14:32.625445,  3] smbd/process.c:1662(process_smb)
  Transaction 26 of length 63 (0 toread)
[2012/07/30 20:14:32.625460,  5] lib/util.c:332(show_msg)
[2012/07/30 20:14:32.625470,  5] lib/util.c:342(show_msg)
  size=59
  smb_com=0x2e
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51207
  smb_tid=1
  smb_pid=65279
  smb_uid=100
  smb_mid=1664
  smt_wct=12
  smb_vwv[ 0]=  255 (0xFF)
  smb_vwv[ 1]=57054 (0xDEDE)
  smb_vwv[ 2]=16511 (0x407F)
  smb_vwv[ 3]=    0 (0x0)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]= 1024 (0x400)
  smb_vwv[ 6]= 1024 (0x400)
  smb_vwv[ 7]=65535 (0xFFFF)
  smb_vwv[ 8]=65535 (0xFFFF)
  smb_vwv[ 9]= 1024 (0x400)
  smb_vwv[10]=    0 (0x0)
  smb_vwv[11]=    0 (0x0)
  smb_bcc=0
[2012/07/30 20:14:32.625590, 10] ../lib/util/util.c:415(dump_data)
[2012/07/30 20:14:32.625601,  3] smbd/process.c:1467(switch_message)
  switch message SMBreadX (pid 1956) conn 0x804808450
[2012/07/30 20:14:32.625617,  4] smbd/uid.c:351(change_to_user)
  Skipping user change - already user
[2012/07/30 20:14:32.625633,  6] rpc_server/srv_pipe_hnd.c:284(read_from_internal_pipe)
   name: \netlogon len: 1024
[2012/07/30 20:14:32.625650, 10] rpc_server/srv_pipe_hnd.c:325(read_from_internal_pipe)
  read_from_pipe: \netlogon: current_pdu_len = 72, current_pdu_sent = 0 returning 72 bytes.
[2012/07/30 20:14:32.625667,  3] rpc_server/srv_pipe_hnd.c:121(free_pipe_context)
  free_pipe_context: destroying talloc pool of size 27
[2012/07/30 20:14:32.625686, 10] rpc_server/srv_pipe_hnd.c:788(np_read_recv)
  Received 72 bytes. There is no more data outstanding
[2012/07/30 20:14:32.625702,  3] smbd/pipes.c:485(pipe_read_andx_done)
  readX-IPC min=1024 max=1024 nread=72
[2012/07/30 20:14:32.626313, 10] lib/util_sock.c:519(read_smb_length_return_keepalive)
  got smb length of 208
[2012/07/30 20:14:32.626338,  6] smbd/process.c:1660(process_smb)
  got message type 0x0 of len 0xd0
[2012/07/30 20:14:32.626355,  3] smbd/process.c:1662(process_smb)
  Transaction 27 of length 212 (0 toread)
[2012/07/30 20:14:32.626370,  5] lib/util.c:332(show_msg)
[2012/07/30 20:14:32.626381,  5] lib/util.c:342(show_msg)
  size=208
  smb_com=0x25
  smb_rcls=0
  smb_reh=0
  smb_err=0
  smb_flg=24
  smb_flg2=51207
  smb_tid=1
  smb_pid=892
  smb_uid=100
  smb_mid=1728
  smt_wct=16
  smb_vwv[ 0]=    0 (0x0)
  smb_vwv[ 1]=  124 (0x7C)
  smb_vwv[ 2]=    0 (0x0)
  smb_vwv[ 3]= 1024 (0x400)
  smb_vwv[ 4]=    0 (0x0)
  smb_vwv[ 5]=    0 (0x0)
  smb_vwv[ 6]=    0 (0x0)
  smb_vwv[ 7]=    0 (0x0)
  smb_vwv[ 8]=    0 (0x0)
  smb_vwv[ 9]=    0 (0x0)
  smb_vwv[10]=   84 (0x54)
  smb_vwv[11]=  124 (0x7C)
  smb_vwv[12]=   84 (0x54)
  smb_vwv[13]=    2 (0x2)
  smb_vwv[14]=   38 (0x26)
  smb_vwv[15]=16511 (0x407F)
  smb_bcc=141
[2012/07/30 20:14:32.626520, 10] ../lib/util/util.c:415(dump_data)
[2012/07/30 20:14:32.626716,  3] smbd/process.c:1467(switch_message)
  switch message SMBtrans (pid 1956) conn 0x804808450
[2012/07/30 20:14:32.626732,  4] smbd/uid.c:351(change_to_user)
  Skipping user change - already user
[2012/07/30 20:14:32.626749,  3] smbd/ipc.c:560(handle_trans)
  trans <\PIPE\> data=124 params=0 setup=2
[2012/07/30 20:14:32.626767,  5] smbd/ipc.c:593(handle_trans)
  calling named_pipe
[2012/07/30 20:14:32.626782,  3] smbd/ipc.c:511(named_pipe)
  named pipe command on <> name
[2012/07/30 20:14:32.626797,  5] smbd/ipc.c:434(api_fd_reply)
  api_fd_reply
[2012/07/30 20:14:32.626812,  3] smbd/ipc.c:475(api_fd_reply)
  Got API command 0x26 on pipe "NETLOGON" (pnum 407f)
[2012/07/30 20:14:32.626828, 10] smbd/ipc.c:477(api_fd_reply)
  api_fd_reply: p:0x804845910 max_trans_reply: 1024
[2012/07/30 20:14:32.626843,  6] rpc_server/srv_pipe_hnd.c:520(np_write_send)
  np_write_send: len: 124
[2012/07/30 20:14:32.626859, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 124
[2012/07/30 20:14:32.626874, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 0, pdu_needed_len = 0, incoming data = 124
[2012/07/30 20:14:32.626890, 10] rpc_server/srv_pipe_hnd.c:50(fill_rpc_header)
  fill_rpc_header: data_to_copy = 124, len_needed_to_complete_hdr = 16, receive_len = 0
[2012/07/30 20:14:32.626906, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 16
[2012/07/30 20:14:32.626921, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 108
[2012/07/30 20:14:32.626936, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 0, incoming data = 108
[2012/07/30 20:14:32.626952, 10] rpc_server/srv_pipe_hnd.c:247(write_to_internal_pipe)
  write_to_pipe: data_used = 0
[2012/07/30 20:14:32.626967, 10] rpc_server/srv_pipe_hnd.c:242(write_to_internal_pipe)
  write_to_pipe: data_left = 108
[2012/07/30 20:14:32.626982, 10] rpc_server/srv_pipe_hnd.c:138(process_incoming_data)
  process_incoming_data: Start: pdu.length = 16, pdu_needed_len = 108, incoming data = 108
[2012/07/30 20:14:32.626998, 10] rpc_server/srv_pipe.c:1877(process_complete_pdu)
  PDU is in Little Endian format!
[2012/07/30 20:14:32.627015,  1] ../librpc/ndr/ndr.c:247(ndr_print_debug)
       r: struct ncacn_packet
          rpc_vers                 : 0x05 (5)
          rpc_vers_minor           : 0x00 (0)
          ptype                    : DCERPC_PKT_REQUEST (0)
          pfc_flags                : 0x03 (3)
          drep: ARRAY(4)
              [0]                      : 0x10 (16)
              [1]                      : 0x00 (0)
              [2]                      : 0x00 (0)
              [3]                      : 0x00 (0)
          frag_length              : 0x007c (124)
          auth_length              : 0x0000 (0)
          call_id                  : 0x00000001 (1)
          u                        : union dcerpc_payload(case 0)
          request: struct dcerpc_request
              alloc_hint               : 0x00000064 (100)
              context_id               : 0x0000 (0)
              opnum                    : 0x0005 (5)
              object                   : union dcerpc_object(case 0)
              empty: struct dcerpc_empty
              _pad                     : DATA_BLOB length=0
              stub_and_verifier        : DATA_BLOB length=100
[2012/07/30 20:14:32.627380, 10] rpc_server/srv_pipe.c:1890(process_complete_pdu)
  Processing packet type 0
[2012/07/30 20:14:32.627395, 10] rpc_server/srv_pipe.c:1734(dcesrv_auth_request)
  Checking request auth.
[2012/07/30 20:14:32.627411,  5] rpc_server/srv_pipe.c:1571(api_pipe_request)
  Requested \PIPE\\netlogon
[2012/07/30 20:14:32.627427,  4] rpc_server/srv_pipe.c:1611(api_rpcTNP)
  api_rpcTNP: \netlogon op 0x5 - api_rpcTNP: rpc command: NETR_SERVERAUTHENTICATE
[2012/07/30 20:14:32.627444,  6] rpc_server/srv_pipe.c:1645(api_rpcTNP)
  api_rpc_cmds[5].fn == 0x12b59a0
[2012/07/30 20:14:32.627463,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       netr_ServerAuthenticate: struct netr_ServerAuthenticate
          in: struct netr_ServerAuthenticate
              server_name              : *
                  server_name              : '\\LABSERVER'
              account_name             : *
                  account_name             : 'ABC-10$'
              secure_channel_type      : SEC_CHAN_WKSTA (2)
              computer_name            : *
                  computer_name            : 'ABC-10'
              credentials              : *
                  credentials: struct netr_Credential
                      data                     : b135a86043435ad7
[2012/07/30 20:14:32.627556,  0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate: no challenge sent to client ABC-10
[2012/07/30 20:14:32.627572,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       netr_ServerAuthenticate: struct netr_ServerAuthenticate
          out: struct netr_ServerAuthenticate
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 0000000000000000
              result                   : NT_STATUS_ACCESS_DENIED
[2012/07/30 20:14:32.627624,  5] rpc_server/srv_pipe.c:1679(api_rpcTNP)
  api_rpcTNP: called \netlogon successfully
-------------------------------------------------------------------

> The second is that the user doesn't have enough rights to join the domain. As
> you didn't post any information about the user here, we don't see the user
> token with the sids we don't know what's really going on.

I use the winadmin user to join the domain.

This is data for winadmin I used before (now it does not work):

-------------------------------------------------------------------
dn: uid=winadmin,ou=users,o=lab
cn: winadmin
sn: winadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 1994
uid: winadmin
uidNumber: 1995
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomeDrive: Z:
sambaPrimaryGroupSID: S-1-5-21-610032424-962248149-385347502-512
sambaSID: S-1-5-21-610032424-962248149-385347502-4990
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: c1d6b6d4-01f9-102c-9adc-e9f7b20c961c
creatorsName: cn=manager,o=lab
createTimestamp: 20070928103146Z
sambaProfilePath: \\LABSERVER\profiles
sambaHomePath: \\LABSERVER\homes
homeDirectory: /home/edu/winadmin
sambaLMPassword: 38F3D7FF7B53984D8EB62CE4BD5331F5
sambaAcctFlags: [U]
sambaNTPassword: 45D8E9629F811BFE93E76C93F4A2810D
sambaPwdLastSet: 1227896575
sambaPwdMustChange: 2091896575
userPassword:: e1NTSEF9d2huV1RRYnFZblZTbGxaRzlwcHpXa3Vub1hadEx6a3c=
shadowLastChange: 14211
shadowMax: 10000
entryCSN: 20081128182256Z#000000#00#000000
modifiersName: cn=manager,o=lab
modifyTimestamp: 20081128182256Z

dn: cn=Domain Admins,ou=groups,o=lab
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: winadmin
description: Netbios Domain Administrators
sambaSID: S-1-5-21-610032424-962248149-385347502-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: c1dc9af4-01f9-102c-9ade-e9f7b20c961c
creatorsName: cn=manager,o=lab
createTimestamp: 20070928103146Z
entryCSN: 20070928103146Z#000003#00#000000
modifiersName: cn=manager,o=lab
modifyTimestamp: 20070928103146Z

dn: cn=wingroup,ou=groups,o=lab
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: wingroup
gidNumber: 1994
structuralObjectClass: posixGroup
entryUUID: b632961c-01fa-102c-9967-a1ca547b88c8
creatorsName: cn=manager,o=lab
createTimestamp: 20070928103836Z
sambaSID: S-1-5-21-610032424-962248149-385347502-4989
sambaGroupType: 2
displayName: wingroup
entryCSN: 20070928103836Z#000001#00#000000
modifiersName: cn=manager,o=lab
modifyTimestamp: 20070928103836Z
-------------------------------------------------------------------

This is data for winadmin I use now (only password was changed and group ID):

-------------------------------------------------------------------
dn: uid=winadmin,ou=users,o=lab
cn: winadmin
sn: winadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
uid: winadmin
uidNumber: 1995
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomeDrive: Z:
sambaPrimaryGroupSID: S-1-5-21-610032424-962248149-385347502-512
sambaSID: S-1-5-21-610032424-962248149-385347502-4990
loginShell: /bin/false
gecos: Netbios Domain Administrator
structuralObjectClass: inetOrgPerson
entryUUID: c1d6b6d4-01f9-102c-9adc-e9f7b20c961c
creatorsName: cn=manager,o=lab
createTimestamp: 20070928103146Z
sambaProfilePath: \\LABSERVER\profiles
sambaHomePath: \\LABSERVER\homes
homeDirectory: /home/edu/winadmin
sambaAcctFlags: [U]
sambaPwdMustChange: 2091896575
shadowLastChange: 14211
shadowMax: 10000
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
userPassword:: e1NTSEF9dFAwVXk5b1FGaGZZNVlnWElPa3NQUzZPNlBSNHNGV3U=
sambaNTPassword: FD4CBBD49F64593C332EE19ED863DFBC
sambaPwdLastSet: 1343643200
gidNumber: 512
entryCSN: 20120730120853Z#000000#00#000000
modifiersName: cn=manager,o=lab
modifyTimestamp: 20120730120853Z

dn: cn=Domain Admins,ou=groups,o=lab
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: winadmin
description: Netbios Domain Administrators
sambaSID: S-1-5-21-610032424-962248149-385347502-512
sambaGroupType: 2
displayName: Domain Admins
structuralObjectClass: posixGroup
entryUUID: c1dc9af4-01f9-102c-9ade-e9f7b20c961c
creatorsName: cn=manager,o=lab
createTimestamp: 20070928103146Z
entryCSN: 20070928103146Z#000003#00#000000
modifiersName: cn=manager,o=lab
modifyTimestamp: 20070928103146Z
-------------------------------------------------------------------

Now it everything works as before, but this require to change gidNumber for the winadmin user, before this was not needed.
Comment 7 Andreas Schneider 2012-08-03 07:29:46 UTC
To which group belonged the user "winadmin" before and how was it tight to "Domain Administrator" group. You're talking about a group named "wingroup" what kind of group is this?

What's the primary group of winadmin?
Comment 8 Andreas Schneider 2012-08-03 07:32:22 UTC
s/tight/tied/ :)
Comment 9 docker 2012-08-06 09:14:35 UTC
Before: user widadmin had primary group wingroup (just a group without any special privileges) and winadmin was listed in memberUid in "Domain Admins". This configuration works and winadmin login was used on XP to join computers to the domain.

Now: user winadmin had primary group "Domain Admins" and is not listed in any other group. And this configuration allows to use winadmin login on XP computers to join them to the domain.

I cannot tell starting from which version of Samba my previous configuration (used for several years) did not allow to join XP computers to the domain, I update Samba from time to time and has to re-join XP computers each year.