Hi! I did a new vampire on the NT4 and got the accounts. I get an error saying "Could not find unix group 513" even though I have that group after running smbldap-populate prior to vampire. This doesn't seem to affect the creation of machine accounts because the machine accounts are there when I do a search. The problem now seems to be that the credential challenge is failing. The error log in samba says (the part where I think it fails):

[2007/01/26 14:21:00, 10] passdb/pdb_get_set.c:pdb_set_user_sid(544)
  pdb_set_user_sid: setting user sid S-1-5-21-1776119392-1335896148-119103078-1812
[2007/01/26 14:21:00, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
  pdb_set_user_sid_from_rid: setting user sid S-1-5-21-1776119392-1335896148-119103078-1812 from rid 1812
[2007/01/26 14:21:00, 10] passdb/pdb_get_set.c:pdb_set_group_sid(580)
  pdb_set_group_sid: setting group sid S-1-5-21-1776119392-1335896148-119103078-513
[2007/01/26 14:21:00, 10] passdb/pdb_compat.c:pdb_set_group_sid_from_rid(100)
  pdb_set_group_sid_from_rid: setting group sid S-1-5-21-1776119392-1335896148-119103078-513 from rid 513
[2007/01/26 14:21:00, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1001, 513) - sec_ctx_stack_ndx = 0
[2007/01/26 14:21:00, 5] lib/util.c:dump_data(2053)
  [000] CB 97 46 42 57 0F 6D F6 24 BB F0 C9 64 AC EE A1 ..FBW.m. $...d...
[2007/01/26 14:21:00, 4] libsmb/credentials.c:cred_session_key(59)
  cred_session_key
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(61)
  clnt_chal: 70AC8820288ECF8D
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(62)
  srv_chal : 3CB84822EABF4CD9
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(63)
  clnt+srv : AC64D142124E1C67
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(64)
  sess_key : 52D509DB5E8010B2
[2007/01/26 14:21:00, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(92)
  sess_key : 52D509DB5E8010B2
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(93)
  stor_cred: 70AC8820288ECF8D
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(94)
  timestamp: 0
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(95)
  timecred : 70AC8820288ECF8D
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(96)
  calc_cred: 4C5A39005039ED3F
[2007/01/26 14:21:00, 4] libsmb/credentials.c:cred_assert(121)
  cred_assert
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(123)
  challenge : B6348D471E1F0113
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(124)
  calculated: 4C5A39005039ED3F
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(133)
  credentials check wrong

Any idea?

Thanks!
/Sermodi

2007/1/24, Andrew Bartlett <[EMAIL PROTECTED]>:
On Wed, 2007-01-24 at 17:09 +0100, sermodi wrote:
> Andrew Bartlett wrote:
> > On Tue, 2007-01-23 at 17:50 +0000, Cardon Denis wrote:
> >
> >> Hi sermodi,
> >>
> >>> I'm having a problem adding a W2K workstation to the domain samba+ldap.
> >>> I can add it by logging with the local administrator then add to domain,
> >>> but I would like to do it without doing it manually on every workstation.
> >>> Have hundreds of workstations, I tried to add them by using smbldap
> >>> scripts and I get an entry for the workstation but it still doesn't work.
> >>> Is it even possible to only add a trust account on the PDC or do I have
> >>> to do it from the windows client?
> >>>
> >> adding a workstation through the windows "join a domain" gui does some
> >> configuration change on the host computer. Modifying is not enough, in
> >> any case you'll have to do a few things on the windows box. However there
> >> are a few command line tools available from MS for joining a domain, so
> >> you can write a small script to add the boxes.
> >>
> >
> > There is an RPC to do this (wkssvc_NetrJoinDomain2), but we never spent
> > enough time to figure out the crypto. The 524 byte password buffer
> > looks like one of the existing uses of this kind of buffer (like SAMR),
> > but that didn't apparently work.
> >
> > Andrew Bartlett
> >
>
> Thanks for the reply.
> About the client modification, on an existing (by existing I mean a
> workstation that has been trusted previously on another PDC, a NT4) the
> client has already a password configured to the domain, the domain name
> is the same and a net vampire has been done on the NT4. So what is the
> difference between the challenge made to NT4 and the one made to the
> new samba PDC?

The whole purpose of the vampire process is that you should not have to rejoin machines. If you are forced to rejoin a machine when vampiring NT4, then it's a bug.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
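
An added example, not part of the original message and not Samba code: a small Python parser that pulls the credential values out of smbd debug output like the log above and reports whether the client's `challenge` matched the server's `calculated` value. It also checks that the logged `clnt+srv` value is the word-wise sum of the two challenges, an arithmetic relation inferred here from the values in this log; the function names are hypothetical.

```python
import re
import struct

# Excerpt of the smbd debug output quoted in the post above.
SAMPLE_LOG = """
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(61)
  clnt_chal: 70AC8820288ECF8D
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(62)
  srv_chal : 3CB84822EABF4CD9
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(63)
  clnt+srv : AC64D142124E1C67
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(123)
  challenge : B6348D471E1F0113
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(124)
  calculated: 4C5A39005039ED3F
"""

# Matches the labelled 8-byte hex values whether or not the log was line-wrapped.
FIELD_RE = re.compile(
    r"(clnt_chal|srv_chal|clnt\+srv|challenge|calculated)\s*:\s*([0-9A-Fa-f]{16})\b"
)

def add_halves(a: bytes, b: bytes) -> bytes:
    """Add two 8-byte values as pairs of little-endian 32-bit words (mod 2**32).
    Assumption: this relation is inferred from the values logged above."""
    a0, a1 = struct.unpack("<II", a)
    b0, b1 = struct.unpack("<II", b)
    return struct.pack("<II", (a0 + b0) & 0xFFFFFFFF, (a1 + b1) & 0xFFFFFFFF)

def check_exchanges(log_text: str) -> list:
    """Return one record per cred_assert comparison found in the log text."""
    results, cur = [], {}
    for name, hexval in FIELD_RE.findall(log_text):
        if name == "clnt_chal":          # a new exchange starts here
            cur = {}
        cur[name] = bytes.fromhex(hexval)
        if name == "calculated":         # last value logged before the verdict
            have_sum = all(k in cur for k in ("clnt_chal", "srv_chal", "clnt+srv"))
            results.append({
                "client_sent": cur.get("challenge", b"").hex().upper(),
                "server_calc": cur["calculated"].hex().upper(),
                "cred_ok": cur.get("challenge") == cur["calculated"],
                # None when the session-key lines are missing from the excerpt
                "sum_consistent": (add_halves(cur["clnt_chal"], cur["srv_chal"])
                                   == cur["clnt+srv"]) if have_sum else None,
            })
    return results

if __name__ == "__main__":
    for rec in check_exchanges(SAMPLE_LOG):
        print(rec)
```

A record with `sum_consistent` true and `cred_ok` false, as this log produces, means the challenge exchange itself was logged coherently and the disagreement arises later, in the values derived from the session key.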