Hi!
I did a new vampire on the NT4 and got the accounts. I get an error saying
"Could not find unix group 513" even though I have that group after running
smbldap-populate prior to vampire. This doesn't seem to affect the creation
of machine accounts, because the machine accounts are there when I do a search.
The problem now seems to be that the credential challenge is failing. The
error log in samba says
The part where I think it fails:
[2007/01/26 14:21:00, 10] passdb/pdb_get_set.c:pdb_set_user_sid(544)
pdb_set_user_sid: setting user sid S-1-5-21-1776119392-1335896148-119103078-1812
[2007/01/26 14:21:00, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
pdb_set_user_sid_from_rid:
setting user sid S-1-5-21-1776119392-1335896148-119103078-1812 from rid 1812
[2007/01/26 14:21:00, 10] passdb/pdb_get_set.c:pdb_set_group_sid(580)
pdb_set_group_sid: setting group sid S-1-5-21-1776119392-1335896148-119103078-513
[2007/01/26 14:21:00, 10] passdb/pdb_compat.c:pdb_set_group_sid_from_rid(100)
pdb_set_group_sid_from_rid:
setting group sid S-1-5-21-1776119392-1335896148-119103078-513 from rid 513
[2007/01/26 14:21:00, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
pop_sec_ctx (1001, 513) - sec_ctx_stack_ndx = 0
[2007/01/26 14:21:00, 5] lib/util.c:dump_data(2053)
[000] CB 97 46 42 57 0F 6D F6 24 BB F0 C9 64 AC EE A1 ..FBW.m. $...d...
[2007/01/26 14:21:00, 4] libsmb/credentials.c:cred_session_key(59)
cred_session_key
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(61)
clnt_chal: 70AC8820288ECF8D
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(62)
srv_chal : 3CB84822EABF4CD9
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(63)
clnt+srv : AC64D142124E1C67
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_session_key(64)
sess_key : 52D509DB5E8010B2
[2007/01/26 14:21:00, 4] libsmb/credentials.c:cred_create(90)
cred_create
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(92)
sess_key : 52D509DB5E8010B2
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(93)
stor_cred: 70AC8820288ECF8D
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(94)
timestamp: 0
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(95)
timecred : 70AC8820288ECF8D
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_create(96)
calc_cred: 4C5A39005039ED3F
[2007/01/26 14:21:00, 4] libsmb/credentials.c:cred_assert(121)
cred_assert
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(123)
challenge : B6348D471E1F0113
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(124)
calculated: 4C5A39005039ED3F
[2007/01/26 14:21:00, 5] libsmb/credentials.c:cred_assert(133)
credentials check wrong
Any idea?
Thanks!
/Sermodi
2007/1/24, Andrew Bartlett <[EMAIL PROTECTED]>:
On Wed, 2007-01-24 at 17:09 +0100, sermodi wrote:
> Andrew Bartlett wrote:
> > On Tue, 2007-01-23 at 17:50 +0000, Cardon Denis wrote:
> >
> >> Hi sermodi,
> >>
> >>> I'm having a problem adding a W2K workstation to the domain samba+ldap.
> >>> I can add it by logging in with the local administrator then add to
> >>> domain, but I would like to do it without doing it manually on every
> >>> workstation. Have hundreds of workstations, I tried to add them by using
> >>> smbldap scripts and I get an entry for the workstation but it still
> >>> doesn't work. Is it even possible to only add a trust account on the PDC
> >>> or do I have to do it from the windows client?
> >>>
> >> adding a workstation through the windows "join a domain" gui does some
> >> configuration change on the host computer. Modifying is not enough, in
> >> any case you'll have to do a few things on the windows box. However there
> >> are a few command line tools available from MS for joining a domain, so
> >> you can write a small script to add the boxes.
> >>
> >
> > There is an RPC to do this (wkssvc_NetrJoinDomain2), but we never spent
> > enough time to figure out the crypto. The 524 byte password buffer
> > looks like one of the existing uses of this kind of buffer (like SAMR),
> > but that didn't apparently work.
> >
> > Andrew Bartlett
> >
> >
> Thanks for the reply.
> About the client modification, on an existing (by existing I mean a
> workstation that has been trusted previously on another PDC, a NT4) the
> client has already a password configured to the domain, the domain name
> is the same and a net vampire has been done on the NT4. So what is the
> difference between the challenge made to NT4 and the one made to the
> new samba PDC?
The whole purpose of the vampire process is that you should not have to
rejoin machines. If you are forced to rejoin a machine when vampiring
NT4, then it's a bug.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
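
The following is an added example, not part of the original thread and not Samba code: a triage script for the credential lines in the log quoted in the first message. The function names are hypothetical, and it assumes that `clnt+srv` is the sum of the two challenges taken as little-endian 32-bit words (which the logged values bear out) and that, as in the classic NETLOGON scheme, the session key is derived from the machine account's stored password hash.

```python
import re
import struct

# Constructed sample: credential lines copied from the log quoted in the post.
SAMPLE_LOG = """\
clnt_chal: 70AC8820288ECF8D
srv_chal : 3CB84822EABF4CD9
clnt+srv : AC64D142124E1C67
sess_key : 52D509DB5E8010B2
challenge : B6348D471E1F0113
calculated: 4C5A39005039ED3F
credentials check wrong
"""

NAMES = ("clnt_chal", "srv_chal", "clnt+srv", "challenge", "calculated")
FIELD = re.compile(r"^\s*(clnt_chal|srv_chal|clnt\+srv|sess_key|challenge|calculated)"
                   r"\s*:\s*([0-9A-Fa-f]{16})\s*$")

def parse_fields(log_text):
    """Collect the 8-byte hex values from the log; the last occurrence wins."""
    fields = {}
    for line in log_text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = bytes.fromhex(m.group(2))
    return fields

def chal_sum(clnt, srv):
    """Add the challenges word by word (two little-endian uint32), mod 2**32."""
    pairs = zip(struct.unpack("<2I", clnt), struct.unpack("<2I", srv))
    return struct.pack("<2I", *((a + b) & 0xFFFFFFFF for a, b in pairs))

def triage(log_text):
    """Report whether the challenge sum is consistent and whether the check passed."""
    f = parse_fields(log_text)
    missing = [n for n in NAMES if n not in f]
    if missing:
        raise ValueError("log lacks fields: " + ", ".join(missing))
    sum_ok = chal_sum(f["clnt_chal"], f["srv_chal"]) == f["clnt+srv"]
    cred_ok = f["challenge"] == f["calculated"]
    if cred_ok:
        verdict = "client credential matches"
    elif sum_ok:
        # Assumption: the remaining inputs are keyed by the machine password hash.
        verdict = "challenges consistent; compare the stored machine password hash"
    else:
        verdict = "challenge sum inconsistent; lines may mix two exchanges"
    return {"sum_ok": sum_ok, "cred_ok": cred_ok, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

For the quoted log the sum checks out and the credential does not, so the two sides agree on the challenges but not on the key material behind them.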