RE: [Samba] Must you net join for the Samba machine to become a domain member?
> When you manually add the server to the domain, the problem is that Samba doesn't know what the password is. You can set one with the 'net' command I think, however it's much easier to delete the manually added computer and run 'net join', that way Samba does the adding and you're guaranteed that it will know the machine account credentials.
> ...
> I'd strongly recommend doing a 'net join', as the Samba configuration will be metaphorically held together with sticky tape if you don't, and I wouldn't be at all surprised if it failed at a later date for seemingly no reason.

Thanks for your help again Adam.

The problem on our side is that the Windows world and Unix world are administered by separate departments. They're not going to be sharing administrative passwords with each other. I am still doing that net join but using my own domain account (which is not an administrator) and it seems to be OK provided someone manually added the machine account on the Windows side. I was hoping to have it totally automated (on the Unix side at least) with no hard-coded passwords, but I guess it can't work this way.

I'll keep my open for that failing at a later date for seemingly no reason thing :-)

thanks again,
David

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Must you net join for the Samba machine to become a domain member?
Karnowski, David wrote:
>> When you manually add the server to the domain, the problem is that Samba doesn't know what the password is. You can set one with the 'net' command I think, however it's much easier to delete the manually added computer and run 'net join', that way Samba does the adding and you're guaranteed that it will know the machine account credentials.
>> ...
>> I'd strongly recommend doing a 'net join', as the Samba configuration will be metaphorically held together with sticky tape if you don't, and I wouldn't be at all surprised if it failed at a later date for seemingly no reason.
>
> Thanks for your help again Adam.
>
> The problem on our side is that the Windows world and Unix world are administered by separate departments. They're not going to be sharing administrative passwords with each other. I am still doing that net join but using my own domain account (which is not an administrator) and it seems to be OK provided someone manually added the machine account on the Windows side. I was hoping to have it totally automated (on the Unix side at least) with no hard-coded passwords, but I guess it can't work this way.
>
> I'll keep my open for that failing at a later date for seemingly no reason thing :-)
>
> thanks again,
> David

David - check this thread out for how to do a net ads join with minimum permissions. Doing it this way bypasses the need to manually add the computer with the Users&Computers MMC.

http://marc.theaimsgroup.com/?l=samba&m=112681698521084&w=2

Eric Roseme
Hewlett-Packard
Re: [Samba] Must you net join for the Samba machine to become a domain member?
> The thing is that we already manually added the server to the domain (i.e. created a computer account for the Samba machine in the domain manually using the standard Windows GUI tools). The reason, in my case, I believe I have to do a net join is to populate the private/secrets.tdb with some ID of the domain I'm interested in.

When you manually add the server to the domain, the problem is that Samba doesn't know what the password is. You can set one with the 'net' command I think, however it's much easier to delete the manually added computer and run 'net join', that way Samba does the adding and you're guaranteed that it will know the machine account credentials.

> I noticed that when I start the Samba daemons (without first doing a net join) and then try to map a drive that it automatically finds info on some of our domains (WINPROD VTIDEV.CA) but not the one I'm interested in (CORP).

It's possible that these names are obtainable by broadcasting, in the same way that I believe workgroups are.

> And what can I do to make it discover the domain I'm interested in (CORP) without having to do a net join?

I'd strongly recommend doing a 'net join', as the Samba configuration will be metaphorically held together with sticky tape if you don't, and I wouldn't be at all surprised if it failed at a later date for seemingly no reason.

Cheers,
Adam.
Re: [Samba] Must you net join for the Samba machine to become a domain member?
> If it must join the domain why doesn't Samba try to join the domain automatically (if it's not already joined) using the credentials of the first user who tries to map a drive?

Probably because a normal user trying to map a drive isn't a Domain Admin, and generally only Domain Admins can add computers into domains.

I think you misunderstand the purpose of joining a domain. You don't join with specific credentials (e.g. a user mapping a drive), you use a domain admin's credentials to add Samba into the domain, which means from that point forward Samba is allowed to ask the domain to check passwords instead of doing so itself. This is greatly simplified, but until Samba is a member of the domain you'll usually be prompted for a password.

> It appears to me that I must net join the domain from the Samba server for this to work. Is this correct? Are there alternatives?

There's no need. If I understand the process correctly, once you've added Samba to the domain (while logged in as a Domain Admin) Samba creates its own login name and password (a 'machine' account.) From this point on Samba logs in with these credentials whenever it needs access to the domain - anything from getting a list of users to checking whether the supplied password is correct.

Actually there is one alternative, that of specifying a password server, however IMHO joining a domain is a 'cleaner' solution, even if it requires a bit more work.

> My problem is that this net use command requires some manual intervention (entering a password for a domain user) that we'd rather avoid.

Once you've successfully joined the domain this will work the way you expect (assuming Samba/winbind is configured correctly.)

Cheers,
Adam.
RE: [Samba] Must you net join for the Samba machine to become a domain member?
>> If it must join the domain why doesn't Samba try to join the domain automatically (if it's not already joined) using the credentials of the first user who tries to map a drive?
>
> Probably because a normal user trying to map a drive isn't a Domain Admin, and generally only Domain Admins can add computers into domains.
>
> I think you misunderstand the purpose of joining a domain. You don't join with specific credentials (e.g. a user mapping a drive), you use a domain admin's credentials to add Samba into the domain, which means from that point forward Samba is allowed to ask the domain to check passwords instead of doing so itself. This is greatly simplified, but until Samba is a member of the domain you'll usually be prompted for a password.
>
>> It appears to me that I must net join the domain from the Samba server for this to work. Is this correct? Are there alternatives?
>
> There's no need. If I understand the process correctly, once you've added Samba to the domain (while logged in as a Domain Admin) Samba creates its own login name and password (a 'machine' account.) From this point on Samba logs in with these credentials whenever it needs access to the domain - anything from getting a list of users to checking whether the supplied password is correct.

Thanks for your detailed response Adam.

The thing is that we already manually added the server to the domain (i.e. created a computer account for the Samba machine in the domain manually using the standard Windows GUI tools). The reason, in my case, I believe I have to do a net join is to populate the private/secrets.tdb with some ID of the domain I'm interested in.

I noticed that when I start the Samba daemons (without first doing a net join) and then try to map a drive that it automatically finds info on some of our domains (WINPROD VTIDEV.CA) but not the one I'm interested in (CORP). Below is part of the log when I try to map a drive without first doing the net join. If I do the net join then the private/secrets.tdb gets populated for the CORP domain and then the drive mapping works fine.

So I guess my question is: How does Samba automatically discover the info for some domains and not others? Where is it getting this discovery from? And what can I do to make it discover the domain I'm interested in (CORP) without having to do a net join?

[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
  trustdom_store: storing SID S-1-5-21-73586283-436374069-725345543 of domain WINPROD
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
  Adding cache entry with key = TDOM/WINPROD; value = S-1-5-21-73586283-436374069-725345543 and timeout = Thu Jan 19 18:58:35 2006 (600 seconds ahead)
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)
  trustdom_store: storing SID S-1-5-21-968365403-1350775402-1971066577 of domain VTIDEV.CA
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
  Adding cache entry with key = TDOM/VTIDEV.CA; value = S-1-5-21-968365403-1350775402-1971066577 and timeout = Thu Jan 19 18:58:35 2006 (600 seconds ahead)
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_set(127)
  Adding cache entry with key = TDOMCACHE/TIMESTAMP; value = 1137714515 and timeout = Thu Jan 19 18:58:35 2006 (600 seconds ahead)
[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_get(285)
  Cache entry with key = TDOM/CORP couldn't be found
[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain CORP found.
...
[2006/01/19 18:48:36, 6] auth/auth_sam.c:check_samstrict_security(379)
  check_samstrict_security: CORP is not one of my local names (ROLE_DOMAIN_MEMBER)
...
[2006/01/19 18:48:36, 5] passdb/secrets.c:secrets_fetch_trust_account_password(288)
  secrets_fetch failed!
[2006/01/19 18:48:36, 0] auth/auth_domain.c:check_ntdomain_security(284)
  check_ntdomain_security: could not fetch trust account password for domain 'CORP'
[2006/01/19 18:48:36, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
[2006/01/19 18:48:36, 2] auth/auth.c:check_ntlm_password(317)
  check_ntlm_password: Authentication for user [dkarnows] - [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO
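The log above shows the distinction the thread turns on: smbd can learn a domain's SID through the trusted-domain cache (WINPROD, VTIDEV.CA) without holding any credentials for it, while authenticating against a domain needs the machine-account password that only a join writes into private/secrets.tdb (missing for CORP, hence NT_STATUS_CANT_ACCESS_DOMAIN_INFO). As an added example, not code from the thread or from the Samba project, the POSIX shell diagnostic below scans smbd log text for exactly those signs and reports which domains this host is merely aware of versus which it is not joined to. The sample log is constructed from the lines posted above; the log path in the usage comment and the `<account>` placeholder in the remediation message are assumptions, not values from the page.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from Samba): read smbd log text and
# separate domains smbd merely discovered (trusted-domain cache stores) from
# domains it cannot authenticate against because private/secrets.tdb holds no
# machine-account password for them.

# Constructed sample, built from the log excerpt in the thread.
SAMPLE_LOG=$(printf '%s\n' \
  '[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)' \
  '  trustdom_store: storing SID S-1-5-21-73586283-436374069-725345543 of domain WINPROD' \
  '[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_store(127)' \
  '  trustdom_store: storing SID S-1-5-21-968365403-1350775402-1971066577 of domain VTIDEV.CA' \
  '[2006/01/19 18:48:35, 10] lib/gencache.c:gencache_get(285)' \
  "  Cache entry with key = TDOM/CORP couldn't be found" \
  '[2006/01/19 18:48:35, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)' \
  '  no entry for trusted domain CORP found.' \
  '[2006/01/19 18:48:36, 5] passdb/secrets.c:secrets_fetch_trust_account_password(288)' \
  '  secrets_fetch failed!' \
  '[2006/01/19 18:48:36, 0] auth/auth_domain.c:check_ntdomain_security(284)' \
  "  check_ntdomain_security: could not fetch trust account password for domain 'CORP'" \
  '[2006/01/19 18:48:36, 5] auth/auth.c:check_ntlm_password(271)' \
  '  check_ntlm_password: winbind authentication for user [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO' \
  '[2006/01/19 18:48:36, 2] auth/auth.c:check_ntlm_password(317)' \
  '  check_ntlm_password: Authentication for user [dkarnows] - [dkarnows] FAILED with error NT_STATUS_CANT_ACCESS_DOMAIN_INFO')

# Domains whose SID smbd learned through the trusted-domain cache, one per line.
# These are "discovered", not joined: a cache entry proves nothing about credentials.
cached_domains() {
    printf '%s\n' "$1" |
        sed -n 's/.*storing SID S-[0-9-]* of domain \([^ ]*\).*/\1/p'
}

# Domains for which smbd could not fetch a machine-account (trust account)
# password from secrets.tdb, i.e. domains this host is not joined to.
unjoined_domains() {
    printf '%s\n' "$1" |
        sed -n "s/.*could not fetch trust account password for domain '\([^']*\)'.*/\1/p" |
        sort -u
}

# Number of logons that failed with NT_STATUS_CANT_ACCESS_DOMAIN_INFO, the
# status users see when the domain is known but the host is not a member.
cant_access_count() {
    printf '%s\n' "$1" | grep -c 'NT_STATUS_CANT_ACCESS_DOMAIN_INFO' || true
}

# Print a report and return 1 when at least one domain is unjoined, so the
# function can gate a cron job or a monitoring check.
diagnose() {
    log=$1
    rc=0
    discovered=$(cached_domains "$log" | tr '\n' ' ')
    printf 'domains discovered via trusted-domain cache: %s\n' "${discovered:-none}"
    for d in $(unjoined_domains "$log"); do
        printf 'domain %s: no trust account password in private/secrets.tdb\n' "$d"
        printf '  -> this host is not a member; join it as the thread advises: net ads join -U <account>\n'
        rc=1
    done
    printf 'logons failed with NT_STATUS_CANT_ACCESS_DOMAIN_INFO: %s\n' "$(cant_access_count "$log")"
    return $rc
}

# Stand-alone use: pass a log file, e.g. /var/log/samba/log.smbd (path is an
# assumption), and the exit status tells you whether a join is missing.
# Without an argument it runs over the constructed sample (status forced to 0).
if [ -n "$1" ]; then
    diagnose "$(cat "$1")"
else
    diagnose "$SAMPLE_LOG" || true
fi
```

The three extractor functions are deliberately separate so the report cannot conflate the two states the thread discusses: a domain appearing in cached_domains only means smbd saw its SID (by broadcast or from a trusted-domain listing), whereas appearing in unjoined_domains means the authentication path reached secrets.tdb and found no machine-account password, which is precisely what a net join would fix.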