Re: [Samba] authentication problem with samba4 as a dcerpc server

2013-06-09 Thread eric gou

From: Andrew Bartlett
Sent: Saturday, June 08, 2013 1:20 AM
To: eric gou
Cc: samba@lists.samba.org
Subject: Re: [Samba] authentication problem with samba4 as a dcerpc server

On Thu, 2013-06-06 at 09:44 -0700, eric gou wrote:
I made a mistake in the previous letter. I used the command “net ads join”; it looks like that’s not for samba4.


Now I use “samba-tool” to join a DC domain as a member, and it succeeds; I can see some info stored in secrets.ldb.

./samba-tool domain join SMB3.COM MEMBER -Uadministrator --realm=SMB3.COM


Unfortunately, when I start “samba”, it still fails to find the domain info, and so does the subsequent authentication for msrpc:


task_server_terminate: [dreplsrv: no DSDB replication required in domain member configuration]
single_terminate: reason[dreplsrv: no DSDB replication required in domain member configuration]

ldb_wrap open of secrets.ldb
task_server_terminate: [Cannot start Winbind (domain member): Failed to find record for SMB3 in /usr/local/samba/private/secrets.ldb: No such object: (null): Have you joined the SMB3 domain?]

Can anyone help?

I think it's the same issue in both cases.  Are you sure you joined the
domain by the correct netbios domain name?

I think your workgroup=  setting might not match the netbios domain name
of the domain, which is why it isn't being found.

Thanks for your reply. The domain name is SMB3.COM; what I set is:
workgroup = SMB3


After I joined the domain by samba-tool, the secrets.ldb info is like this:
   # record 1
   dn: flatname=SMB3,cn=Primary Domains
   msDS-KeyVersionNumber: 5
   objectClass: top
   objectClass: primaryDomain
   objectClass: kerberosSecret
   objectSid: S-1-5-21-4046433554-1285089214-3428912259
   privateKeytab: secrets.keytab
   realm: smb3.com
   saltPrincipal: host/suse11-9.smb3@smb3.com
   samAccountName: SUSE11-9$
   secret: 
W5JP@4b$yM[dPlQ7)R%5F]!vJF#FfSwB$,PPC,)GQDekyU?X(MjZLg-Si=Yeg0oRmTa@
   iekMLqZ1vNMGCp_xBflL9c@Y#7g%2FqSsc4nV7E!%RF#bQ.umf7)o)aWvesOVg?5yd6nD~2_h7Q]
   $%nXQW:C:~d$RkB9rWCr5EMfTWPi24,%gS5zEfB]9Fr!wU?C=?
   secureChannelType: 2
   servicePrincipalName: HOST/suse11-9
   distinguishedName: flatname=SMB3,cn=Primary Domains

When I start samba, it starts the winbind task, which uses this macro, SECRETS_PRIMARY_DOMAIN_FILTER, to look for the info in secrets.ldb.


It's defined like this:
#define SECRETS_PRIMARY_DOMAIN_FILTER "(&(flatname=%s)(objectclass=primaryDomain))"

The first key is flatname, and its value is SMB3;
apparently there is no key named flatname in secrets.ldb, and it fails.

My solution is to redefine the macro like this:
#define SECRETS_PRIMARY_DOMAIN_FILTER ((dn=flatname=%s,cn=Primary Domains))
and use the key dn, with the value flatname=SMB3,cn=Primary Domains, to query secrets.ldb, and that works.


Is this a bug?

Another thing I'm confused about is that, after I use samba-tool to join the domain, it seems that I have to use net ads join too,
because the function cli_credentials_set_machine_account in credentials_secrets.c queries both secrets.ldb and secrets.tdb
and compares some items between them.
Some items in secrets.ldb are missing, such as whenChanged.

And secrets.keytab does not seem to be created if I join samba4 as a domain member.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
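An added example of my own (not code from the thread or from Samba) that reproduces the lookup described in the reply above: it parses the secrets.ldb record quoted there, evaluates Samba's primary-domain filter against it, and shows that the lookup succeeds only when a flatname attribute is present and matches the configured workgroup (the netbios name, not the realm). The LDIF is a constructed copy of the quoted record with the secret replaced by a placeholder; the RDN-to-attribute step assumes ldb's usual rdn_name behaviour.

```python
import re

# Constructed sample: the secrets.ldb record quoted in the thread, as LDIF,
# with the secret replaced by a placeholder (its value plays no role here).
SECRETS_LDIF = """\
dn: flatname=SMB3,cn=Primary Domains
objectClass: top
objectClass: primaryDomain
objectClass: kerberosSecret
realm: smb3.com
samAccountName: SUSE11-9$
secret: <machine-account-secret-placeholder>
secureChannelType: 2
"""

# Same shape as Samba's SECRETS_PRIMARY_DOMAIN_FILTER (%s is the workgroup).
PRIMARY_DOMAIN_FILTER = "(&(flatname=%s)(objectclass=primaryDomain))"

def parse_ldif(text):
    """Parse one LDIF record into {attribute_lowercase: [values]}.
    Only plain 'attr: value' lines are handled (no '::' base64 values)."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        record.setdefault(attr.strip().lower(), []).append(value.strip())
    return record

def with_rdn_attribute(record):
    """Return a copy with the RDN (flatname=SMB3) also stored as an attribute,
    as ldb's rdn_name module normally does for records it adds (assumption)."""
    rec = {k: list(v) for k, v in record.items()}
    attr, _, value = rec["dn"][0].split(",")[0].partition("=")
    rec.setdefault(attr.lower(), []).append(value)
    return rec

def matches(record, filt):
    """Evaluate an AND-of-equality filter such as (&(a=v)(b=w)); names and
    values compare case-insensitively, like ldb's default string syntax."""
    terms = re.findall(r"\((\w+)=([^()]*)\)", filt)
    return all(any(v.lower() == want.lower() for v in record.get(a.lower(), []))
               for a, want in terms)

def lookup_primary_domain(ldif, workgroup, add_rdn=False):
    """True if the winbind-style lookup for this workgroup finds the record."""
    rec = parse_ldif(ldif)
    return matches(with_rdn_attribute(rec) if add_rdn else rec,
                   PRIMARY_DOMAIN_FILTER % workgroup)
```

With the record exactly as dumped (no flatname attribute) the lookup fails for workgroup SMB3; once the RDN is present as an attribute it succeeds for SMB3 or smb3, and still fails if workgroup is set to the realm SMB3.COM.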

Re: [Samba] authentication problem with samba4 as a dcerpc server

2013-06-06 Thread eric gou
I made a mistake in the previous letter. I used the command “net ads join”; it looks like that’s not for samba4.

Now I use “samba-tool” to join a DC domain as a member, and it succeeds; I can see some info stored in secrets.ldb.

./samba-tool domain join SMB3.COM MEMBER -Uadministrator --realm=SMB3.COM


Unfortunately, when I start “samba”, it still fails to find the domain info, and so does the subsequent authentication for msrpc:

task_server_terminate: [dreplsrv: no DSDB replication required in domain member configuration]
single_terminate: reason[dreplsrv: no DSDB replication required in domain member configuration]
ldb_wrap open of secrets.ldb
task_server_terminate: [Cannot start Winbind (domain member): Failed to find record for SMB3 in /usr/local/samba/private/secrets.ldb: No such object: (null): Have you joined the SMB3 domain?]

Can anyone help?

Thanks

[Samba] authentication problem with samba4 as a dcerpc server

2013-06-05 Thread eric gou
Hi All,

I’m trying to configure samba4 to run as a dcerpc server, listening on TCP port 135 only for ncacn_ip_tcp.

When the msrpc request comes in for GSSAPI authentication, it fails to find the account-related information in the local database.

I joined it into an AD domain as a member. I noticed the account-related information is stored in secrets.tdb, not secrets.ldb, but the samba4 server (the samba daemon) is looking in secrets.ldb for this information.

What can I do to pass GSSAPI authentication (Kerberos or NTLM) for msrpc? Is there anything I missed?
