From: Sam Robb on
Hello all.

I have a Samba 3.5.4 server that we're attempting to join to an existing Windows 2008 ADS.

Doing "net ads join" seems to go ok, and a follow up "net -P ads testjoin" says we're OK.

However... at this point, doing "wbinfo -u" or "wbinfo -g" returns no data (the programs exit with erro code 0, and no output).

Attempting to log into a share on the samba machine from a Windows XP client fails (username/password are not accepted).

The exact same configuration, using samba 3.3.0, works perfectly.

Running winbindd on the console (winbindd -d 10 -F -s /var/etc/smb.conf -S -i) shows me the following when I try to run "wbinfo -u":

child daemon request 63
child_process_request: request fn NDRCMD
winbindd_dual_ndrcmd: Running command WBINT_DSGETDCNAME (no domain)
wbint_DsGetDcName: struct wbint_DsGetDcName
in: struct wbint_DsGetDcName
domain_name : *
domain_name : 'DOMAIN.ARRIAD.COM'
domain_guid : NULL
site_name : *
site_name : ''
flags : 0x00000000 (0)
dsgetdcname: domain_name: DOMAIN.ARRIAD.COM, domain_guid: (null), site_name: , flags: 0x00000000
debug_dsdcinfo_flags: 0x00000000
Returning valid cache entry: key = AD_SITENAME/DOMAIN/DOMAIN.ARRIAD.COM, value = Default-First-Site-Name, timeout = Mon Jan 18 22:14:07 2038
sitename_fetch: Returning sitename for DOMAIN.ARRIAD.COM: "Default-First-Site-Name"
Returning valid cache entry: key = DSGETDCNAME/DOMAIN/DOMAIN.ARRIAD.COM, value = , timeout = Mon Jul 19 16:18:54 2010
info: struct netr_DsRGetDCNameInfo
dc_unc : *
dc_unc : 'ads_machine.DOMAIN.arriad.com'
dc_address : *
dc_address : '\\10.0.8.36'
dc_address_type : DS_ADDRESS_TYPE_INET (1)
domain_guid : c8d2ab8f-6a0f-4ddf-9be8-dfb32c4af4c2
domain_name : *
domain_name : 'DOMAIN.arriad.com'
forest_name : *
forest_name : 'DOMAIN.arriad.com'
dc_flags : 0xe00013fd (3758101501)
1: DS_SERVER_PDC
1: DS_SERVER_GC
1: DS_SERVER_LDAP
1: DS_SERVER_DS
1: DS_SERVER_KDC
1: DS_SERVER_TIMESERV
1: DS_SERVER_CLOSEST
1: DS_SERVER_WRITABLE
1: DS_SERVER_GOOD_TIMESERV
0: DS_SERVER_NDNC
0: DS_SERVER_SELECT_SECRET_DOMAIN_6
1: DS_SERVER_FULL_SECRET_DOMAIN_6
1: DS_DNS_CONTROLLER
1: DS_DNS_DOMAIN
1: DS_DNS_FOREST
dc_site_name : *
dc_site_name : 'Default-First-Site-Name'
client_site_name : *
client_site_name : 'Default-First-Site-Name'
wbint_DsGetDcName: struct wbint_DsGetDcName
out: struct wbint_DsGetDcName
dc_info : *
dc_info : *
dc_info: struct netr_DsRGetDCNameInfo
dc_unc : *
dc_unc : 'ads_machine.DOMAIN.arriad.com'
dc_address : *
dc_address : '\\10.0.8.36'
dc_address_type : DS_ADDRESS_TYPE_INET (1)
domain_guid : c8d2ab8f-6a0f-4ddf-9be8-dfb32c4af4c2
domain_name : *
domain_name : 'DOMAIN.arriad.com'
forest_name : *
forest_name : 'DOMAIN.arriad.com'
dc_flags : 0xe00013fd (3758101501)
1: DS_SERVER_PDC
1: DS_SERVER_GC
1: DS_SERVER_LDAP
1: DS_SERVER_DS
1: DS_SERVER_KDC
1: DS_SERVER_TIMESERV
1: DS_SERVER_CLOSEST
1: DS_SERVER_WRITABLE
1: DS_SERVER_GOOD_TIMESERV
0: DS_SERVER_NDNC
0: DS_SERVER_SELECT_SECRET_DOMAIN_6
1: DS_SERVER_FULL_SECRET_DOMAIN_6
1: DS_DNS_CONTROLLER
1: DS_DNS_DOMAIN
1: DS_DNS_FOREST
dc_site_name : *
dc_site_name : 'Default-First-Site-Name'
client_site_name : *
client_site_name : 'Default-First-Site-Name'
result : NT_STATUS_OK
Finished processing child request 63
Writing 3912 bytes to parent
dsgetdcname failed: NT_STATUS_ACCESS_DENIED
wb_request_done[21194:DSGETDCNAME]: NT_STATUS_ACCESS_DENIED
winbind_client_response_written[21194:DSGETDCNAME]: deliverd response to client
process_request: Handling async request 21194:DSGETDCNAME
[21194]: dsgetdcname for DOMAIN.ARRIAD.COM
dsgetdcname failed: NT_STATUS_PIPE_BROKEN
wb_request_done[21194:DSGETDCNAME]: NT_STATUS_PIPE_BROKEN
winbind_client_response_written[21194:DSGETDCNAME]: deliverd response to client
process_request: Handling async request 21194:DSGETDCNAME
[21194]: dsgetdcname for DOMAIN.ARRIAD.COM
dsgetdcname failed: NT_STATUS_PIPE_BROKEN
wb_request_done[21194:DSGETDCNAME]: NT_STATUS_PIPE_BROKEN
winbind_client_response_written[21194:DSGETDCNAME]: deliverd response to client
process_request: Handling async request 21194:DSGETDCNAME
[21194]: dsgetdcname for DOMAIN.ARRIAD.COM
dsgetdcname failed: NT_STATUS_PIPE_BROKEN
wb_request_done[21194:DSGETDCNAME]: NT_STATUS_PIPE_BROKEN
winbind_client_response_written[21194:DSGETDCNAME]: deliverd response to client
closing socket 24, client exited
accepted socket 24

So we're apparently able to contact the ADS, send a request, but the request is being denied. What has changed between 3.3.0 and 3.5.4 that would cause us to start getting an ACCESS_DENIED error in response to such a basic rpc request?

-Samrobb

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
 | 
Pages: 1
Prev: Oplocks
Next: Access from an AD group