Jens Nissen wrote:
I doff my hat, indeed, my SBS2000 is running SP1.
(Microsoft never provided updates for SBS2000 beyond SP1,
there were individual updates for Windows, Exchange, SQL, IIE ... but
they were partially incompatible with SBS2000, so there might be more
machines out there!!)
I updated to SP4, now I get the next error:
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
Is it possible that this is already a known issue in Samba 3.2.0 and
needs to be back-ported to Samba 3.0.30?
See
http://lists-archives.org/samba/34051-net-ads-join-fails-with-nt_status_nologon_workstation_trust_account.html
Yeah, it's a known issue.
Can you please try attached patch?
Thanks,
Guenther
--
Günther Deschner GPG-ID: 8EE11688
Red Hat [EMAIL PROTECTED]
Samba Team [EMAIL PROTECTED]
>From 97a81114e608927af3b94cd1c561e7f8359907d2 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?G=C3=BCnther=20Deschner?= <[EMAIL PROTECTED]>
Date: Thu, 5 Jun 2008 16:26:10 +0200
Subject: [PATCH] net: fix joining w2k domains in "security = ads".
This repairs the join verification code which needs to try an anonymous
connection (as an authenticated connection will always fail with
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT).
Guenther
---
source/utils/net.c | 61 ++++++++++++++++++++++++------------------
source/utils/net_rpc_join.c | 6 +---
2 files changed, 36 insertions(+), 31 deletions(-)
diff --git a/source/utils/net.c b/source/utils/net.c
index 5a81edb..d8ea462 100644
--- a/source/utils/net.c
+++ b/source/utils/net.c
@@ -181,27 +181,30 @@ NTSTATUS connect_to_service(struct cli_state **c, struct
in_addr *server_ip,
opt_user_name, opt_workgroup,
opt_password, 0, Undefined, NULL);
- if (NT_STATUS_IS_OK(nt_status)) {
+ if (NT_STATUS_IS_OK(nt_status) ||
+ NT_STATUS_EQUAL(nt_status,
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT) ||
+ NT_STATUS_EQUAL(nt_status, NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT)
||
+ NT_STATUS_EQUAL(nt_status,
NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT)) {
return nt_status;
- } else {
- d_fprintf(stderr, "Could not connect to server %s\n",
server_name);
+ }
- /* Display a nicer message depending on the result */
+ d_fprintf(stderr, "Could not connect to server %s\n", server_name);
- if (NT_STATUS_V(nt_status) ==
- NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
- d_fprintf(stderr, "The username or password was not
correct.\n");
+ /* Display a nicer message depending on the result */
- if (NT_STATUS_V(nt_status) ==
- NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
- d_fprintf(stderr, "The account was locked out.\n");
+ if (NT_STATUS_V(nt_status) ==
+ NT_STATUS_V(NT_STATUS_LOGON_FAILURE))
+ d_fprintf(stderr, "The username or password was not
correct.\n");
- if (NT_STATUS_V(nt_status) ==
- NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
- d_fprintf(stderr, "The account was disabled.\n");
+ if (NT_STATUS_V(nt_status) ==
+ NT_STATUS_V(NT_STATUS_ACCOUNT_LOCKED_OUT))
+ d_fprintf(stderr, "The account was locked out.\n");
- return nt_status;
- }
+ if (NT_STATUS_V(nt_status) ==
+ NT_STATUS_V(NT_STATUS_ACCOUNT_DISABLED))
+ d_fprintf(stderr, "The account was disabled.\n");
+
+ return nt_status;
}
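Review bot: The new early return at the top of this hunk passes the three `NT_STATUS_NOLOGON_*_TRUST_ACCOUNT` results back without printing anything, yet it still hands the caller a failure status and carries no comment saying why these codes are special. A comment above the condition such as `/* trust-account logon refusals are expected when verifying a join; stay quiet so the caller can retry anonymously */` would record the intent given in the commit message. The condition also uses `NT_STATUS_EQUAL()` while the message checks below compare `NT_STATUS_V()` values, so using one form throughout would read more consistently. The start of connect_to_service lies outside this hunk.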
@@ -481,7 +484,7 @@ struct cli_state *net_make_ipc_connection_ex( const char
*domain, const char *se
char *server_name = NULL;
struct in_addr server_ip;
struct cli_state *cli = NULL;
- NTSTATUS nt_status;
+ NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
if ( !server || !ip ) {
if (!net_find_server(domain, flags, &server_ip, &server_name)) {
@@ -493,25 +496,31 @@ struct cli_state *net_make_ipc_connection_ex( const char
*domain, const char *se
server_ip = *ip;
}
+ if (opt_user_name && opt_password) {
+ nt_status = connect_to_ipc(&cli, &server_ip, server_name);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ goto connected;
+ }
+ }
if (flags & NET_FLAGS_ANONYMOUS) {
nt_status = connect_to_ipc_anonymous(&cli, &server_ip,
server_name);
- } else {
- nt_status = connect_to_ipc(&cli, &server_ip, server_name);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ goto connected;
+ }
}
+ SAFE_FREE(server_name);
+ d_fprintf(stderr, "Connection failed: %s\n",
+ nt_errstr(nt_status));
+ return NULL;
+
+ connected:
/* store the server in the affinity cache if it was a PDC */
if ( (flags & NET_FLAGS_PDC) && NT_STATUS_IS_OK(nt_status) )
saf_store( cli->server_domain, cli->desthost );
- SAFE_FREE(server_name);
- if (NT_STATUS_IS_OK(nt_status)) {
- return cli;
- } else {
- d_fprintf(stderr, "Connection failed: %s\n",
- nt_errstr(nt_status));
- return NULL;
- }
+ return cli;
}
static int net_user(int argc, const char **argv)
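Review bot: The success path now appears to leak `server_name`: both `goto connected` jumps skip the `SAFE_FREE(server_name);` that was moved above the failure message, and nothing after the `connected:` label frees it, whereas the old code freed it before either return. Adding `SAFE_FREE(server_name);` just before `return cli;` would restore that. Separately, when `NET_FLAGS_ANONYMOUS` is not set and `opt_user_name && opt_password` is false, no connection is attempted at all and the function reports the initial `NT_STATUS_UNSUCCESSFUL`, while the old code always called `connect_to_ipc()` in that case. Callers that pass `NET_FLAGS_ANONYMOUS` also now get an authenticated attempt first whenever credentials are set, and any authenticated failure (not only the trust-account refusals) falls through to an anonymous session, so a comment at the fallback stating that this downgrade is intended would help the next reader. The opening lines of net_make_ipc_connection_ex are outside this hunk.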
diff --git a/source/utils/net_rpc_join.c b/source/utils/net_rpc_join.c
index 63e77b3..361a319 100644
--- a/source/utils/net_rpc_join.c
+++ b/source/utils/net_rpc_join.c
@@ -45,7 +45,7 @@ int net_rpc_join_ok(const char *domain, const char *server,
struct in_addr *ip )
{
uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
enum security_types sec;
- unsigned int conn_flags = NET_FLAGS_PDC;
+ unsigned int conn_flags = NET_FLAGS_PDC | NET_FLAGS_ANONYMOUS;
struct cli_state *cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
struct rpc_pipe_client *netlogon_pipe = NULL;
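Review bot: `conn_flags` now always carries `NET_FLAGS_ANONYMOUS`, but the only explanation of why anonymous connections are needed was the comment in the `else` branch that the following hunk deletes. A replacement comment on this initialiser, for example `/* always allow the anonymous fallback: some DCs refuse machine-authenticated SMB sessions with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT */`, would keep that rationale next to the flag. It would also be worth stating there that the join check may now run over an anonymous SMB session even in the machine-account case, since that is a change in what this verification step authenticates at the transport level. The rest of net_rpc_join_ok is outside this hunk.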
@@ -58,10 +58,6 @@ int net_rpc_join_ok(const char *domain, const char *server,
struct in_addr *ip )
connection here, as it may be denied by server's local
policy. */
net_use_machine_account();
- } else {
- /* some servers (e.g. WinNT) don't accept machine-authenticated
- smb connections */
- conn_flags |= NET_FLAGS_ANONYMOUS;
}
/* Connect to remote machine */
--
1.5.5.1