samba domain integration
-
@plegrand yep
-
@Tom-Elliott This only works going forward in version, correct? Not downgrade?
-
@EAHarvey yep too
-
-
@Tom-Elliott In fact I am just beginning to wonder if it worked once.
I can’t understand why it works with the netdom command and not with the FOG client.
Do I have to uninstall and reinstall the client too?
-
@plegrand Well, can you provide a TeamViewer session (in chat) with me and I can try to help narrow down exactly where the problem lies? I’m going to guess it has to do with the user having the domain as a part of the field.
-
@Tom-Elliott Eureka !!
I ran some tests, and I know why I said it worked before: it works with the legacy client and the “Domain Password Legacy” field filled in, without problem.
Then I uninstalled the legacy client and installed the new client, but now there is another error:
29/09/2015 16:39 Client-Info Version: 0.9.5
29/09/2015 16:39 HostnameChanger Running...
29/09/2015 16:39 Middleware::Communication URL: http://192.168.39.243/fog/service/servicemodule-active.php?moduleid=hostnamechanger&mac=00:21:85:71:BD:8E|&newService=1
29/09/2015 16:39 Middleware::Communication Response: Success
29/09/2015 16:39 Middleware::Communication URL: http://192.168.39.243/fog/service/hostname.php?moduleid=hostnamechanger&mac=00:21:85:71:BD:8E|&newService=1
29/09/2015 16:39 Middleware::Communication Response: Invalid host certificate
29/09/2015 16:39 Middleware::Communication URL: http://192.168.39.243/fog/management/other/ssl/srvpublic.crt
29/09/2015 16:39 Data::RSA CA cert found
29/09/2015 16:39 Middleware::Authentication Cert OK
29/09/2015 16:39 Middleware::Communication POST URL: http://192.168.39.243/fog/management/index.php?sub=authorize
29/09/2015 16:39 Middleware::Communication Response: Invalid security token
-
So does that seem to indicate a difference in the passwords?
-
@Tom-Elliott It’s the same password used.
I put the “real” password into the “Domain Password” field
and the same password encrypted with FogCrypt into the “Domain Password Legacy” field.
-
@Tom-Elliott Maybe I didn’t understand your question?
Do you need more information?
I think the legacy client and the new client don’t use the same method to join the domain. Am I wrong?
Just to be clear:
joining the domain works fine with the legacy client and doesn’t work with the new client.
I ran the tests with the same domain user and the same password,
in clear text for the new client
and encrypted with FogCrypt for the legacy client.
-
@Tom-Elliott Hello Tom, do you think my problem comes from a bug in the new client, or from me and my configuration?
Do you want me to run some other tests?
Thanks
-
I guess @Jbob would know…
-
I would ask if you have updated again.
See, I’ve tested what I can, but I don’t have a logical answer as to why it’s not working for you. It should be.
-
@Uncle-Frank
Do you think he could explain to me why I can join the Samba domain with “all” methods except with the new client?
It works with the classic manual method
It works with netdom command line
It works with legacy client
It does not work with new client
I can’t see anything in the Samba log.
Maybe he could tell me what the difference is between the “legacy client” method and the “new client” method.
I’m OK to run some tests if it’s useful.
Thanks for your and Tom’s help. I can’t understand what is happening.
-
@Tom-Elliott
As I install, uninstall and reinstall the FOG client, is it possible that Windows kept the first credential, the first one I used, with an apostrophe in the password,
while FOG shows (http://192.168.39.243/fog/service/hostname.php?mac=00:21:85:71:bd:8e) the good Samba administrator?
-
Hmmm… maybe it’s important: I’m running this test on a Windows XP machine.
Do I have to use the legacy client for Windows XP, or should it also work with the new client?
Maybe the new client uses PowerShell for domain integration?
-
@plegrand The error you reported in your last log “Invalid security token” is because you re-installed the client. You have to click “Reset Encryption Data” for the host on the web portal whenever you do that.
Now then as for Samba. The most likely reason this only occurs for the new client is because the server can’t properly parse your ’ character. Here is why: The new client does on-the-fly encryption, meaning the server encrypts the AD password with a special encryption key only the client knows and sends it to the client. With the legacy client, you were giving the server the FOGCrypt’d password, which from a plain text perspective did not contain a ’ . More than likely it is because the server is stripping out the ’ , and nothing to do with the client. Every release the client is tested against multiple AD scenarios, and LDAP scenarios. In addition, it is XP compatible.
I will try and confirm this shortly.
-
Confirmed. The server is replacing ’ with '. This is now in @Tom-Elliott’s domain.
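An added example, not part of the original posts and not FOG code: it models why a server-side input filter breaks a password on the new client's on-the-fly path while a pre-encrypted legacy value passes through intact. The filter (HTML-entity encoding via `html.escape`), the stand-in cipher, the keys and the sample passwords are all assumptions, since the exact replacement is not legible in the thread.

```python
import hashlib
import html

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher (SHA-256 counter keystream); NOT FOG's real crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def sanitize(field: str) -> str:
    """Assumed server-side input filter: HTML-entity encoding, quotes included."""
    return html.escape(field, quote=True)

def new_client_path(typed_password: str, session_key: bytes) -> str:
    """Plaintext is stored through the filter, then encrypted on the fly for the client."""
    stored = sanitize(typed_password)
    wire = keystream_xor(session_key, stored.encode())
    return keystream_xor(session_key, wire).decode()  # value the client decrypts

def legacy_client_path(typed_password: str, legacy_key: bytes) -> str:
    """Admin pre-encrypts offline; only a hex string ever passes through the filter."""
    pre_encrypted = keystream_xor(legacy_key, typed_password.encode()).hex()
    stored = sanitize(pre_encrypted)  # hex digits are untouched by the filter
    return keystream_xor(legacy_key, bytes.fromhex(stored)).decode()

def altered_characters(password: str) -> list[str]:
    """Characters of a secret that the filter would rewrite before encryption."""
    return sorted({c for c in password if sanitize(c) != c})

def audit(passwords, key=b"constructed-demo-key"):
    """Report, per password, whether each path delivers the value that was typed."""
    report = {}
    for pw in passwords:
        report[pw] = {
            "new_ok": new_client_path(pw, key) == pw,
            "legacy_ok": legacy_client_path(pw, key) == pw,
            "altered": altered_characters(pw),
        }
    return report

if __name__ == "__main__":
    # Constructed sample passwords, not values from the thread.
    for pw, result in audit(["password", "pa'ssword", "a&b<c"]).items():
        print(repr(pw), result)
```

Under these assumptions the encryption round-trips correctly on both paths; only the plaintext handed to the cipher differs, which is why nothing looks wrong in the client's crypto while the domain controller still rejects the credential.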
-
@Jbob I ran all my tests with a password without an apostrophe " ’ ".
domain : samba_domain
domain admin : admin_samba
password domain admin : password
and then with this configuration:
It works with the classic manual method
It works with netdom command line
It works with legacy client
It does not work with new client
Thanks for your help
-
As I previously stated, according to your log it’s because the client couldn’t authenticate. You have to press “Reset Encryption Data”.