samba domain integration
-
I would ask if you have updated again.
See, I’ve tested what I can, but I don’t have a logical answer as to why it’s not working for you. It should be.
-
@Uncle-Frank
Do you think he could explain to me why I can join the Samba domain with all methods except the new client? It works with the classic manual method
It works with the netdom command line
It works with the legacy client
It does not work with the new client
I can't see anything in the Samba log
Maybe he could tell me what the difference is between the “legacy client” method and the “new client” method.
I’m OK to make some tests if it’s useful
Thanks for your and Tom's help. I can't understand what is happening
-
@Tom-Elliott
As I installed, uninstalled and reinstalled the FOG client, is it possible that Windows kept the first credential, the first one I used with an apostrophe in the password?
while FOG shows (http://192.168.39.243/fog/service/hostname.php?mac=00:21:85:71:bd:8e) the correct Samba administrator? -
Hmmm… maybe it’s important: I’m making this test on a Windows XP machine
Do I have to use the legacy client for Windows XP or should it also work with the new client?
Maybe the new client uses PowerShell for domain integration? -
@plegrand The error you reported in your last log “Invalid security token” is because you re-installed the client. You have to click “Reset Encryption Data” for the host on the web portal whenever you do that.
Now then as for Samba. The most likely reason this only occurs for the new client is because the server can’t properly parse your ’ character. Here is why: the new client does on-the-fly encryption, meaning the server encrypts the AD password with a special encryption key only the client knows and sends it to the client. With the legacy client, you were giving the server the FOGCrypt’d password, which from a plain-text perspective did not contain a ’. More than likely it is because the server is stripping out the ’, and nothing to do with the client. Every release the client is tested against multiple AD scenarios, and LDAP scenarios. In addition, it is XP compatible.
I will try and confirm this shortly.
-
Confirmed. The server is replacing ’ with '. This is now in @Tom-Elliott's domain
-
@Jbob I made all my tests with a password without an apostrophe (’).
domain : samba_domain
domain admin : admin_samba
password domain admin : password
and then with this configuration:
It works with the classic manual method
It works with the netdom command line
It works with the legacy client
It does not work with the new client
Thanks for your help -
As I previously stated, according to your log it's because the client couldn’t authenticate. You have to press “Reset Encryption Data”
-
@Jbob I already did that. It was because I uninstalled the legacy client and reinstalled the new client
Then I pressed “Reset Encryption Data”
But after that the problem is still there.
I can't join the domain with the new client -
Also, can you update again, only this time also re-enter the password in the ADPass field and/or fields.
-
@Jbob You mean the c:\fog.log?
I’ll send it to you tomorrow and I’ll try to be clear in my explanation. @Tom-Elliott I’ll update tomorrow to make a try
-
@Jbob As you and I have verified in browser (with the context printing properly) the values appear to be fixed. However, you will have to update the stored value in the database. There is a possibility this will be unneeded, but I say better to be sure than just try.
-
Here are all my tests (netdom, legacy client, new client, with log files).
As it’s a little long I made a PDF document
http://plegrand1.free.fr/Test_Samba_Domain.pdf -
I discovered something interesting.
There is a file which logs each domain-join attempt:
c:\windows\debug\NetSetup.LOG. Here is this file with the two tests (legacy and new client)
NetSetup.LOG with the NEW client (which failed)
10/02 10:18:24 -----------------------------------------------------------------
10/02 10:18:24 NetpDoDomainJoin
10/02 10:18:24 NetpMachineValidToJoin: 'gim-127-13'
10/02 10:18:24 NetpGetLsaPrimaryDomain: status: 0x0
10/02 10:18:24 NetpMachineValidToJoin: status: 0x0
10/02 10:18:24 NetpJoinDomain
10/02 10:18:24 Machine: gim-127-13
10/02 10:18:24 Domain: samba_domain
10/02 10:18:24 MachineAccountOU: 
10/02 10:18:24 Account: samba_domain\admin_samba
10/02 10:18:24 Options: 0x3
10/02 10:18:24 OS Version: 5.1
10/02 10:18:24 Build number: 2600
10/02 10:18:24 ServicePack: Service Pack 3
10/02 10:18:24 NetpValidateName: checking to see if 'samba_domain' is valid as type 3 name
10/02 10:18:24 NetpValidateName: 'samba_domain' is not a valid Dns domain name: 0x2554
10/02 10:18:25 NetpCheckDomainNameIsValid [ Exists ] for 'samba_domain' returned 0x0
10/02 10:18:25 NetpValidateName: name 'samba_domain' is valid for type 3
10/02 10:18:25 NetpDsGetDcName: trying to find DC in domain 'samba_domain', flags: 0x1020
10/02 10:18:25 NetpDsGetDcName: found DC '\\SAMBA' in the specified domain
10/02 10:18:25 NetpJoinDomain: status of connecting to dc '\\SAMBA': 0x0
10/02 10:18:25 NetpJoinDomain: OU is specified but couldn't get NT5 DC
10/02 10:18:25 NetpJoinDomain: status of disconnecting from '\\SAMBA': 0x0
10/02 10:18:25 NetpDoDomainJoin: status: 0x54b
10/02 10:19:26 -----------------------------------------------------------------
NetSetup.LOG with the LEGACY client (which works fine)
10/02 10:50:12 -----------------------------------------------------------------
10/02 10:50:12 NetpDoDomainJoin
10/02 10:50:12 NetpMachineValidToJoin: 'gim-127-13'
10/02 10:50:12 NetpGetLsaPrimaryDomain: status: 0x0
10/02 10:50:12 NetpMachineValidToJoin: status: 0x0
10/02 10:50:12 NetpJoinDomain
10/02 10:50:12 Machine: gim-127-13
10/02 10:50:12 Domain: samba_domain
10/02 10:50:12 MachineAccountOU: (NULL)
10/02 10:50:12 Account: samba_domain\admin_samba
10/02 10:50:12 Options: 0x3
10/02 10:50:12 OS Version: 5.1
10/02 10:50:12 Build number: 2600
10/02 10:50:12 ServicePack: Service Pack 3
10/02 10:50:12 NetpValidateName: checking to see if 'samba_domain' is valid as type 3 name
10/02 10:50:12 NetpValidateName: 'samba_domain' is not a valid Dns domain name: 0x2554
10/02 10:50:12 NetpCheckDomainNameIsValid [ Exists ] for 'samba_domain' returned 0x0
10/02 10:50:12 NetpValidateName: name 'samba_domain' is valid for type 3
10/02 10:50:12 NetpDsGetDcName: trying to find DC in domain 'samba_domain', flags: 0x1020
10/02 10:50:20 NetpDsGetDcName: found DC '\\SAMBA' in the specified domain
10/02 10:50:20 NetpJoinDomain: status of connecting to dc '\\SAMBA': 0x0
10/02 10:50:20 NetpGetLsaPrimaryDomain: status: 0x0
10/02 10:50:20 NetpGetNt4RefusePasswordChangeStatus: trying to read from '\\SAMBA'
10/02 10:50:20 NetpGetNt4RefusePasswordChangeStatus: RefusePasswordChange == 0
10/02 10:50:20 NetpLsaOpenSecret: status: 0xc0000034
10/02 10:50:21 NetpManageMachineAccountWithSid: NetUserAdd on '\\SAMBA' for 'GIM-127-13$' failed: 0x8b0
10/02 10:50:21 NetpManageMachineAccountWithSid: status of attempting to set password on '\\SAMBA' for 'GIM-127-13$': 0x0
10/02 10:50:21 NetpJoinDomain: status of creating account: 0x0
10/02 10:50:21 NetpGetLsaPrimaryDomain: status: 0x0
10/02 10:50:21 NetpSetLsaPrimaryDomain: for 'SAMBA_DOMAIN' status: 0x0
10/02 10:50:21 NetpJoinDomain: status of setting LSA pri. domain: 0x0
10/02 10:50:21 NetpJoinDomain: status of managing local groups: 0x0
10/02 10:50:21 NetpJoinDomain: status of setting netlogon cache: 0x0
10/02 10:50:22 NetpJoinDomain: status of clearing ComputerNamePhysicalDnsDomain: 0x0
10/02 10:50:22 NetpUpdateW32timeConfig: 0x0
10/02 10:50:22 NetpJoinDomain: status of disconnecting from '\\SAMBA': 0x0
10/02 10:50:22 NetpDoDomainJoin: status: 0x0
10/02 10:53:12 -----------------------------------------------------------------
10/02 10:53:12 NetpDoDomainJoin
10/02 10:53:12 NetpMachineValidToJoin: 'gim-127-13'
10/02 10:53:12 NetpGetLsaPrimaryDomain: status: 0x0
10/02 10:53:12 NetpMachineValidToJoin: the specified machine is already joined to 'SAMBA_DOMAIN'!
10/02 10:53:12 NetpMachineValidToJoin: status: 0xa83
10/02 10:53:12 NetpDoDomainJoin: status: 0xa83
Maybe it could help to find the problem
-
Well that’s an interesting catch. The difference I see is that the output from the old client says
MachineAccountOU: (NULL)
whereas the output from the new client seems to be empty but not NULL. Later on it fails with
NetpJoinDomain: OU is specified but couldn't get NT5 DC
@Jbob Can you think of why this is different? You know the client source code a lot better than I do! Maybe the OU is sent as an empty string (“”) instead of NULL in the new client. -
On the Windows XP client I tried this nltest.exe command:
nltest.exe /dsgetdc:samba_domain
DC: \SAMBA
Address: \SAMBA
Dom Name: SAMBA_DOMAIN
The command completed successfully -
@Uncle-Frank Just for a test I put “NULL” and then “(NULL)” into “Organizational Unit” in the AD configuration, without success
-
Bug confirmed and isolated. A ticket has been made here:
https://github.com/FOGProject/fog-client/issues/22
Basic explanation:
For some reason the Samba LDAP domain is returning an error code of 1355 instead of 2 or 50 (which correspond to OU errors). On OU errors the client will try using a null OU. I just have to add 1355 to the cases of OU errors. -
@Jbob Hello, does it mean that the new client will work now, or do I have to wait for the new “patched” client?
Anyway, thanks for your help