samba domain integration

  • P
    plegrand @Tom Elliott
    last edited by Sep 29, 2015, 2:44 PM

    @Tom-Elliott It’s the same password used.
    I put the “real” password into the “Domain Password” field
    and the same password, encrypted with FogCrypt, into the “Domain Password Legacy” field.

    • P
      plegrand @Tom Elliott
      last edited by plegrand Sep 30, 2015, 2:35 AM Sep 30, 2015, 6:14 AM

      @Tom-Elliott Maybe I didn’t understand your question?
      Do you need more information?
      I think the legacy client and the new client don’t use the same method to join the domain. Am I wrong?
      Just to be clear:
      joining the domain works fine with the legacy client and doesn’t work with the new client.
      I made the tests with the same domain user and the same password,
      clear for the new client
      and encrypted with Fog Crypt for the legacy client.

      • P
        plegrand @Tom Elliott
        last edited by Oct 1, 2015, 9:16 AM

        @Tom-Elliott Hello Tom, do you think my problem comes from a bug in the new client, or from me and my configuration?
        Do you want me to make some other tests?
        Thanks

        • S
          Sebastian Roth Moderator
          last edited by Oct 1, 2015, 1:35 PM

          I guess @Jbob would know…

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

          • T
            Tom Elliott
            last edited by Oct 1, 2015, 1:37 PM

            I would ask if you have updated again.

            See, I’ve tested what I can, but I don’t have a logical answer as to why it’s not working for you. It should be.

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

            • P
              plegrand @Sebastian Roth
              last edited by Oct 1, 2015, 2:23 PM

              @Uncle-Frank
              Do you think he could explain to me why I can join the samba domain with “all” methods except with the new client?

              It works with the classic manual method
              It works with the netdom command line
              It works with the legacy client
              It does not work with the new client
              I can’t see anything in the samba log
              Maybe he could tell me what the difference is between the “legacy client” method and the “new client” method.
              I’m OK to make some tests if it’s useful
              Thanks for your and Tom’s help

              I can’t understand what is happening

              • P
                plegrand @Tom Elliott
                last edited by Oct 1, 2015, 2:39 PM

                @Tom-Elliott
                As I installed, uninstalled and reinstalled the FOG client, is it possible that Windows kept the first credential, the first one I used, with an apostrophe in the password,
                while FOG shows (http://192.168.39.243/fog/service/hostname.php?mac=00:21:85:71:bd:8e) the good samba administrator?

                • P
                  plegrand
                  last edited by plegrand Oct 1, 2015, 8:56 AM Oct 1, 2015, 2:54 PM

                  Hmmm… maybe it’s important: I’m making this test on a Windows XP machine.
                  Do I have to use the legacy client for Windows XP, or should it also work with the new client?
                  Maybe the new client uses PowerShell for domain integration?

                  • J
                    Joe Schmitt Senior Developer
                    last edited by Oct 1, 2015, 3:00 PM

                    @plegrand The error you reported in your last log “Invalid security token” is because you re-installed the client. You have to click “Reset Encryption Data” for the host on the web portal whenever you do that.

                    Now then as for Samba. The most likely reason this only occurs for the new client is because the server can’t properly parse your ’ character. Here is why: The new client does on-the-fly encryption, meaning the server encrypts the AD password with a special encryption key only the client knows and sends it to the client. With the legacy client, you were giving the server the FOGCrypt’d password, which from a plain text perspective did not contain a ’ . More than likely it is because the server is stripping out the ’ , and nothing to do with the client. Every release the client is tested against multiple AD scenarios, and LDAP scenarios. In addition, it is XP compatible.

                    I will try and confirm this shortly.

                    • J
                      Joe Schmitt Senior Developer
                      last edited by Joe Schmitt Oct 1, 2015, 9:20 AM Oct 1, 2015, 3:19 PM

                      Confirmed. The server is replacing ’ with &#39. This is now in @Tom-Elliott’s domain.

                      • P
                        plegrand @Joe Schmitt
                        last edited by Oct 1, 2015, 3:20 PM

                        @Jbob I made all my tests with a password without an apostrophe " ’ ".
                        domain : samba_domain
                        domain admin : admin_samba
                        password domain admin : password
                        and then with this configuration :
                        It works with the classic manual method
                        It works with the netdom command line
                        It works with the legacy client
                        It does not work with the new client
                        Thanks for your help

                        • J
                          Joe Schmitt Senior Developer
                          last edited by Oct 1, 2015, 3:21 PM

                          As I previously stated, according to your log it’s because the client couldn’t authenticate. You have to press “Reset Encryption Data”.

                          • P
                            plegrand @Joe Schmitt
                            last edited by Oct 1, 2015, 4:28 PM

                            @Jbob I already did that. It was because I uninstalled the legacy client and reinstalled the new client.
                            Then I pressed “Reset Encryption Data”.
                            But after that the problem is still there.
                            I can’t join the domain with the new client.

                            • J
                              Joe Schmitt Senior Developer
                              last edited by Oct 1, 2015, 5:24 PM

                              @plegrand said:

                              I cant join domain with new client

                              Can you upload the log for that client?

                              • T
                                Tom Elliott
                                last edited by Oct 1, 2015, 6:00 PM

                                Also, can you update again, only this time, also re-enter the password in the ADPass field and/or fields.

                                • P
                                  plegrand
                                  last edited by plegrand Oct 1, 2015, 12:22 PM Oct 1, 2015, 6:21 PM

                                  @Jbob You mean the c:\fog.log?
                                  I’ll send it to you tomorrow and I’ll try to be clear in my explanation 😉

                                  @Tom-Elliott I’ll update tomorrow to give it a try

                                  • T
                                    Tom Elliott @Joe Schmitt
                                    last edited by Oct 1, 2015, 6:59 PM

                                    @Jbob As you and I have verified in browser (with the context printing properly) the values appear to be fixed. However, you will have to update the stored value in the database. There is a possibility this will be unneeded, but I say better to be sure than just try.

                                    • P
                                      plegrand
                                      last edited by Oct 2, 2015, 7:05 AM

                                      Here are all my tests (netdom, legacy client, new client with log files).
                                      As it’s a little long, I made a PDF document:
                                      http://plegrand1.free.fr/Test_Samba_Domain.pdf

                                      • P
                                        plegrand
                                        last edited by Joe Schmitt Oct 2, 2015, 8:59 AM Oct 2, 2015, 9:07 AM

                                        I discovered something interesting.
                                        There is a file which logs each domain join attempt:
                                        c:\windows\debug\NetSetup.LOG

                                        Here is this file with the two tests (legacy and new client)

                                        NetSetup.LOG with the NEW client (which failed)

                                        10/02 10:18:24 -----------------------------------------------------------------
                                        10/02 10:18:24 NetpDoDomainJoin
                                        10/02 10:18:24 NetpMachineValidToJoin: 'gim-127-13'
                                        10/02 10:18:24 NetpGetLsaPrimaryDomain: status: 0x0
                                        10/02 10:18:24 NetpMachineValidToJoin: status: 0x0
                                        10/02 10:18:24 NetpJoinDomain
                                        10/02 10:18:24 	Machine: gim-127-13
                                        10/02 10:18:24 	Domain: samba_domain
                                        10/02 10:18:24 	MachineAccountOU: 
                                        10/02 10:18:24 	Account: samba_domain\admin_samba
                                        10/02 10:18:24 	Options: 0x3
                                        10/02 10:18:24 	OS Version: 5.1
                                        10/02 10:18:24 	Build number: 2600
                                        10/02 10:18:24 	ServicePack: Service Pack 3
                                        10/02 10:18:24 NetpValidateName: checking to see if 'samba_domain' is valid as type 3 name
                                        10/02 10:18:24 NetpValidateName:  'samba_domain' is not a valid Dns domain name: 0x2554
                                        10/02 10:18:25 NetpCheckDomainNameIsValid [ Exists ] for 'samba_domain' returned 0x0
                                        10/02 10:18:25 NetpValidateName: name 'samba_domain' is valid for type 3
                                        10/02 10:18:25 NetpDsGetDcName: trying to find DC in domain 'samba_domain', flags: 0x1020
                                        10/02 10:18:25 NetpDsGetDcName: found DC '\\SAMBA' in the specified domain
                                        10/02 10:18:25 NetpJoinDomain: status of connecting to dc '\\SAMBA': 0x0
                                        10/02 10:18:25 NetpJoinDomain: OU is specified but couldn't get NT5 DC
                                        10/02 10:18:25 NetpJoinDomain: status of disconnecting from '\\SAMBA': 0x0
                                        10/02 10:18:25 NetpDoDomainJoin: status: 0x54b
                                        10/02 10:19:26 -----------------------------------------------------------------
                                        

                                        NetSetup.LOG with the LEGACY client (which works fine)

                                        10/02 10:50:12 -----------------------------------------------------------------
                                        10/02 10:50:12 NetpDoDomainJoin
                                        10/02 10:50:12 NetpMachineValidToJoin: 'gim-127-13'
                                        10/02 10:50:12 NetpGetLsaPrimaryDomain: status: 0x0
                                        10/02 10:50:12 NetpMachineValidToJoin: status: 0x0
                                        10/02 10:50:12 NetpJoinDomain
                                        10/02 10:50:12 	Machine: gim-127-13
                                        10/02 10:50:12 	Domain: samba_domain
                                        10/02 10:50:12 	MachineAccountOU: (NULL)
                                        10/02 10:50:12 	Account: samba_domain\admin_samba
                                        10/02 10:50:12 	Options: 0x3
                                        10/02 10:50:12 	OS Version: 5.1
                                        10/02 10:50:12 	Build number: 2600
                                        10/02 10:50:12 	ServicePack: Service Pack 3
                                        10/02 10:50:12 NetpValidateName: checking to see if 'samba_domain' is valid as type 3 name
                                        10/02 10:50:12 NetpValidateName:  'samba_domain' is not a valid Dns domain name: 0x2554
                                        10/02 10:50:12 NetpCheckDomainNameIsValid [ Exists ] for 'samba_domain' returned 0x0
                                        10/02 10:50:12 NetpValidateName: name 'samba_domain' is valid for type 3
                                        10/02 10:50:12 NetpDsGetDcName: trying to find DC in domain 'samba_domain', flags: 0x1020
                                        10/02 10:50:20 NetpDsGetDcName: found DC '\\SAMBA' in the specified domain
                                        10/02 10:50:20 NetpJoinDomain: status of connecting to dc '\\SAMBA': 0x0
                                        10/02 10:50:20 NetpGetLsaPrimaryDomain: status: 0x0
                                        10/02 10:50:20 NetpGetNt4RefusePasswordChangeStatus: trying to read from '\\SAMBA'
                                        10/02 10:50:20 NetpGetNt4RefusePasswordChangeStatus: RefusePasswordChange == 0
                                        10/02 10:50:20 NetpLsaOpenSecret: status: 0xc0000034
                                        10/02 10:50:21 NetpManageMachineAccountWithSid: NetUserAdd on '\\SAMBA' for 'GIM-127-13$' failed: 0x8b0
                                        10/02 10:50:21 NetpManageMachineAccountWithSid: status of attempting to set password on '\\SAMBA' for 'GIM-127-13$': 0x0
                                        10/02 10:50:21 NetpJoinDomain: status of creating account: 0x0
                                        10/02 10:50:21 NetpGetLsaPrimaryDomain: status: 0x0
                                        10/02 10:50:21 NetpSetLsaPrimaryDomain: for 'SAMBA_DOMAIN' status: 0x0
                                        10/02 10:50:21 NetpJoinDomain: status of setting LSA pri. domain: 0x0
                                        10/02 10:50:21 NetpJoinDomain: status of managing local groups: 0x0
                                        10/02 10:50:21 NetpJoinDomain: status of setting netlogon cache: 0x0
                                        10/02 10:50:22 NetpJoinDomain: status of clearing ComputerNamePhysicalDnsDomain: 0x0
                                        10/02 10:50:22 NetpUpdateW32timeConfig: 0x0
                                        10/02 10:50:22 NetpJoinDomain: status of disconnecting from '\\SAMBA': 0x0
                                        10/02 10:50:22 NetpDoDomainJoin: status: 0x0
                                        10/02 10:53:12 -----------------------------------------------------------------
                                        10/02 10:53:12 NetpDoDomainJoin
                                        10/02 10:53:12 NetpMachineValidToJoin: 'gim-127-13'
                                        10/02 10:53:12 NetpGetLsaPrimaryDomain: status: 0x0
                                        10/02 10:53:12 NetpMachineValidToJoin: the specified machine is already joined to 'SAMBA_DOMAIN'!
                                        10/02 10:53:12 NetpMachineValidToJoin: status: 0xa83
                                        10/02 10:53:12 NetpDoDomainJoin: status: 0xa83
                                        

                                        Maybe it could help to find the problem

                                        • S
                                          Sebastian Roth Moderator
                                          last edited by Oct 2, 2015, 9:46 AM

                                          Well that’s an interesting catch. The difference I see is that the output from the old client says MachineAccountOU: (NULL) whereas the output from the new client seems to be empty but not NULL. Later on it fails with NetpJoinDomain: OU is specified but couldn’t get NT5 DC
                                          @Jbob Can you think of why this is different? You know the client source code a lot better than I do! Maybe OU is sent as empty string (“”) instead of NULL in the new client.

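The comparison made in the post above (an empty MachineAccountOU value in the failing attempt versus (NULL) in the working one) can be automated when triaging NetSetup.LOG files from several machines. The Python below is an added example, not code from the thread or from the FOG project: the function names parse_attempts and diagnose are hypothetical, the sample log is constructed by abridging the excerpts posted above, and the status names are the standard Win32/NetAPI names for those codes.

```python
import re

# Constructed sample, abridged from the NetSetup.LOG excerpts posted in the thread.
SAMPLE_LOG = "\n".join([
    "10/02 10:18:24 NetpDoDomainJoin",
    "10/02 10:18:24 NetpJoinDomain",
    "10/02 10:18:24 \tDomain: samba_domain",
    "10/02 10:18:24 \tMachineAccountOU: ",
    "10/02 10:18:24 \tAccount: samba_domain\\admin_samba",
    "10/02 10:18:25 NetpJoinDomain: OU is specified but couldn't get NT5 DC",
    "10/02 10:18:25 NetpDoDomainJoin: status: 0x54b",
    "10/02 10:50:12 NetpDoDomainJoin",
    "10/02 10:50:12 NetpJoinDomain",
    "10/02 10:50:12 \tDomain: samba_domain",
    "10/02 10:50:12 \tMachineAccountOU: (NULL)",
    "10/02 10:50:12 \tAccount: samba_domain\\admin_samba",
    "10/02 10:50:22 NetpDoDomainJoin: status: 0x0",
    "10/02 10:53:12 NetpDoDomainJoin",
    "10/02 10:53:12 NetpDoDomainJoin: status: 0xa83",
])

LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) (.*)$")
PARAM = re.compile(r"^\s*(Machine|Domain|MachineAccountOU|Account):\s?(.*)$")
FINAL = re.compile(r"^NetpDoDomainJoin: status: (0x[0-9a-fA-F]+)\s*$")

# Win32 / NetAPI names for the final status codes that appear in the thread.
STATUS_NAMES = {
    0x0: "success",
    0x54B: "ERROR_NO_SUCH_DOMAIN",
    0xA83: "NERR_SetupAlreadyJoined",
}


def parse_attempts(text):
    """Split a NetSetup.LOG into join attempts, one per 'NetpDoDomainJoin' entry."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.groups()
        if msg.strip() == "NetpDoDomainJoin":
            cur = {"start": ts, "params": {}, "status": None}
            attempts.append(cur)
        elif cur is not None:
            p, f = PARAM.match(msg), FINAL.match(msg)
            if p:
                value = p.group(2).strip()
                # "(NULL)" means no OU was passed; "" means an empty string was passed.
                cur["params"][p.group(1)] = None if value == "(NULL)" else value
            elif f:
                cur["status"] = int(f.group(1), 16)
    return attempts


def diagnose(attempt):
    """Return findings for one attempt; 'empty-ou' is the pattern noticed in the thread."""
    findings = []
    if attempt["params"].get("MachineAccountOU") == "":
        findings.append("empty-ou")
    if attempt["status"] not in (0x0, None):
        name = STATUS_NAMES.get(attempt["status"], "unknown")
        findings.append("failed:0x%x:%s" % (attempt["status"], name))
    return findings


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a["start"], a["params"].get("Account"), diagnose(a))
```
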
                                          Copyright © 2012-2024 FOG Project