Unable to authenticate/ join workstations to working Samba domain with domain in lowercase, need to type domain in uppercase/ capital letters
Posted by rbTech Staff, Last modified by rbTech Staff on 13 March 2014 10:46 AM
Here at rbTech, we have a Samba 3.x (at the time of this writing Samba 3.6.9) domain on CentOS6.x and with tdbsam backend. The domain has been set up and working for well north of a decade. We regularly update and upgrade, and the Samba config file gets parsed through with each update. The domain has been working just fine for years, with regular updates and very occasional config file tweaks.
We ran into an issue recently that still has me scratching my head, as we haven't seen it on any of the (many) other sites that we use Samba on: In brief, it seems like Samba suddenly got case sensitive about authenticating users with the workgroup/ Domain name that was being sent from client systems, regardless of client platform.
The issue appeared when we tried to (re) join a machine to the domain recently. After many iterations of checking/ resetting passwords and the like we gave up, thinking it was an issue with the machine that had been perhaps improperly un-joined from the domain. We scheduled a time to reformat and reload the system and left it alone. The error it kept throwing was the standard "I don’t know what you’re trying to do, but you’re doing it wrong":
The next symptom was when a raft of new systems came in and we began setting them up on the network. The new systems were also unable to successfully join the domain, with the same error.
In what I initially thought was an unrelated issue, we noticed that our drive mappings were not working on our Openfiler appliance: Our domain credentials were no longer accepted on the appliance that is joined to our same domain. If the mapped drive was disconnected, it prompted for user credentials on reconnect (and the username and password were rejected).
After significant head bashing and going through our smb.conf with a fine toothed comb (again), I tried 'one last' thing: I typed the domain name into the workstation I was trying to join up all
So I went to another system that wouldn’t join the domain and tried the same test. Same result, joined right up, no problem.
Ok, so I figured there must be a new service pack or hotfix from Microsoft that affected how the workstations send the domain name.
Then I tried an experiment on the Openfiler – I tried to access the share using openfiler as the domain (using my domain login and domain password that I had just changed). And I got in. There went my attempt to pin the blame Microsoft – between the Openfiler and Samba box, there’s no opportunity for a Windows update to have any effect whatsoever. This is a Samba issue.
So then I logged in to the Openfiler admin page, and in the Authentication page, I noticed that the domain under the "Use Windows domain controller and authentication" section was also lowercase.
I hope this overlong missive helps someone save the few hours of bashing around that it took me to figure this one out – I was stumped and I still cannot find any traffic on the Interwebs that describes this behavior.
Good luck and happy hacking!