Samba 2.2, Domain 2003 and big problems

May 2nd, 2008

This week, for some reason, almost all of our Samba 2.2.7 AIX servers stopped working. We have a domain with 2003R2 domain controllers, and all our attempts to join these Samba servers to the domain gave us:

server:/> smbpasswd -j SCC_NT -U Administrator
Password:
Error connecting to DC - NT_STATUS_ACCESS_DENIED
Unable to join domain DOMAIN

After a couple of fights with our System Engineering department and intensive googling, I’ve found a solution. The original post can be found here:

http://lists.samba.org/archive/samba/2003-May/066356.html

I just changed the registry value on one of our domain controllers and specified it in the smbpasswd command:

server:/> smbpasswd -j SCC_NT -U Administrator -r DC2
Password:
Joined domain DOMAIN.

Hooray! Our engineers promised me they would upgrade Samba to 3.0 there soon (this is another solution for this problem), but on AIX 5.1 for some reason Samba 3.0 doesn’t work properly.

Here is the mirror of this great knowledge from the link above :)

> So, W2K doesn’t need SMB-packets signatures and we have no problems, but we
> want it to work with Windows 2003. What’s the difference between Windows 2000
> and Windows 2003 when it comes to security signatures of SMB-packets?

By default, a Windows Server 2003 requires signature of SMB packets (at least, a Windows Server 2003 DC).

> Can we disable signatures in Windows 2003 Server or do we have to make
> some changes in Red Hat/Samba? Is there another way to get around this
> problem?

Yes, you can look for the following security option

Microsoft network server: Digitally sign communications (always) :

and set it to Disabled, instead of Enabled.

This security option modifies the following registry value:

Key: HKLM\SYSTEM\CCS\Service\lanmanserver\parameters\
Value: RequireSecuritySignature
Content: 0 to disable, 1 to enable

If you don’t want to reboot after that change, you can stop the srv.sys driver and services that depend on it using the following command:

C:\>net stop srv

Then, you can restart it, as well as the services that depend on it (in particular, netlogon)

C:\>net start srv

Jean-Baptiste Marchand
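An added example, not part of the original post or the quoted mailing-list reply: a PowerShell check that reads the signing values back from each domain controller, so a DC left with RequireSecuritySignature at 0 for the Samba 2.2 join can be found and set back once the Samba servers are upgraded. The host list (DC2 is the name used in the post), the function name and the EnableSecuritySignature value are assumptions not taken from the page, and the key is written with its full CurrentControlSet\Services path.

```powershell
param([string[]]$Computers = @('DC2'))   # assumed list; DC2 is the host named in the post

# Full path of the key the quoted reply abbreviates as HKLM\SYSTEM\CCS\...
$SubKey = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbSigningPolicy {           # hypothetical helper name
    param([string]$Computer)
    $result = New-Object PSObject -Property @{
        Computer = $Computer; RequireSecuritySignature = $null
        EnableSecuritySignature = $null; Status = 'Unknown'
    }
    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = $null
    try {
        # Needs the Remote Registry service and admin rights on the target
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Computer)
        $key = $base.OpenSubKey($SubKey)
        if ($null -eq $key) { throw "parameters key not found" }
        # GetValue returns $null when the value is absent
        $result.RequireSecuritySignature = $key.GetValue('RequireSecuritySignature')
        $result.EnableSecuritySignature  = $key.GetValue('EnableSecuritySignature')
        $key.Close()
        if ($null -eq $result.RequireSecuritySignature) {
            $result.Status = 'Value not set'
        } elseif ($result.RequireSecuritySignature -eq 1) {
            $result.Status = 'Signing required'
        } else {
            $result.Status = 'SIGNING NOT REQUIRED'
        }
    } catch {
        # Unreachable host, access denied, or missing key all land here
        $result.Status = "Query failed: $($_.Exception.Message)"
    } finally {
        if ($null -ne $base) { $base.Close() }
    }
    $result
}

$Computers | ForEach-Object { Get-SmbSigningPolicy $_ } |
    Select-Object Computer, RequireSecuritySignature, EnableSecuritySignature, Status |
    Format-Table -AutoSize
```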

How to remove 1000 inactive computer records from Active Directory?

April 18th, 2008

Today I got a request from our MIS staff to remove about 1000 computer records from AD. Of course, some script was needed. Here is a 5-minute solution (use with caution!):

Add-PSSnapin Quest.ActiveRoles.ADManagement
  • Run this:
gc C:\scripts\targets.txt | % { Get-QADComputer -name $_ } | % { Remove-QADObject -force $_.DN }

And one more time - use with extreme caution. Be sure you are removing exactly what you need.

Discovery channel from my window

February 28th, 2008

This is one of my old videos (filmed circa 2004-2005), shot on my old camcorder. It was made through the window with a screen and heavily encoded, so it kinda sucks. But it is rare - I never saw something like this before.

First post

February 18th, 2008

It is like a good tradition to write the first post in a brand new blog. It’s like putting the first note in a brand new moleskine. I spent almost a day before writing something in it.

Right now it is almost 10 minutes after this blog’s creation, so here it is - first scratch :)