Ghost Solution Suite

When configuring machines to be part of a domain, the task fails when joining the machine to the domain. In the logs on the SMB server, the join is being attempted with the user "GhostJoinDomainUser" and not the user specified in the supported domains dialog. The task does use the correct username/password combination for removing the machine from the domain, adding the machine to the domain, but not for joining the domain.

This has been an issue for quite some time (years, if you search google).

I have discovered that "GhostJoinDomainUser" is hard-coded into both ngserver.exe and ngctw32.exe. It is in fact ngctw32.exe that is sending "GhostJoinDomainUser" to the server. I discovered this by modifying the exe with a different account name. It seems that the value is in unicode, and that there is another unicode string following the username. Unfortunately, the other string did not work as a password, so I'm stuck.

Regardless, even if the password had've worked, this definitely appears to be a bug.

I'm having the same problem with the "GhostJoinDomainUser" failing to join machine to domain. The console creates the account, moves it to a specified OU if needed. Just fails the final step of adding it to domain due to security failure.

Message Edited by David Bingle on 05-09-200709:39 PM

So, the console creates GhostJoinDomainUser in the domain? And the client has a hard-coded user name and password (of an account authorized to join a domain) embedded in the executable? Is that right? And that is done to avoid the security risk of sending admin credentials to the client?

The DC is Samba, but I was recently contacted by someone using a Windows Server that was seeing the same thing in the logs.

Ok. I'm not sure where or how that user is "temporarily created and deleted". Can you please confirm that the following is what is (supposed to be?) happening?

1. Console uses provided domain admin to remove machine account ("Leave domain" in task log).
2. Console uses provided domain admin to create machine account.
3. Console uses provided domain admin to create temporary account "GhostJoinDomainUser". (note: There's no evidence in the server logs of this happening.)
4. Client uses "GhostJoinDomainUser" to join machine to domain. (note: There IS evidence in the server logs that this is being attempted, but the user doesn't exist.)
   
5. Console uses provided domain admin to remove temporary account "GhostJoinDomainUser".

There are other things that go on during the task, but are not directly related to domain activity.

I'm not seeing evidence in the logs that the domain admin is trying to create that temporary user, but I definitely do see in the logs that GhostJoinDomainUser is attempting to authenticate.

Message Edited by Tanclearas on 05-10-200709:59 AM

Message Edited by Tanclearas on 05-10-200710:00 AM

I have a Windows 2003 AD Domain.

Tanclearas, did you have these problems with GSS 1.1? If not I was thinking of rolling back from GSS 2.1.

I've had this problem for a long time, and it was a problem with GSS 1, yes. I had just learned to live with it and use netdom.exe to accomplish what I need.

Kyle

---

Tanclearas wrote:

1. Console uses provided domain admin to remove machine account ("Leave domain" in task log).
2. Console uses provided domain admin to create machine account.
3. Console uses provided domain admin to create temporary account "GhostJoinDomainUser". (note: There's no evidence in the server logs of this happening.)
4. Client uses "GhostJoinDomainUser" to join machine to domain. (note: There IS evidence in the server logs that this is being attempted, but the user doesn't exist.)
   
5. Console uses provided domain admin to remove temporary account "GhostJoinDomainUser".

[...]I'm not seeing evidence in the logs that the domain admin is trying to create that temporary user, but I definitely do see in the logs that GhostJoinDomainUser is attempting to authenticate.

---

For "1", leaving the domain is done by the client machine itself. It simply unjoins without deleting the old account; clients machines have the privilege to do this on their own account.

For "2", the service on the console machine uses its own account on the domain (created when you added the domain to the list of supported domains - you supply admin privileges then to it can create a much lower-privilege account for its later use). This lower-privilege account is just a normal user with just the "Add machines to domain" right and write permissions to the "Computers" container so it can create machine accounts.

For "3", when the client service on the client machine actually gets to complete its part of the join operation, it creates a LOCAL admin user called GhostJoinDomainUser. As Krish said, that's to work around a problem in the NetJoinDomain API; in Windows 2000 there are some undocumented faults in the implementation of this API that mean it often fails in service contexts. The client service is a service, so it has administrative powers on the local machine to create this temporary local account on the machine being joined.

For "4" then, the service does a temporary login of that local user it creats in step "3", impersonates them, and calls the NetJoinDomain API supplying the credentials of the machine account on the domain that the console service precreated for it in step "2".

For "5", the client service then cleans up this temporary local account it created on the client machine (again, it implicitly has privilege to do this because it's a service running as LocalSystem).

All the things that happen during the actual join operation in step "4" are performed by that API call (Microsoft will not document the internal operation of it, and insist very firmly that we join Windows 2000 and later machine to domains by calling that API).

In order to diagnose why your server is complaining, you need to provide the logfile from C:\Windows\Debug\NetSetup.LOG on the affected client machine, just as Krish asked for. This file is maintained by the Microsoft code that we're calling so we can try and figure out what on earth it actually going wrong.

Clearly the NetJoinDomain API is passing the DC the credentials for the temporary local account instead of the credentials we specifically told it to use, but since we've never see this happen there may be some diagnostic messaging in the logfile that can help us work out why it's making this choice.

Thank you for that detailed reply!

Here are the lines from the log.

05/10 12:46:10 -----------------------------------------------------------------
05/10 12:46:10 NetpDoDomainJoin
05/10 12:46:10 NetpMachineValidToJoin: 'FOEH-W14002'
05/10 12:46:10 NetpGetLsaPrimaryDomain: status: 0x0
05/10 12:46:10 NetpMachineValidToJoin: status: 0x0
05/10 12:46:10 NetpJoinDomain
05/10 12:46:10  Machine: FOEH-W14002
05/10 12:46:10  Domain: FOED
05/10 12:46:10  MachineAccountOU: (NULL)
05/10 12:46:10  Account: (NULL)
05/10 12:46:10  Options: 0xc1
05/10 12:46:10  OS Version: 5.1
05/10 12:46:10  Build number: 2600
05/10 12:46:10  ServicePack: Service Pack 2
05/10 12:46:10 NetpValidateName: checking to see if 'FOED' is valid as type 3 name
05/10 12:46:10 NetpCheckDomainNameIsValid [ Exists ] for 'FOED' returned 0x0
05/10 12:46:10 NetpValidateName: name 'FOED' is valid for type 3
05/10 12:46:10 NetpDsGetDcName: trying to find DC in domain 'FOED', flags: 0x1020
05/10 12:46:18 NetpDsGetDcName: found DC '\\LOCKE' in the specified domain
05/10 12:46:18 NetUseAdd to \\LOCKE\IPC$ returned 1326
05/10 12:46:18 Trying add to  \\LOCKE\IPC$ using NULL Session
05/10 12:46:18 NetpJoinDomain: status of connecting to dc '\\LOCKE': 0x0
05/10 12:46:18 NetpGetLsaPrimaryDomain: status: 0x0
05/10 12:46:18 NetpLsaOpenSecret: status: 0xc0000034
05/10 12:46:18 Failed to validate machine account for FOEH-W14002 against \\LOCKE: 0xc000006d
05/10 12:46:18 NetpJoinDomain: w9x: status of validating account: 0x52e
05/10 12:46:18 NetpJoinDomain: initiaing a rollback due to earlier errors
05/10 12:46:18 NetpLsaOpenSecret: status: 0x0
05/10 12:46:19 NetpJoinDomain: rollback: status of deleting secret: 0x0
05/10 12:46:19 NetpJoinDomain: status of disconnecting from '\\LOCKE': 0x0
05/10 12:46:19 NetpDoDomainJoin: status: 0x52e
05/10 12:51:38 -----------------------------------------------------------------
05/10 12:51:38 NetpDoDomainJoin
05/10 12:51:38 NetpMachineValidToJoin: 'FOEH-W14002'
05/10 12:51:38 NetpGetLsaPrimaryDomain: status: 0x0
05/10 12:51:38 NetpMachineValidToJoin: status: 0x0
05/10 12:51:38 NetpJoinDomain
05/10 12:51:38  Machine: FOEH-W14002
05/10 12:51:38  Domain: FOED
05/10 12:51:38  MachineAccountOU: (NULL)
05/10 12:51:38  Account: (NULL)
05/10 12:51:38  Options: 0xc1
05/10 12:51:38  OS Version: 5.1
05/10 12:51:38  Build number: 2600
05/10 12:51:38  ServicePack: Service Pack 2
05/10 12:51:38 NetpValidateName: checking to see if 'FOED' is valid as type 3 name
05/10 12:51:38 NetpCheckDomainNameIsValid [ Exists ] for 'FOED' returned 0x0
05/10 12:51:38 NetpValidateName: name 'FOED' is valid for type 3
05/10 12:51:38 NetpDsGetDcName: trying to find DC in domain 'FOED', flags: 0x1020
05/10 12:51:46 NetpDsGetDcName: found DC '\\LOCKE' in the specified domain
05/10 12:51:46 NetUseAdd to \\LOCKE\IPC$ returned 1326
05/10 12:51:46 Trying add to  \\LOCKE\IPC$ using NULL Session
05/10 12:51:46 NetpJoinDomain: status of connecting to dc '\\LOCKE': 0x0
05/10 12:51:46 NetpGetLsaPrimaryDomain: status: 0x0
05/10 12:51:46 NetpLsaOpenSecret: status: 0xc0000034
05/10 12:51:46 Failed to validate machine account for FOEH-W14002 against \\LOCKE: 0xc000006d
05/10 12:51:46 NetpJoinDomain: w9x: status of validating account: 0x52e
05/10 12:51:46 NetpJoinDomain: initiaing a rollback due to earlier errors
05/10 12:51:46 NetpLsaOpenSecret: status: 0x0
05/10 12:51:46 NetpJoinDomain: rollback: status of deleting secret: 0x0
05/10 12:51:46 NetpJoinDomain: status of disconnecting from '\\LOCKE': 0x0
05/10 12:51:46 NetpDoDomainJoin: status: 0x52e
05/10 12:55:41 -----------------------------------------------------------------
05/10 12:55:41 NetpDoDomainJoin
05/10 12:55:41 NetpMachineValidToJoin: 'FOEH-W14002'
05/10 12:55:41 NetpGetLsaPrimaryDomain: status: 0x0
05/10 12:55:41 NetpMachineValidToJoin: status: 0x0
05/10 12:55:41 NetpJoinDomain
05/10 12:55:41  Machine: FOEH-W14002
05/10 12:55:41  Domain: FOED
05/10 12:55:41  MachineAccountOU: (NULL)
05/10 12:55:41  Account: (NULL)
05/10 12:55:41  Options: 0xc1
05/10 12:55:41  OS Version: 5.1
05/10 12:55:41  Build number: 2600
05/10 12:55:41  ServicePack: Service Pack 2
05/10 12:55:41 NetpValidateName: checking to see if 'FOED' is valid as type 3 name
05/10 12:55:41 NetpCheckDomainNameIsValid [ Exists ] for 'FOED' returned 0x0
05/10 12:55:41 NetpValidateName: name 'FOED' is valid for type 3
05/10 12:55:41 NetpDsGetDcName: trying to find DC in domain 'FOED', flags: 0x1020
05/10 12:55:49 NetpDsGetDcName: found DC '\\LOCKE' in the specified domain
05/10 12:55:49 NetUseAdd to \\LOCKE\IPC$ returned 1326
05/10 12:55:49 Trying add to  \\LOCKE\IPC$ using NULL Session
05/10 12:55:49 NetpJoinDomain: status of connecting to dc '\\LOCKE': 0x0
05/10 12:55:49 NetpGetLsaPrimaryDomain: status: 0x0
05/10 12:55:49 NetpLsaOpenSecret: status: 0xc0000034
05/10 12:55:49 Failed to validate machine account for FOEH-W14002 against \\LOCKE: 0xc000006d
05/10 12:55:49 NetpJoinDomain: w9x: status of validating account: 0x52e
05/10 12:55:49 NetpJoinDomain: initiaing a rollback due to earlier errors
05/10 12:55:49 NetpLsaOpenSecret: status: 0x0
05/10 12:55:49 NetpJoinDomain: rollback: status of deleting secret: 0x0
05/10 12:55:49 NetpJoinDomain: status of disconnecting from '\\LOCKE': 0x0

05/10 12:55:49 NetpDoDomainJoin: status: 0x52e

Thanks for the log.

---

05/10 12:46:18 NetUseAdd to \\LOCKE\IPC$ returned 1326
05/10 12:46:18 Trying add to \\LOCKE\IPC$ using NULL Session
05/10 12:46:18 NetpJoinDomain: status of connecting to dc '\\LOCKE': 0x0

---

What's happening here is that on the basis of what the NetJoinDomain API has found by probing the DNS and NetBIOS namespaces, it has decided that it's working against a downlevel (i.e., NT4) domain controller rather than an AD one. The above sequence of operations is part of the classic NT4 domain-join procedure, and because it uses classic SMB network it's probably inheriting some behaviour from some of the NT4 networking system.

In NT4 networking, for workgroups, in order to deal with the fact that every machine is a domain to itself what happens when making a connection to another machine is that it presents local-account credentials as if the current user's account exists in the target system. In NT4 workgroups, this means if you have an account with the same name and password on both machines, file sharing "works". This is almost certainly why you're seeing the "GhostJoinDomainUser" auth attempts against your domain, because when trying to set up the SMB-level connection to follow the NT4 path it's passing through code that implements this workgroup hack.

The question then is, why is this happening? For Windows domains, it shouldn't end up in this code path if it's not an NT4 domain.

The first thing is that the code in the NetJoinDomain API goes through different paths depending on whether the incoming domain name has a dot in it or not. So, if you can use a DNS-format name for the domain being joined, you should try that. Just by itself, that can completely alter how this API works, and may correct its behaviour.

The second thing to check is whether you do have the right DNS SRV records for your DC that satisfies this API, because there are a few of them under the _msdcs subdomain that need to be present (some background on this is here, or here, and the dcdiag tool can help test the DNS setup).

A third possibility is that if the DNS records are present, there are startup timing issues affecting whether the records are being found. That's complicated to diagnose, though, so check the first two first. The fact the NetBIOS side of things works suggests this isn't timing-related.

Samba is a completely different deal: I've not done any work with Samba as a DC working in conjunction with GSS to know whether there are any issues with it specifically. From a quick scan of the Samba3 docs, one does have to use the old NT4 joining procedure with Samba, but it seems that the code which does this in NetJoinDomain is interacting badly with the SMB session manager because of this temporary local account.

Probably we'll need to try and set up a Samba3 domain here to test this with, and then do some experimenting with different scenarios to see what we can work out. However, that will be something that requires management approval, which we'll have to look at getting next week. I'll try and have this discussion with them on our Monday and see what's going to be possible.

I've been trying to use netdom with the GSS console. What syntax are you using to join a computer to the domain using a task and netdom.exe?

Thanks,
~Dave

C:\WINDOWS\NETDOM.EXE JOIN %COMPUTERNAME% /DOMAIN:YOUR_DOMAIN /UserD:domain_admin_account /PasswordD:domain_admin_password /Reboot

Hi,

Are you sure it's not a problem with the machine account already existing on the domain?  are you using sysprep before this happens?  I had the problem when sysprep joined the machine to the domain then ghost tried to straight after, the error stated that it could not join due to a bad username or password.  I have managed to solve the problem by getting sysprep to join a workgoup instead.

See my post here https://forums.symantec.com/syment/board/message?board.id=109&message.id=6701

cheers,
Adam