samba - Nov 2012 - problems with windows 2000 terminal server in AD with samba4rc5 (on Ubuntu 12.04.1 64bit) DC

Dear all,

after upgrading an existing NT4 domain, via "injecting" a samba3 LDAP
BDC to vampire security database, classicupgrade with samba-tool ...
everything seems to work like expecting, except the mentioned windows
2000 terminal server, see excerpt from log.samba file:

...
[2012/11/18 13:09:26,  0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2012/11/18 14:56:10,  0]
../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error
in module acl: insufficient access rights (50)
[2012/11/18 14:56:19,  0]
../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/11/18 15:04:41,  0]
../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/11/18 15:07:05,  0]
../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error
in module acl: Constraint violation (19)
[2012/11/18 15:59:47,  0]
../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
  ../source4/rpc_server/handles.c:102: Attempt to use invalid sid
S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
[2012/11/18 15:59:47,  0]
../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
  ../source4/rpc_server/handles.c:102: Attempt to use invalid sid
S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
[2012/11/18 15:59:47,  0]
../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
...

also failed to update dns entry:
Nov 18 17:52:56 sambadc named[752]: client 192.168.12.34#57038:
request has invalid signature: TSIG 1236950581266-2
(w2000\$\@XXX.LAN): tsig verify failure (BADSIG)

I would suggest that it has something todo with the default setting of
RequireSignOrSeal or RequireStrongKey which defaults to 0 in windows
2000 afaik, but I'm not sure. Any other suggestions ?

thanks
odi

Dear all,

after upgrading an existing NT4 domain, via "injecting" a samba3 LDAP
BDC to vampire security database, classicupgrade with samba-tool ...
everything seems to work like expecting, except the mentioned windows
2000 terminal server, see excerpt from log.samba file:

...
[2012/11/18 13:09:26,  0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2012/11/18 14:56:10,  0]
../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error
in module acl: insufficient access rights (50)
[2012/11/18 14:56:19,  0]
../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/11/18 15:04:41,  0]
../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/11/18 15:07:05,  0]
../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error
in module acl: Constraint violation (19)
[2012/11/18 15:59:47,  0]
../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
  ../source4/rpc_server/handles.c:102: Attempt to use invalid sid
S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
[2012/11/18 15:59:47,  0]
../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
  ../source4/rpc_server/handles.c:102: Attempt to use invalid sid
S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
[2012/11/18 15:59:47,  0]
../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
...

also failed to update dns entry:
Nov 18 17:52:56 sambadc named[752]: client 192.168.12.34#57038:
request has invalid signature: TSIG 1236950581266-2
(w2000\$\@XXX.LAN): tsig verify failure (BADSIG)

I would suggest that it has something todo with the default setting of
RequireSignOrSeal or RequireStrongKey which defaults to 0 in windows
2000 afaik, but I'm not sure. Any other suggestions ?

thanks
odi