I've set up Samba on Mac OS X to do pass through authentication to the nt domain in AD several times now. No big deal, it usually just works.

Now, however, it doesn't appear to be working. Note the relevant part of the transaction below (loglevel 4).

Steps to replicate:

  a) Add pre-Win2K account with AD Users and computers
  b) sudo smbpasswd -j EXAMPLE -r WINSERVER -U Administrator%passwd
     (happens successfully)
  c) in smb.conf:
       security = domain
       password server = WINSERVER

nmblookup works for WINSERVER.

[xserve:~] zinch% smbd -V
Version 2.2.3a
[xserve:~] zinch% sw_vers
ProductName: Mac OS X Server
ProductVersion: 10.2.3
BuildVersion: 6G30

transaction in log:

[2003/01/05 16:49:38, 3] /SourceCache/samba/samba-21/source/lib/util_sock.c:open_socket_out(830)
  Connecting to 192.168.1.2 at port 445
[2003/01/05 16:49:38, 4] /SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_req_chal(221)
  cli_net_req_chal: LSA Request Challenge from WINSERVER to XSERVE: 965B45EE4F419A71
[2003/01/05 16:49:38, 4] /SourceCache/samba/samba-21/source/libsmb/credentials.c:cred_session_key(60)
  cred_session_key
[2003/01/05 16:49:38, 4] /SourceCache/samba/samba-21/source/libsmb/credentials.c:cred_create(91)
  cred_create
[2003/01/05 16:49:38, 4] /SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_auth2(132)
  cli_net_auth2: srv:\\WINSERVER acct:XSERVE$ sc:2 mc: XSERVE chal B58AF439B186C221 neg: 1ff
[2003/01/05 16:49:38, 0] /SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/01/05 16:49:38, 0] /SourceCache/samba/samba-21/source/rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2003/01/05 16:49:38, 0] /SourceCache/samba/samba-21/source/smbd/password.c:connect_to_domain_password_server(1340)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine WINSERVER. Error was : NT_STATUS_OK.
[2003/01/05 16:49:38, 0] /SourceCache/samba/samba-21/source/smbd/password.c:domain_client_validate(1558)
  domain_client_validate: Domain password server not available.

nmblookup (snipped)

[xserve:~] root# nmblookup -d4 WINSERVER
<snip>
querying WINSERVER on 192.168.1.255
nmb packet from 192.168.1.2(137) header: id=7983 opcode=Query(0) response=Yes
    header: flags: bcast=No rec_avail=No rec_des=Yes trunc=No auth=Yes
    header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
    answers: nmb_name=WINSERVER<00> rr_type=32 rr_class=1 ttl=300000
    answers 0 char `..... hex 6000C0A80102
Got a positive name query response from 192.168.1.2 ( 192.168.1.2 )
192.168.1.2 WINSERVER<00>

I've done it this way (as far as I remember) 5-6 times- in addition to sending these directions to several folks who reported back success. Not sure what's different here.

--
http://www.4am-media.com    Mac OS X Consulting and Training
Michael Bartosh             mbartosh@4am-media.com
303.517.0272                Denver, CO

"The surest way to corrupt a youth is to instruct him to hold in higher regard those who think alike than those who think differently."
- -- Nietzsche
Think Different.

At 5:05 PM -0800 1/5/03, Michael Bartosh wrote:
>I've set up Samba on Mac OS X to do pass through authentication to
>the nt domain in AD several times now. No big deal, it usually just
>works.
>
>Now, however, it doesn't appear to be working. Note the relevant
>part of the transaction below (loglevel 4).
>
>Steps to replicate:
>
> a) Add pre-Win2K account with AD Users and computers
> b) sudo smbpasswd -j EXAMPLE -r WINSERVER -U Administrator%passwd
> (happens successfully)
> c) in smb.conf:
> security = domain
> password server = WINSERVER
>
>nmblookup works for WINSERVER.

ps (to answer a couple of off list questions)

I should also point out that there's no need for winbindd in this case since the system can lookup AD users via LDAP.

Again- this has always worked before- so I'm a little confused. The errors again (none of which seem to have much of an answer on google)

[2003/01/05 16:49:38, 3] /SourceCache/samba/samba-21/source/lib/util_sock.c:open_socket_out(830)
  Connecting to 192.168.1.2 at port 445
[2003/01/05 16:49:38, 4] /SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_req_chal(221)
  cli_net_req_chal: LSA Request Challenge from WINSERVER to XSERVE: 965B45EE4F419A71
[2003/01/05 16:49:38, 4] /SourceCache/samba/samba-21/source/libsmb/credentials.c:cred_session_key(60)
  cred_session_key
[2003/01/05 16:49:38, 4] /SourceCache/samba/samba-21/source/libsmb/credentials.c:cred_create(91)
  cred_create
[2003/01/05 16:49:38, 4] /SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_auth2(132)
  cli_net_auth2: srv:\\WINSERVER acct:XSERVE$ sc:2 mc: XSERVE chal B58AF439B186C221 neg: 1ff
[2003/01/05 16:49:38, 0] /SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/01/05 16:49:38, 0] /SourceCache/samba/samba-21/source/rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2003/01/05 16:49:38, 0] /SourceCache/samba/samba-21/source/smbd/password.c:connect_to_domain_password_server(1340)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine WINSERVER. Error was : NT_STATUS_OK.
[2003/01/05 16:49:38, 0] /SourceCache/samba/samba-21/source/smbd/password.c:domain_client_validate(1558)
  domain_client_validate: Domain password server not available.

--
http://www.4am-media.com    Mac OS X Consulting and Training
Michael Bartosh             mbartosh@4am-media.com
303.517.0272                Denver, CO

"The surest way to corrupt a youth is to instruct him to hold in higher regard those who think alike than those who think differently."
- -- Nietzsche
Think Different.
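
Added example (not part of the original posts, and not Samba's own code): a small parser for the debug-log header format shown in the messages above, used to pick out the earliest level-0 entry that carries a non-OK NT status. In this log that is the cli_net_auth2 failure, not the later "Error was : NT_STATUS_OK" line. The sample entries are copied from the post with source paths shortened, and the "earliest level-0 non-OK status" rule is a triage heuristic assumed here, not documented Samba behavior.

```python
import re

# Samba 2.2 debug header: "[timestamp, level] source_file:function(line)"
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)"
)
STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")

# Constructed sample: entries copied from the post, source paths shortened.
SAMPLE_LOG = r"""
[2003/01/05 16:49:38, 4] rpc_client/cli_netlogon.c:cli_net_auth2(132)
  cli_net_auth2: srv:\\WINSERVER acct:XSERVE$ sc:2 mc: XSERVE chal B58AF439B186C221 neg: 1ff
[2003/01/05 16:49:38, 0] rpc_client/cli_netlogon.c:cli_net_auth2(157)
  cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/01/05 16:49:38, 0] rpc_client/cli_login.c:cli_nt_setup_creds(74)
  cli_nt_setup_creds: auth2 challenge failed
[2003/01/05 16:49:38, 0] smbd/password.c:connect_to_domain_password_server(1340)
  connect_to_domain_password_server: unable to setup the PDC credentials to machine WINSERVER. Error was : NT_STATUS_OK.
"""


def parse_entries(text):
    """Split a log into entries; also works when line breaks were lost."""
    matches = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(matches):
        # An entry's message runs from its header to the next header.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries.append({
            "ts": m["ts"], "level": int(m["level"]), "func": m["func"],
            "msg": " ".join(text[m.end():end].split()),
        })
    return entries


def first_failure(entries):
    """Earliest level-0 entry with a non-OK NT status (triage heuristic)."""
    for e in entries:
        codes = [c for c in STATUS.findall(e["msg"]) if c != "NT_STATUS_OK"]
        if e["level"] == 0 and codes:
            return e["func"], codes[0]
    return None


if __name__ == "__main__":
    print(first_failure(parse_entries(SAMPLE_LOG)))
```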