samba - Jan 2003 - security = domain and Mac OS X

I've set up Samba on Mac OS X to do pass through authentication to 
the nt domain in AD several times now. No big deal, it usually just 
works.

Now, however, it doesn't appear to be working. Note the relevant part 
of the transaction below (loglevel 4).

Steps to replicate:

	a) Add pre-Win2K account with AD Users and computers
	b) sudo smbpasswd -j EXAMPLE -r WINSERVER -U Administrator%passwd
		(happens successfully)
	c) in smb.conf:
		security = domain
		password server = WINSERVER

nmblookup works for WINSERVER.

[xserve:~] zinch% smbd -V
Version 2.2.3a
[xserve:~] zinch% sw_vers
ProductName:    Mac OS X Server
ProductVersion: 10.2.3
BuildVersion:   6G30


transaction in log:

[2003/01/05 16:49:38, 3] 
/SourceCache/samba/samba-21/source/lib/util_sock.c:open_socket_out(830)
   Connecting to 192.168.1.2 at port 445
[2003/01/05 16:49:38, 4] 
/SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_req_chal(221)
   cli_net_req_chal: LSA Request Challenge from WINSERVER to XSERVE: 
965B45EE4F419A71
[2003/01/05 16:49:38, 4] 
/SourceCache/samba/samba-21/source/libsmb/credentials.c:cred_session_key(60)
   cred_session_key
[2003/01/05 16:49:38, 4] 
/SourceCache/samba/samba-21/source/libsmb/credentials.c:cred_create(91)
   cred_create
[2003/01/05 16:49:38, 4] 
/SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_auth2(132)
   cli_net_auth2: srv:\\WINSERVER acct:XSERVE$ sc:2 mc: XSERVE chal 
B58AF439B186C221 neg: 1ff
[2003/01/05 16:49:38, 0] 
/SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_auth2(157)
   cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/01/05 16:49:38, 0] 
/SourceCache/samba/samba-21/source/rpc_client/cli_login.c:cli_nt_setup_creds(74)
   cli_nt_setup_creds: auth2 challenge failed
[2003/01/05 16:49:38, 0] 
/SourceCache/samba/samba-21/source/smbd/password.c:connect_to_domain_password_server(1340)
   connect_to_domain_password_server: unable to setup the PDC 
credentials to machine WINSERVER. Error was : NT_STATUS_OK.
[2003/01/05 16:49:38, 0] 
/SourceCache/samba/samba-21/source/smbd/password.c:domain_client_validate(1558)
   domain_client_validate: Domain password server not available.


nmblookup (snipped)
[xserve:~] root# nmblookup -d4 WINSERVER
<snip>
querying WINSERVER on 192.168.1.255
nmb packet from 192.168.1.2(137) header: id=7983 opcode=Query(0) response=Yes
     header: flags: bcast=No rec_avail=No rec_des=Yes trunc=No auth=Yes
     header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
     answers: nmb_name=WINSERVER<00> rr_type=32 rr_class=1 ttl=300000
     answers   0 char `.....   hex 6000C0A80102
Got a positive name query response from 192.168.1.2 ( 192.168.1.2 )
192.168.1.2 WINSERVER<00>

I've done it this way (as far as I remember) 5-6 times- in addition 
to sending these directions to several folks who reported back 
success. Not sure what's different here.
-- 
http://www.4am-media.com
Mac OS X Consulting and Training
Michael Bartosh
mbartosh@4am-media.com
303.517.0272
Denver, CO


"The surest way to corrupt a youth is to instruct him to hold in higher
regard those who think alike than those who think differently."

- -- Nietzsche

			Think Different.

At 5:05 PM -0800 1/5/03, Michael Bartosh wrote:
>I've set up Samba on Mac OS X to do pass through authentication to 
>the nt domain in AD several times now. No big deal, it usually just 
>works.
>
>Now, however, it doesn't appear to be working. Note the relevant 
>part of the transaction below (loglevel 4).
>
>Steps to replicate:
>
>	a) Add pre-Win2K account with AD Users and computers
>	b) sudo smbpasswd -j EXAMPLE -r WINSERVER -U Administrator%passwd
>		(happens successfully)
>	c) in smb.conf:
>		security = domain
>		password server = WINSERVER
>
>nmblookup works for WINSERVER.
ps (to answer a couple of off list questions) I should also point out 
that there's no need for winbindd in this case since the system can 
lookup AD users via LDAP.

Again- this has always worked before- so I'm a little confused.

The errors again (none of which seem to have much of an answer on google)

[2003/01/05 16:49:38, 3]
/SourceCache/samba/samba-21/source/lib/util_sock.c:open_socket_out(830)
    Connecting to 192.168.1.2 at port 445
[2003/01/05 16:49:38, 4]
/SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_req_chal(221)
    cli_net_req_chal: LSA Request Challenge from WINSERVER to XSERVE:
965B45EE4F419A71
[2003/01/05 16:49:38, 4]
/SourceCache/samba/samba-21/source/libsmb/credentials.c:cred_session_key(60)
    cred_session_key
[2003/01/05 16:49:38, 4]
/SourceCache/samba/samba-21/source/libsmb/credentials.c:cred_create(91)
    cred_create
[2003/01/05 16:49:38, 4]
/SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_auth2(132)
    cli_net_auth2: srv:\\WINSERVER acct:XSERVE$ sc:2 mc: XSERVE chal
B58AF439B186C221 neg: 1ff
[2003/01/05 16:49:38, 0]
/SourceCache/samba/samba-21/source/rpc_client/cli_netlogon.c:cli_net_auth2(157)
    cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/01/05 16:49:38, 0]
/SourceCache/samba/samba-21/source/rpc_client/cli_login.c:cli_nt_setup_creds(74)
    cli_nt_setup_creds: auth2 challenge failed
[2003/01/05 16:49:38, 0]
/SourceCache/samba/samba-21/source/smbd/password.c:connect_to_domain_password_server(1340)
    connect_to_domain_password_server: unable to setup the PDC
credentials to machine WINSERVER. Error was : NT_STATUS_OK.
[2003/01/05 16:49:38, 0]
/SourceCache/samba/samba-21/source/smbd/password.c:domain_client_validate(1558)
    domain_client_validate: Domain password server not available.

-- 
http://www.4am-media.com
Mac OS X Consulting and Training
Michael Bartosh
mbartosh@4am-media.com
303.517.0272
Denver, CO


"The surest way to corrupt a youth is to instruct him to hold in higher
regard those who think alike than those who think differently."

- -- Nietzsche
         
			Think Different.