Lars Scheiter
2004-Jun-11 11:08 UTC
[Samba] "credentials check wrong" only with Windows NT4 Clients
Hi,
we tried to migrate an NT4 Domain to Samba3.0.4. We took the easy aproach and
started to dump the NT PW Database with "pwdump" and the groups with
"addusers" which were used to build the initial LDAP DB for the Samba
Server.
The SID was set and the Samba PDC was started as a replacement for the NT
one.
Loggin on to the Domain with Windows 200x and XP machines works flawlessly so
far, no need to rejoin the domain. But existing NT4 with Servicepack 6
Servers refuse to connect to the new Samba Domain. The following error
message appears:
"The system cannot log you on to this domain because the system's
computer
account in its primary domain is missing or the password on that account is
incorrect".
The error message Samba produces is as follows:
[2004/06/11 10:45:43, 4] libsmb/credentials.c:cred_session_key(59)
cred_session_key
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_session_key(61)
clnt_chal: 350AACEBF04D5235
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_session_key(62)
srv_chal : 165865D394A09AA6
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_session_key(63)
clnt+srv : 4B6211BF84EEECDB
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_session_key(64)
sess_key : 2B91328B239AE687
[2004/06/11 10:45:43, 4] libsmb/credentials.c:cred_create(90)
cred_create
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_create(92)
sess_key : 2B91328B239AE687
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_create(93)
stor_cred: 350AACEBF04D5235
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_create(94)
timestamp: 0
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_create(95)
timecred : 350AACEBF04D5235
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_create(96)
calc_cred: B81E845AE6063ECA
[2004/06/11 10:45:43, 4] libsmb/credentials.c:cred_assert(121)
cred_assert
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_assert(123)
challenge : 7A15BB4592D4AAEB
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_assert(124)
calculated: B81E845AE6063ECA
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_assert(133)
credentials check wrong
[2004/06/11 10:45:43, 5] rpc_parse/parse_prs.c:prs_debug(82)
000000 net_io_r_auth_2
[2004/06/11 10:45:43, 6] rpc_parse/parse_prs.c:prs_debug(82)
000000 smb_io_chal
[2004/06/11 10:45:43, 5] rpc_parse/parse_prs.c:prs_uint8s(722)
0000 data: 20 f6 ff bf a8 cb 38 08
[2004/06/11 10:45:43, 6] rpc_parse/parse_prs.c:prs_debug(82)
000008 net_io_neg_flags
[2004/06/11 10:45:43, 5] rpc_parse/parse_prs.c:prs_uint32(635)
0008 neg_flags: 400001ff
[2004/06/11 10:45:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
000c status: NT_STATUS_ACCESS_DENIED
Well the computers account is present in the Database, it was also dumped via
"pwdump" and added to the LDAP DB. In fact with Win2K and higher
everythings
working. Since nobody else seems to have this particular Problem in
conjunction with Windows NT4 (well google hastnt one in his Database), i try
to ask the List.
To be precise everything else in this Domain seems to work, we got the right
group information and every user can Login and has is own profile, well
except if logged in from a windows NT4 workstation.
The only possible solution to this problem was to quit the machine from the
Domain and rejoin it immediately (i.e. without a reboot), but for a rollout
this is not practicable :(
If anybody needs further information i may send complete Logs and
configurations.
Thanks in advance
Lars
Apparently Analagous Threads
- Authentication only on NT Boxes not accepted
- 3.0.7 net join to NT4 domain - silently fails?
- Samba PDC - Adding machine to domain
- Smbldap tools blocks when using net rpc vampire to migrate accounts from the NT4 PDC to the SambaLdap BDC
- 3.0.7 joining NT4 domain: no go
Wisdom of the Ancients
