I have been running a Samba PDC with Samba version 3.0.0 on Redhat 7.3 for quite some time. My WinXP Pro SP2 system is part of the domain and everything has been working just peachy. And then, of course, I had to tinker with it.

I upgraded the Linux box to Whitebox Linux 3.0, a derivative of Redhat Enterprise Linux 3.0. It comes with Samba 3.0.7. After installing and updating everything, I brought over the entire contents of my /etc/samba directory and loaded a previously saved LDIF file for my LDAP server (which Samba authenticates to). No changes were made in any of these files and no changes were made on the WinXP box.

If I do an "smbclient -L <linux-box-name>" it prompts me for a password, which is accepted, and a list of shares is presented. If I do the same thing using the WinXP's name, I get:

    session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

If I attempt to log in with a domain account on the XP box, I get a dialog box that says:

    "Windows could not connect to the domain, either because the domain
    controller is down, or otherwise unavailable, or because your computer
    account was not found."

I *AM* able to remove the XP machine from the domain and re-add it without incident. Or at least, I get the "Welcome to the PANDORANET Domain" message when adding it so I'm assuming the kali$ machine account is being properly found.

I suspect that this has something to do with the schannel settings. Samba reports that all 4 settings are currently set to "Auto" which seems to be the ideal setting. The first thing I tried was the registry change for signorseal to 0, but that had no effect. Currently, under the Local Security settings, I have for what I believe are the pertinent settings:

    Domain member: Digitally encrypt or sign secure channel data (always): Enabled
    Domain member: Digitally encrypt secure channel data (when possible): Enabled
    Domain member: Digitally sign secure channel data (when possible): Enabled
    Microsoft Network Client: Digitally sign communications (always): Disabled
    Microsoft Network Client: Digitally sign communications (if server agrees): Enabled
    Microsoft Network Server: Digitally sign communications (always): Disabled
    Microsoft Network Server: Digitally sign communications (if server agrees): Enabled

Anyone have any ideas? I've been tearing my hair out over this all weekend!

-----------------------------------------------------------------
Aaron Smith                       vox: 269.226.9550 ext.26
Network Director                  fax: 269.349.9076
Nexcerpt, Inc.                    http://www.nexcerpt.com

...Nexcerpt... Extend Your Expertise
Some further information. If I go on to the XP machine, and pull up the Security and Sharing information for the Documents and Settings directory for my domain user, instead of seeing the normal blue user icon and a name like DOMAIN\user I see a greyed out icon with a red question mark and then the SID for my domain user account.

If I try to Add a user, and tell XP to list all available objects, I get a list of all the various users and groups so it *CAN* read the information from the Samba server. Curiouser and curiouser...
One other thing, it would appear that a username is not being sent by the XP server. If I use smbclient to get a list of shares on the Samba server FROM the Samba server, I see this in the log file:

    [2004/12/06 10:41:12, 3] auth/auth.c:check_ntlm_password(219)
      check_ntlm_password: Checking password for unmapped user [PANDORANET]\[asmith]@[CERBERUS] with the new password interface
    [2004/12/06 10:41:12, 3] auth/auth.c:check_ntlm_password(222)
      check_ntlm_password: mapped user is: [PANDORANET]\[asmith]@[CERBERUS]

But, when doing the same thing to the XP box (or when trying to log in at the XP box), I see this:

    [2004/12/06 10:41:19, 3] auth/auth.c:check_ntlm_password(219)
      check_ntlm_password: Checking password for unmapped user []\[]@[KALI] with the new password interface
    [2004/12/06 10:41:19, 3] auth/auth.c:check_ntlm_password(222)
      check_ntlm_password: mapped user is: [PANDORANET]\[]@[KALI]
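The comparison made in the message above, as an added example that is not part of the original post: a parser for the two-line check_ntlm_password log entries quoted there, listing the attempts that arrive with an empty user name. The sample entries are copied from the message; the function names are hypothetical.

```python
import re

# Log entries copied from the message above (log level 3: header line,
# then the message text on the following line).
SAMPLE_LOG = r"""[2004/12/06 10:41:12, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [PANDORANET]\[asmith]@[CERBERUS] with the new password interface
[2004/12/06 10:41:12, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [PANDORANET]\[asmith]@[CERBERUS]
[2004/12/06 10:41:19, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user []\[]@[KALI] with the new password interface
[2004/12/06 10:41:19, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [PANDORANET]\[]@[KALI]
"""

# Header line: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +\d+\] ")
# Message line: "unmapped user [DOMAIN]\[USER]@[WORKSTATION]"
ATTEMPT = re.compile(
    r"Checking password for unmapped user "
    r"\[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]"
)


def parse_attempts(text):
    """Return one dict per authentication attempt found in the log text."""
    attempts, stamp = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            stamp = header.group(1)  # timestamp applies to the next line
            continue
        hit = ATTEMPT.search(line)
        if hit:
            domain, user, workstation = hit.groups()
            attempts.append({"time": stamp, "domain": domain,
                             "user": user, "workstation": workstation})
    return attempts


def empty_user_attempts(attempts):
    """Attempts where the client supplied no user name at all."""
    return [a for a in attempts if a["user"] == ""]


if __name__ == "__main__":
    for a in empty_user_attempts(parse_attempts(SAMPLE_LOG)):
        print(f'{a["time"]}  empty user name from workstation {a["workstation"]}')
```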
Well, I never did get any replies on this, but I have, in the interim, discovered the problem. So, for posterity I'm posting the answer here in case someone else comes along with a similar problem.

The original smb.conf from the old server included a line setting the guest account to "smbguest". Whereas this account existed on my old system, I had not created it on the new system. As soon as I created this account, BOOM, everything started working exactly as it had before.
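A check for the condition described in the resolution above, as an added example that is not part of the original post: it reads the "guest account" setting out of smb.conf text and reports any account that does not exist on the host. The sample configuration is constructed (only the smbguest value comes from the post), the function names are hypothetical, and "nobody" is assumed as the default when the parameter is unset.

```python
import pwd

# Constructed smb.conf fragment; only the guest account value is from the post.
SAMPLE_CONF = """\
[global]
   workgroup = PANDORANET
   ; setting carried over from the previous server
   Guest Account = smbguest
   domain logons = yes

[homes]
   browseable = no
"""


def guest_accounts(conf_text, default="nobody"):
    """Return {section: account} for every 'guest account' setting.

    Parameter names are compared without case or whitespace, as Samba does.
    'nobody' is an assumed default for [global] when the parameter is absent.
    """
    found, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if "".join(name.split()).lower() == "guestaccount":
            found[section] = value.strip()
    found.setdefault("global", default)
    return found


def unix_account_exists(name):
    """True if the name resolves through the system account database (NSS)."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def missing_guest_accounts(conf_text, exists=unix_account_exists):
    """Sorted list of configured guest accounts that do not exist."""
    accounts = set(guest_accounts(conf_text).values())
    return sorted(a for a in accounts if not exists(a))


if __name__ == "__main__":
    for account in missing_guest_accounts(SAMPLE_CONF):
        print(f"guest account '{account}' is configured but does not exist")
```

Running the same check on the real smb.conf after moving a configuration to a new host catches the missing account before clients start failing.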