samba - Oct 2005 - 2.2 to 3.0.x PDC upgrade: an XP box no longer authenticates domain users with the Samba PDC

Hi!

    I've recently been upgrading a Samba 2.2 installation to 3.0 (on a 
SuSE 9.3 machine, specific version is 3.0.13-1.1-SuSE). Everything went 
more or less okay, but I'm stumped on the following problem... here's 
the general setup:

    * Samba acting as a PDC (named "servidor"). Was upgraded from 2.2
to
      3.0. I copied the smb.conf file, and the passwd/shadow/smbpasswd
      files. I edited the smb.conf to match 3.0's configuration changes.
    * XP workstations, no problems there.
    * XP box running some windows-specific stuff (named "servidor_xp")
      that authenticates people connecting to it through the PDC. Had no
      problems in the 2.2 days.


    Here's what happens: the XP box no longer auths users. I checked the 
Samba log and I see this:

    [2005/10/03 18:01:04, 2] lib/access.c:check_access(324)
      Allowed connection from servidor_xp.domain.lan (192.168.0.220)
    [2005/10/03 18:01:04, 2] rpc_parse/parse_prs.c:netsec_decode(1594)
      netsec_decode: FAILED: packet sequence number:
    [2005/10/03 18:01:04, 2] lib/util.c:dump_data(1995)
      [000] 24 32 D2 AB 6B 37 A4 DA                           $2..k7..
    [2005/10/03 18:01:04, 2] rpc_parse/parse_prs.c:netsec_decode(1596)
      should be:
    [2005/10/03 18:01:04, 2] lib/util.c:dump_data(1995)
      [000] 00 00 00 00 80 00 00 00                           ........
    [2005/10/03 18:01:04, 2] lib/access.c:check_access(324)
      Allowed connection from servidor_xp.domain.lan (192.168.0.220)
    [2005/10/03 18:01:04, 2] auth/auth.c:check_ntlm_password(305)
      check_ntlm_password:  authentication for user [joe] -> [joe] ->
    [joe] succeeded


    So basically, even though Samba authenticates the user just fine, 
something wrong seems to happen with that "netsec_decode FAILED [...]"
part, which is most likely causing the authentication not to succeed. I 
googled around in mailing lists for similar stuff and I found that this 
usually relates to mismatching SIDs, but even though I know what a SID 
is, more than that goes over my head (and it might not even be related 
at all). Just for kicks, I deleted all .tdb files in /var/lib/samba so 
that Samba would recreate them (thinking that old stale SIDs were 
somehow stored there), but to no avail.

    Anyone knows what the problem is and how to solve it?

    -- Bruno Ferreira

Craig White wrote:
>On Mon, 2005-10-03 at 18:34 +0100, Bruno Ferreira wrote:
>  
>
>>[snip]
>>    
>>
>----
>just guessing - does 
>net getlocalsid
>match the SID for your domain according to the WindowsXP box?
>
>Craig
>
>  
>
    Well I eventually solved the problem by removing the XP box from the 
domain and then having it re-join. However, I still don't quite 
understand the details of what went on. "net getlocalsid" gave me a 
specific SID for the domain. I didn't know how to obtain the domain SID 
in the Windows box, but I tried sysinternals.com's NewSID. It showed me 
the same SID before and after rejoining the domain, so I really didn't 
understand what went on :(

    -- Bruno Ferreira