AFP548 Changing the world one server at a time.
 Weird OD/PDC issue
erzeszut
 Monday, March 27 2006 @ 09:13 am MST



Hi...

Having a strange issue with my 10.4.5 XServe. I upgraded it from 10.3.9 around two months ago. The articles and comments here at AFP548 were extremely helpful in getting my OD users/passwords and Samba PDC identification exported and imported into my 10.4.5 clean install. Much more helpful than Apple's own enterprise tech support; in fact, I sent the Apple techie the AFP548 links so he could learn something!!!

But, I'm having a new issue. All of a sudden, I am unable to add new PCs into the domain for which the XServe is PDC (and OD Master). When I try and add a PC to the domain, I get this error message on the PC:

"The following error occurred when attempting to join the domain "UAB-CELLBIO":
Access is denied."

This happens no matter which account I use to authenticate: diradmin, root, administrator. It's not a password issue necessarily, for if I mistype the password, I get a different error to that effect.

Previously-bound PCs in this domain continue to function normally.

Each time I attempt to add a PC to the domain, I get entries in log.smbd that look like this:

[2006/03/16 10:25:44, 0] /SourceCache/samba/samba-92.15/samba/source/rpc_server/srv_samr.c:api_samr_set_userinfo(786)
api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.

[2006/03/16 10:25:44, 0] /SourceCache/samba/samba-92.15/samba/source/libsmb/smbencrypt.c:decode_pw_buffer(539)
decode_pw_buffer: incorrect password length (-578941159).

[2006/03/16 10:25:44, 0] /SourceCache/samba/samba-92.15/samba/source/libsmb/smbencrypt.c:decode_pw_buffer(540)
decode_pw_buffer: check that 'encrypt passwords = yes'

I'm good at following instructions, and so I have already verified that encrypt passwords = yes is an entry in smb.conf.

I'm not sure what to do with the "incorrect password length" error, but that may be the heart of the problem. I have tried resetting the password on the diradmin and root accounts, hoping that would correct things. No joy.

Strangely, a computer account is created and is visible in WGM for the PC I attempt to bind. So the process may be partially working.

Not surprisingly, I get similar errors when I try and set my G4 OD Replica as a BDC for this domain. The OD Replica reports that it is "unable to join the domain." The ability to have a BDC was really the main reason I upgraded to 10.4.

Apple tech support is unable to provide much help. They're giving me circular suggestions such as "demote/promote from OD Master to Standalone and back," and demote/promote from PDC to Standalone and back. Neither one of these made any difference.

I will provide many, many beers (or other preferred beverage/reward) to any Samba expert(s) who can help me navigate my way through this one.

Thanks, and happy Monday.
Eric


----- Sophie Arielle, born 3/17/06: www.rzeszut.com/sophie
 
erzeszut
 Wednesday, March 29 2006 @ 08:07 am MST  


Update:

Apple Enterprise tech support suggested stopping the Windows service, deleting the secrets.tdb file, and restarting the service, which creates a new secrets.tdb.

From previous experience, I know that this creates a new Windows domain SID, which causes the bound clients to think it's a new domain. But just for the heck of it, I backed up secrets.tdb and tried this. Same thing with the new secrets.tdb; Win clients failed to join the domain with the "access denied" error.

So then I stopped the Win service again, deleted everything in var/samba and var/db/samba EXCEPT secrets.tdb, and restarted.

Now, I'm getting a different error when I try and bind to the domain. Not sure if this is progress or not:

"The following error occurred attempting to join the domain UAB-CELLBIO:
No mapping between account names and security IDs was done."

Anyone seen this before? I found some Samba docs suggesting that the workstation name should be all lower case as a fix for this. However, it already is lower case, and this makes no difference.

Eric


----- Sophie Arielle, born 3/17/06: www.rzeszut.com/sophie
 
zamoose
 Thursday, May 04 2006 @ 04:46 pm MDT  



I'm seeing the exact same thing on 10.4.6 and it's pissing. me. off. ROYALLY!

Any updates would be most appreciated.


 
Anonymous: sindicate
 Friday, May 12 2006 @ 06:45 pm MDT  


I've been seeing the same thing since 10.4.6. Password changes trigger the problem. Quick fix: turn Samba to single server and then back to PDC; that seems to fix the problem. You could also prevent users from changing passwords until Apple fixes it...

Things like that shouldn't happen.


 
Anonymous: sindicate
 Friday, May 12 2006 @ 07:13 pm MDT  


Update: I somehow got rid of the bug after changing my password directly from OS X 2 times. Now I can change the password from Windows and Mac OS X without getting the bug. It looks like Samba is not monitoring the password change or the Open Directory NTLM hashing is (half) broken.


 
dptech
 Thursday, August 23 2007 @ 04:23 pm MDT  


Has anyone made progress on this yet?
My ODM / PDC was working and I was able to attach Windows boxes using the diradmin account and then this:

check_ntlm_password: authentication for user [diradmin] -> [diradmin] -> [diradmin] succeeded
[2007/08/23 14:08:17, 2] /SourceCache/samba/samba-100.9/samba/source/lib/module.c:do_smb_load_module(63)
Module '/usr/lib/samba/vfs/darwin_acls.so' loaded
[2007/08/23 14:08:17, 2] /SourceCache/samba/samba-100.9/samba/source/rpc_server/srv_samr_nt.c:_samr_lookup_domain(2531)
Returning domain sid for domain SSD -> S-1-5-21-1372755496-2984317980-2510722169
[2007/08/23 14:08:17, 0] pdb_ods.c:odssam_getsampwnam(2329)
odssam_getsampwnam: [0]get_sam_record_attributes dsRecTypeStandard:Computers no account for 'rm111-27$'!
kDSStdAuthNewUser FAILED for account "computer-name" (-14090) :(
[-14090]AuthNewUser
[0]dsDeleteRecord
[2007/08/23 14:08:17, 0] pdb_ods.c:odssam_getsampwnam(2329)
odssam_getsampwnam: [0]get_sam_record_attributes dsRecTypeStandard:Computers no account for 'computer-name$'!

Was hoping this was a simple SID issue, but it would appear that it's not. I'm also getting

[2007/08/23 14:07:57, 0] /SourceCache/samba/samba-100.9/samba/source/rpc_server/srv_samr.c:api_samr_set_userinfo(786)
api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.
[2007/08/23 14:07:57, 0] /SourceCache/samba/samba-100.9/samba/source/libsmb/smbencrypt.c:decode_pw_buffer(539)
decode_pw_buffer: incorrect password length (-1997745557).
[2007/08/23 14:07:57, 0] /SourceCache/samba/samba-100.9/samba/source/libsmb/smbencrypt.c:decode_pw_buffer(540)
decode_pw_buffer: check that 'encrypt passwords = yes'

Does anyone know anything further on this?

TIA,
dave


 