AFP548

10.4.6 Server & Active Directory – losing connection

I'm attempting to integrate a brand new Xserve G5 into a 100% Windows server environment. This is not my network, so I have very limited access to an admin password for Active Directory. I've seen several descriptions of people with this problem on this forum, but none of the answers have helped me.

My setup is as follows: the only two services running on the machine are AFP and SMB. We want to configure the machine to do all of its authentication via Active Directory. I have Open Directory set to "Connected to a Directory System" and the Windows role is "Domain Member". As far as I can tell, Directory Access is configured properly; immediately after we bind to Active Directory, users on both Macs and PCs can connect and authenticate happily (we are not using Kerberos for client authentication). After about a day, nobody can authenticate with AD usernames (the one local account works fine). The logs do not indicate any failure anywhere (I've looked at them all), except that all of a sudden the authentication starts failing with NT_STATUS_NO_SUCH_USER. (I posted the relevant section from the log at the bottom.)

Now, as I understand it, the process of binding to Active Directory involves some flavor of Kerberos authentication between the Xserve and the AD server. As I understand it, Kerberos can be sensitive to system time discrepancies between two machines. So, once I learned this, I found that the clock on the server was not set to sync with a network time server, and that it was, in fact, about 6 minutes off; I set the clock to sync with Apple's servers. I did this today, a Saturday, and therefore cannot rebind the machine to AD until Monday (we were not given even temporary admin access to get this working; hence, every time we need the password, we have to ask someone to type it in for us).

The catch is, if it unbinds itself again after we leave on Monday, we stand a fair chance of losing them as a client and sucking up the cost of the brand new Xserve we sold them (we've been struggling with this for a while now). That's a little dramatic; we may end up switching them over to local auth on the box, but it's got to support about 40 users, so it would be a pain to maintain.

My question is: would a time discrepancy cause this random unbinding? Where else can I look? I have enabled debug mode on the DirectoryService process, so that if it does unbind itself again after we bind it, I can get a better idea of what's going on. At the moment, it's periodically attempting to connect to the AD server and returning a "No connectivity ....." message, but that doesn't really tell me anything. Any light you can shed on this topic would be greatly appreciated.

Excerpt from log.smbd:
sesssetup.c:reply_sesssetup_and_X_spnego(620)
  NativeOS=[Windows 2000 2195] NativeLanMan=[Windows 2000 5.0] PrimaryDomain=[]
[2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[jsmith] domain=[ADDOM] workstation=[PC4090] len1=24 len2=24
[2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/auth/auth.c:check_ntlm_password(266)
  check_ntlm_password:  Checking password for unmapped user [ADDOM]\[jsmith]@[PC4090] with the new password interface
[2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/auth/auth.c:check_ntlm_password(269)
  check_ntlm_password:  mapped user is: [ADDOM]\[jsmith]@[PC4090]
[2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/libsmb/namequery_dc.c:rpc_dc_name(145)
  rpc_dc_name: Returning DC TAN (10.1.1.32) for domain ADDOM
[2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/libsmb/cliconnect.c:cli_start_connection(1382)
  Connecting to host=TAN
[2006/05/05 08:47:22, 3] /SourceCache/samba/samba-92.19/samba/source/lib/util_sock.c:open_socket_out(768)
  Connecting to 10.1.1.32 at port 445
[2006/05/05 08:47:23, 3] /SourceCache/samba/samba-92.19/samba/source/auth/auth_util.c:make_server_info_info3(1131)
  User sschwart does not exist, trying to add it
[2006/05/05 08:47:24, 0] /SourceCache/samba/samba-92.19/samba/source/auth/auth_util.c:make_server_info_info3(1138)
  make_server_info_info3: pdb_init_sam failed!
[2006/05/05 08:47:24, 2] /SourceCache/samba/samba-92.19/samba/source/auth/auth.c:check_ntlm_password(367)
  check_ntlm_password:  Authentication for user [jsmith] -> [jsmith] FAILED with error NT_STATUS_NO_SUCH_USER