I tried this script and it did not work.

Called Apple and was told that they are aware of the problem, so at least there is something to look forward too.

Issues like these make it really hard to reliably integrate Apple software into a windows enterprise.

The script doesn’t show any errors. The password field doesn’t show the null character after running it. Is the script supposed to ask for a new password, or does it attempt to use the existing password?

I tried this on a server I built fresh for the purpose of testing any fixes that might be available.

Greetings!

I have been struggling with an Intel Xserve bound to an Active Directory domain. It seems to pass AD account info to the AD server from authenticating Macs without any problem. However, it is flaky with Windows users. And connecting to the Xserve via SMB from Macs doesn’t work either.

I see different errors on the Tiger Server side than “at1” reported, but I do see the same errors on the Windows domain controllers (2 of them, actually).

I’m not sure about the fubarred machine password, though. When I run the tdbdump command, I don’t see the null characters, but then, I don’t see those characters on a Panther server that is also bound to the domain. That may or may not be relevant, though.

From looking at the password in the Active Directory prefences, I’m guessing that the different files encode the text differently, as they look nothing alike. I’m not slick enough to recognize if the password in the AD pref file has the null character there or not.

This sure is a pain! : )

Who at Apple mentioned the known bug with Intel 10.4.8 server? I called Apple today, but our support agreement doesn’t cover AD integration. That’s at least $699 (for one incident!). Yikes.

Good luck.

We had a problem similar to this with out test environment. It comprised of 1 Server 2003 (acting as DC,DNS,and DHCP), 1 OD master, and one osx client. AFP worked fine over the OD master just when we tried to hit any SMB share on the DC it would give us wrong username and password. Issue had to deal with a GPO on DC’s a.
if you browse to these location….MAKE SURE THEY ARE DISABLED!
Default Domain Controller Security Settings -> Security Settings -> Local Policies -> Security Options -> Microsoft network server: Digitally sign communications(always)
b. Default Domain Security Settings -> Security Settings -> Local Policies -> Security Options -> Microsoft network server: Digitally sign communications(always)

after we set these GPO location to disabled all is well with SMB/CIFS on a DC.

To Mr. Bronga,

What kind of errors were you seeing on your Xserve in the smbd log file? I’m curious if you were seeing the NETLOGON failures there as well.

So far we’ve continued to have intermittant funkyness with Windows users connecting/authenticating.

I also just checked on another Tiger server running on a G4 and the null characters are not part of the AD machine password in the secrets file. So, I have a Panther server bound to AD and a Tiger server bound to AD (both on PPC Macs) that don’t show the null character in their machine password.

However, Mr. Bronga went from not working to working by fixing that.
What do you see in your smbd logs after fixing the password?

Thanks to those that have continued to post.

-John

Tom,

Thanks for the log file posting. And, hey, kudos to you for getting it to work. “Just a teacher”. Don’t underestimate yourself. : )

Anywho, there doesn’t seem to be much difference in your log.winbindd from before and after the change. Or is there something I’m missing?

We have similar errors in our log.winbindd. I haven’t studied them long enough yet to determine any correlation between the entries there and other events (e.g.- events in the AD domain controller; Win or Mac users trying to connect via SMB). In general, we seem to have fewer entries regarding not being able to fetch the SID for the domain.

Our Windows service is also set at “Medium” logging (logging level 2 if you examine your smb.conf file). I am surprised that you don’t have any NETLOGON errors in your log.smbd, but hey, if you don’t, you don’t (have you tried to reload it? you might be asked how much data you want to see and could then look further into the past).

In Server Admin, for the Windows service and General tab, what is the role of your server? Ours is set as a Domain Member.
We don’t want our Xserve to do anything other than pass the Active Directory account information to the domain controller for authentication when accessing the shares. Generally works fine for Macs over AFP, but SMB on Macs or Windows users is off and on.

Earlier today I had to unbind the server and rebind it to the domain. There is definitely something funky with the Xserve’s computer account in the domain, but I can’t tell if it is the password null bit issue, something else entirely, or a combination.

Sigh.

Thanks for your time.

-John

Dearest Gods,

[b]I ran this, got the password:[/b]
sudo tdbdump /var/db/samba/secrets.tdb

[b]I created this with TextWrangler and saved it in /usr/bin as a executable file:[/b]
#!/usr/bin/expect -f
#Hack to change samba machine password non-interactively
set machinepw [lindex $argv 0]
spawn net -f changesecretpw
expect “password:”
send “$machinepw\r”
expect eof

[b]I ran this:[/b]
sudo changesecret $(defaults read /Library/Preferences/DirectoryService/ActiveDirectory “AD Computer Password”| /usr/bin/tr -d “< >” | /usr/bin/xxd -r -p)

[b]I ran this again but the output was simply “\00” for the password:[/b]
sudo tdbdump /var/db/samba/secrets.tdb

[b]Rebooted but the password stayed as “\00″[/b]

[b]Please, please tell me what I’m doing wrong, even if you feel the need to state the very obvious like creating the script[/b]
😐