AFP548

10.4.8 Intel – AD, Samba kerberos machine password

Dear AFP548's,

Hope you can help with this perplexing problem.

I have been experimenting with the setup of a single Intel Xeon Xserve running 10.4.8 in an existing Windows 2000 AD domain, using the instructions laid out in Mike Bombich's Leveraging AD on Mac OS X white paper and the OS/AD integration paper from this site.

Single sign-on seems to be working well from the Mac clients for login and AFP shares (and preference management via WGM), but Samba authentication seems to be broken for Mac and PC clients.

I am confident the AD server binding process has worked, as I am able to log on to the server locally using an AD domain admin account and have kerberized access to SMB shares on the existing Windows 2000 servers.

I have looked at my smb.conf file and everything appears correct, DNS is working properly, and I have checked the domain controller group policy objects that control encryption settings as detailed here.

In my smb logs I see this when I first start Samba:

[2007/01/14 19:45:05, 2] /SourceCache/samba/samba-100.5/samba/source/lib/interface.c:add_interface(79)
  added interface ip=192.168.0.248 bcast=192.168.0.255 nmask=255.255.255.0
[2007/01/14 19:45:05, 2] /SourceCache/samba/samba-100.5/samba/source/lib/interface.c:add_interface(79)
  added interface ip=192.168.0.28 bcast=192.168.0.255 nmask=255.255.255.0
[2007/01/14 19:45:05, 2] /SourceCache/samba/samba-100.5/samba/source/lib/tallocmsg.c:register_msg_pool_usage(57)
  Registered MSG_REQ_POOL_USAGE
[2007/01/14 19:45:05, 2] /SourceCache/samba/samba-100.5/samba/source/lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2007/01/14 19:45:06, 0] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/XSERVE@MYDOMAIN.COM failed: Client not found in Kerberos database
[2007/01/14 19:45:06, 0] /SourceCache/samba/samba-100.5/samba/source/printing/nt_printing.c:nt_printing_init(386)
  nt_printing_init: error checking published printers: WERR_ACCESS_DENIED
[2007/01/14 19:45:06, 2] /SourceCache/samba/samba-100.5/samba/source/smbd/server.c:open_sockets_smbd(335)
  waiting for a connection

And we see this in the smbd.log when the clients try to log on to SMB shares on the Xserve:

[2007/01/15 12:10:12, 2] /SourceCache/samba/samba-100.5/samba/source/passdb/pdb_interface.c:make_pdb_methods_name(654)
  No builtin backend found, trying to load plugin
[2007/01/15 12:10:12, 2] /SourceCache/samba/samba-100.5/samba/source/lib/module.c:do_smb_load_module(63)
  Module '/usr/lib/samba/pdb/opendirectorysam.so' loaded
[2007/01/15 12:10:12, 2] /SourceCache/samba/samba-100.5/samba/source/smbd/reply.c:reply_special(235)
  netbios connect: name1=XSERVE name2=CLIENTNAME
[2007/01/15 12:10:12, 2] /SourceCache/samba/samba-100.5/samba/source/smbd/reply.c:reply_special(242)
  netbios connect: local=xserve remote=xserve, name type = 0
[2007/01/15 12:10:12, 1] /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(184)
  Failed to verify incoming ticket!
[2007/01/15 12:10:12, 2] /SourceCache/samba/samba-100.5/samba/source/smbd/server.c:exit_server(595)
  Closing connections

NB: the name2= is the Apple computer name of the client Mac and NOT the computer name of the machine registered with AD.

On the Windows 2000 domain controller we see this error in the system log:

Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5722
Date: 15/01/2007
Time: 11:53:49
User: N/A
Computer: ATLAS
Description: The session setup from the computer XSERVE failed to authenticate. The name of the account referenced in the security database is XSERVE$. The following error occurred: Access is denied.

From all this I surmise that there is a problem with the credentials Samba uses to register itself with the domain server when Samba starts. When the client tries to log on, the server can't access the AD domain server for authentication, so it looks up credentials in the local password database on the Xserve and denies the connection when this check fails.

I found this posting which looked promising, but am very confused as to where I am supposed to modify the secrets.tdb file. I have tried a few options but with no success.

Anyone have an idea how I might fix this? Is this a known bug with the 10.4.8 Intel build of Samba? I have seen a small number of similar postings on this list, Apple's mailing list and the macenterprise list that would suggest this is the case.

Thanks in advance,
Alasdair
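
An added example, not part of the original post: a Python triage script that parses Samba log entries like those quoted above and flags the case where the server's own machine-principal kinit fails before a client's Kerberos ticket is rejected. The embedded log lines are copied from the post; the two-line entry layout (header, then indented message) and all function names are assumptions of this example.

```python
import re

# Header line of a Samba 3 entry: "[date time, level] source:function(line)".
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(?P<level>\d+)\] "
                    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")

# Message patterns taken from the log excerpts in the post above.
SIGNATURES = {
    "machine_kinit_failed": re.compile(
        r"kerberos_kinit_password (?P<principal>\S+) failed: (?P<reason>.+)"),
    "ticket_verify_failed": re.compile(r"Failed to verify incoming ticket!"),
}

SAMPLE = """\
[2007/01/14 19:45:06, 0] /SourceCache/samba/samba-100.5/samba/source/libads/kerberos.c:ads_kinit_password(146)
  kerberos_kinit_password host/XSERVE@MYDOMAIN.COM failed: Client not found in Kerberos database
[2007/01/14 19:45:06, 2] /SourceCache/samba/samba-100.5/samba/source/smbd/server.c:open_sockets_smbd(335)
  waiting for a connection
[2007/01/15 12:10:12, 1] /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(184)
  Failed to verify incoming ticket!
"""

def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif entries and raw.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + raw.strip()).strip()
    return entries

def triage(text):
    """Return one finding per entry whose message matches a known signature."""
    findings = []
    for e in parse_entries(text):
        for kind, pat in SIGNATURES.items():
            m = pat.search(e["msg"])
            if m:
                findings.append({"kind": kind, "ts": e["ts"], "func": e["func"], **m.groupdict()})
    return findings

def machine_account_suspect(findings):
    """True when the server's own kinit failed no later than the first rejected client ticket."""
    kinit = [f["ts"] for f in findings if f["kind"] == "machine_kinit_failed"]
    rejected = [f["ts"] for f in findings if f["kind"] == "ticket_verify_failed"]
    # Timestamps are YYYY/MM/DD HH:MM:SS, so string order equals time order.
    return bool(kinit and rejected and min(kinit) <= min(rejected))
```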