Cannot join XP SP2 machine to Tiger 10.4.8 PDC – bad username and password

Viewing 6 posts - 1 through 6 (of 6 total)
    #368220
    papastanley
    Participant

    Hi,

    I have a 10.4.8 OS X Server/Xserve and have been running Windows Services fine for filesharing, having LDAP for the user directory.

    I recently turned on the PDC feature and WINS to manage a domain, so I can get off my ailing Novell server for authentication and login scripts. I’m not binding to anything external – I just want a PDC managing a domain using my LDAP user list for authentication. I have a clean-install XP SP2 + patches Windows box called gislab-master.

    [b]The Problem? – I cannot join XP SP2 boxes to the domain – bad username and password.[/b]

    I have amended the SignorSeal registry entry on the XP box, and tried disabling the various password encrypting aspects of the local Security Policy individually – “bad username or password”.

    I tried using my regular admin user account which I have to provide in WGM to change the PDC Domain name – “bad username and password”.

    I tried using a root user set up using [b]smbpasswd[/b] in Terminal on the server – “bad username and password”.

    I tried using a new full server admin (i.e. admin server, admin directory, etc.) user set up fresh in WGM, theoretically for the purpose of only joining machines to the domain – “bad username and password”.

    I tried using the Server [b]root[/b] account after explicitly checking it works via terminal first – Domain join attempt gives me “access denied” (WTF?)

    I tried setting up a WGM group, adding my admin users and then specifying a [b]domain admin group[/b] in smb.conf

    I have tried adding the machine pre-emptively in WGM, then trying to join – no go.

    After attempting to join the domain I get a machine entry in the WGM list of the form “gislab-master$” (my XP box name), but have not joined the domain successfully as far as the windows box is concerned.

    There’s heaps of chat about this kind of issue in the *nix groups from 2-4 years ago, but very little for OS X – I’ve spent hours trawling the Net reading everything I can find – every thread I’ve found dealing with this issue does not ever arrive at a solution for those concerned, including the various ones here –

    I’m gonna say it out loud – Does OSX Tiger standalone PDC and XP clients JUST NOT WORK!?!

    I have an 800-line, level 10, machine-specific smbd log for an attempt with nothing obvious I can see wrong with it, but then I’m no expert (obviously). If someone who’s used to looking at these could have a look at it, that’d be great.

    My smb.conf global section…

    [code]
    [global]
    encrypt passwords = yes
    workgroup = CNSFSEIT-Dom
    display charset = UTF-8-MAC
    security = user
    domain admin group = @pdcadmin
    deadtime = 5
    log file = /var/log/samba/log.%m
    guest account = unknown
    add machine script = /usr/bin/opendirectorypdbconfig -c create_computer_account -r %u $
    add user script = /usr/bin/opendirectorypdbconfig -c create_user_account -r %u -n "/LD$
    preferred master = yes
    defer sharing violations = no
    allow trusted domains = no
    netbios name = tesla
    lanman auth = YES
    vfs objects = darwin_acls
    wins support = yes
    brlm = yes
    max smbd processes = 0
    server string = Faculty of Science Mac OS X Server
    logon drive = H:
    os level = 20
    domain logons = yes
    passdb backend = opendirectorysam guest
    dos charset = CP437
    unix charset = UTF-8-MAC
    auth methods = guest opendirectory
    local master = yes
    domain master = yes
    map to guest = Never
    use spnego = yes
    printer admin = unknown, @staff
    logon path = \\%N\profiles\%u
    ntlm auth = YES
    log level = 1
    [/code]

    Some log items – I’d like someone to see if it looks normal (log level 10) please?

    Firstly – NT user token: (NULL) – is that right?

    [quote][2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/process.c:switch_message(886)
    switch message SMBnegprot (pid 14095) conn 0x0
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/sec_ctx.c:set_sec_ctx(300)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth_util.c:debug_nt_user_token(486)
    [b] NT user token: (NULL)[/b]
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth_util.c:debug_unix_user_token(505)
    UNIX token of user 0
    Primary group is 0 and contains 0 supplementary groups
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/smbd/uid.c:change_to_root_user(296)
    change_to_root_user: now uid=(0,0) gid=(0,0)
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/negprot.c:reply_negprot(461)
    Requested protocol [PC NETWORK PROGRAM 1.0]
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/negprot.c:reply_negprot(461)
    Requested protocol [LANMAN1.0]
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/negprot.c:reply_negprot(461)
    Requested protocol [Windows for Workgroups 3.1a]
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/negprot.c:reply_negprot(461)
    Requested protocol [LM1.2X002]
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/negprot.c:reply_negprot(461)
    Requested protocol [LANMAN2.1]
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/negprot.c:reply_negprot(461)
    Requested protocol [NT LM 0.12]
    [2007/02/05 17:53:01, 10] /SourceCache/samba/samba-100.5/samba/source/lib/util.c:set_remote_arch(1952)
    set_remote_arch: Client arch is 'Win2K'
    [2007/02/05 17:53:01, 6] /SourceCache/samba/samba-100.5/samba/source/param/loadparm.c:lp_file_list_changed(2711)
    lp_file_list_changed()
    file /private/etc/smb.conf -> /private/etc/smb.conf last mod_time: Mon Feb 5 17:52:06 2007[/quote]

    – next the spnego setup – “module guest did not want to specify a challenge” – is this right?

    [quote] Doing spnego session setup
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:reply_sesssetup_and_X_spnego(620)
    NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
    [2007/02/05 17:53:01, 10] /SourceCache/samba/samba-100.5/samba/source/lib/util.c:set_remote_arch(1952)
    set_remote_arch: Client arch is 'WinXP'
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:reply_spnego_negotiate(498)
    Got OID 1 3 6 1 4 1 311 2 2 10
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:reply_spnego_negotiate(501)
    Got secblob of size 40
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:make_auth_context_subsystem(561)
    Using specified auth order
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(49)
    Attempting to register auth backend rhosts
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
    Successfully added auth method 'rhosts'
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(49)
    Attempting to register auth backend hostsequiv
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
    Successfully added auth method 'hostsequiv'
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(49)
    Attempting to register auth backend sam
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
    Successfully added auth method 'sam'
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(49)
    Attempting to register auth backend sam_ignoredomain
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
    Successfully added auth method 'sam_ignoredomain'
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(49)
    Attempting to register auth backend unix
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
    Successfully added auth method 'unix'
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(49)
    Attempting to register auth backend winbind
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
    Successfully added auth method 'winbind'
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(49)
    Attempting to register auth backend smbserver
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
    Successfully added auth method 'smbserver'
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(49)
    Attempting to register auth backend trustdomain
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
    Successfully added auth method 'trustdomain'
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(49)
    Attempting to register auth backend ntdomain
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
    Successfully added auth method 'ntdomain'
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(49)
    Attempting to register auth backend guest
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
    Successfully added auth method 'guest'
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:load_auth_module(439)
    load_auth_module: Attempting to find an auth method to match guest
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:load_auth_module(464)
    load_auth_module: auth method guest has a valid init
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:load_auth_module(439)
    load_auth_module: Attempting to find an auth method to match opendirectory
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/lib/module.c:smb_probe_module(101)
    Probing module 'opendirectory'
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/lib/module.c:smb_probe_module(112)
    Probing module 'opendirectory': Trying to load from /usr/lib/samba/auth/opendirectory.so
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(49)
    Attempting to register auth backend opendirectory
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
    Successfully added auth method 'opendirectory'
    [2007/02/05 17:53:01, 2] /SourceCache/samba/samba-100.5/samba/source/lib/module.c:do_smb_load_module(63)
    Module '/usr/lib/samba/auth/opendirectory.so' loaded
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:load_auth_module(464)
    load_auth_module: auth method opendirectory has a valid init
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/libsmb/ntlmssp.c:debug_ntlmssp_flags(62)
    Got NTLMSSP neg_flags=0xe2088297
    NTLMSSP_NEGOTIATE_UNICODE
    NTLMSSP_NEGOTIATE_OEM
    NTLMSSP_REQUEST_TARGET
    NTLMSSP_NEGOTIATE_SIGN
    NTLMSSP_NEGOTIATE_LM_KEY
    NTLMSSP_NEGOTIATE_NTLM
    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
    NTLMSSP_NEGOTIATE_NTLM2
    NTLMSSP_NEGOTIATE_128
    NTLMSSP_NEGOTIATE_KEY_EXCH
    [b][2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:get_ntlm_challenge(99)
    auth_get_challenge: module guest did not want to specify a challenge
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:get_ntlm_challenge(99)
    auth_get_challenge: module opendirectory did not want to specify a challenge
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:get_ntlm_challenge(139)
    auth_context challenge created by random[/b]
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:get_ntlm_challenge(140)
    challenge is:
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/lib/util.c:dump_data(1977)
    [000] 6A 00 08 3D 3D 9B B9 6D j..==..m
    [2007/02/05 17:53:01, 6] /SourceCache/samba/samba-100.5/samba/source/lib/util_sock.c:write_socket(465)
    write_socket(23,336)
    [2007/02/05 17:53:01, 6] /SourceCache/samba/samba-100.5/samba/source/lib/util_sock.c:write_socket(468)
    write_socket(23,336) wrote 336
    [2007/02/05 17:53:01, 10] /SourceCache/samba/samba-100.5/samba/source/lib/util_sock.c:read_smb_length_return_keepalive(521)
    got smb length of 382
    [2007/02/05 17:53:01, 6] /SourceCache/samba/samba-100.5/samba/source/smbd/process.c:process_smb(1090)
    got message type 0x0 of len 0x17e
    [2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/process.c:process_smb(1091)
    Transaction 2 of length 386
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/lib/util.c:show_msg(464)
    [2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/lib/util.c:show_msg(474)
    size=382[/quote]

    I have the full log available if anybody would like to see the whole thing – mail me stevenDOTstanleyATjcuDOTeduDOTau

    Thought this would be simple as it’s a feature that’s supposed to have been in OS X since 10.2, more or less – 4 days later… ;-(

    Any help would be greatly appreciated – stuck between sorting this or continuing to run an old Novell server with a busted mirror system drive in my mission critical Lab – not good. I know my crisis is not your crisis, but I’m hoping someone more experienced than I can point the finger at the problem.

    TIA

    Steven
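The poster asks for someone to eyeball an 800-line level-10 smbd log. The following is an added example, not code from the poster or from Samba: a small parser for smbd's "[time, level] file:func(line)" headers that reduces a log to the facts that matter for a failed join (the client's NativeOS, which auth methods registered, where the NTLM challenge came from, and the result of every authentication attempt). The sample log is constructed in the same layout as the lines quoted above; the final FAILED record is not from the post, and its wording is an assumption based on Samba 3's check_ntlm_password() message.

```python
import re
from collections import Counter

# Constructed sample in the shape of the level-10 smbd log quoted in the post
# (same header layout, message lines indented as smbd writes them). The final
# FAILED record is not from the post; it is added to show how an authentication
# outcome parses, and its wording is assumed from Samba 3's check_ntlm_password().
SAMPLE_LOG = """\
[2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/process.c:switch_message(886)
  switch message SMBnegprot (pid 14095) conn 0x0
[2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth_util.c:debug_nt_user_token(486)
  NT user token: (NULL)
[2007/02/05 17:53:01, 3] /SourceCache/samba/samba-100.5/samba/source/smbd/sesssetup.c:reply_sesssetup_and_X_spnego(620)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:smb_register_auth(61)
  Successfully added auth method 'opendirectory'
[2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:get_ntlm_challenge(99)
  auth_get_challenge: module guest did not want to specify a challenge
[2007/02/05 17:53:01, 5] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:get_ntlm_challenge(139)
  auth_context challenge created by random
[2007/02/05 17:53:02, 2] /SourceCache/samba/samba-100.5/samba/source/auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [gislab-master$] -> [gislab-master$] FAILED with error NT_STATUS_NO_SUCH_USER
"""

# One header line per record: "[date time, level] sourcefile:function(line)"
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+):(\w+)\((\d+)\)\s*$")
NATIVE_OS_RE = re.compile(r"NativeOS=\[(.*?)\]")
# Accept straight or typographic quotes so text pasted from a forum still parses.
AUTH_METHOD_RE = re.compile(r"Successfully added auth method ['\u2018](\w+)['\u2019]")
CHALLENGE_RE = re.compile(r"auth_context challenge created by (\w+)")
AUTH_FAIL_RE = re.compile(
    r"Authentication for user \[(.*?)\] -> \[.*?\] FAILED with error (NT_STATUS_\w+)")
AUTH_OK_RE = re.compile(
    r"authentication for user \[(.*?)\] -> \[.*?\] -> \[.*?\] succeeded")


def parse_smbd_log(text):
    """Split smbd debug output into records: a header plus its message lines."""
    records = []
    current = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = {"time": m.group(1), "level": int(m.group(2)),
                       "file": m.group(3), "func": m.group(4),
                       "line": int(m.group(5)), "message": ""}
            records.append(current)
        elif current is not None and raw.strip():
            # Continuation line: belongs to the most recent header.
            current["message"] += ("\n" if current["message"] else "") + raw.strip()
    return records


def triage_session(records):
    """Reduce parsed records to the facts relevant to a failed domain join."""
    summary = {
        "native_os": None,
        "auth_methods": [],
        "challenge_source": None,
        "auth_results": [],                 # (username, NT_STATUS_*) in log order
        "null_token_before_auth": False,    # expected: no session setup yet
        "null_token_after_success": False,  # would be odd: token lost after auth
        "records_per_level": Counter(),
    }
    for rec in records:
        msg = rec["message"]
        summary["records_per_level"][rec["level"]] += 1
        m = NATIVE_OS_RE.search(msg)
        if m:
            summary["native_os"] = m.group(1)
        m = AUTH_METHOD_RE.search(msg)
        if m:
            summary["auth_methods"].append(m.group(1))
        m = CHALLENGE_RE.search(msg)
        if m:
            summary["challenge_source"] = m.group(1)
        m = AUTH_FAIL_RE.search(msg)
        if m:
            summary["auth_results"].append((m.group(1), m.group(2)))
        m = AUTH_OK_RE.search(msg)
        if m:
            summary["auth_results"].append((m.group(1), "NT_STATUS_OK"))
        if "NT user token: (NULL)" in msg:
            succeeded = any(s == "NT_STATUS_OK" for _, s in summary["auth_results"])
            summary["null_token_after_success" if succeeded
                    else "null_token_before_auth"] = True
    return summary


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in triage_session(parse_smbd_log(text)).items():
        print(f"{key}: {value}")
```

Point it at the per-machine log that the posted `log file = /var/log/samba/log.%m` setting produces (for the box above that would be /var/log/samba/log.gislab-master). The two questions the poster raises map onto the summary keys: an NT user token of (NULL) seen during SMBnegprot lands in `null_token_before_auth`, which the code treats as expected because no session setup has happened at that point, and "challenge created by random" is recorded as the challenge source, the normal path when no auth module supplies its own challenge. The lines worth reading closely are the ones that end up in `auth_results`, since they carry the NT_STATUS code behind the client's generic "bad username or password".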

    #368241
    arekdreyer
    Member

    Did you see this thread?
    [url]https://www.afp548.com/forum/viewtopic.php?showtopic=16099[/url]

    #368249
    papastanley
    Participant

    I didn’t – but I have just fairly thoroughly skimmed through it – two things though…

    1. I’m not binding to an Active Directory domain – just running a PDC on my Xserve.

    2. I’m not running an Intel Xserve, but a first-gen G4 Xserve – they reckon it’s a problem with the Intel build.

    So I’m not so sure this is my problem – though it sounds similar – can anybody confirm they’ve seen the same problem (and fixed it with that script) on a standalone PPC server running as a PDC?

    Thanks for the suggestion though

    What would be really helpful would be if someone could post their working smb.conf file, and also a screenshot of their XP client Local Security policy settings, from a working OS X Server PDC and XP client.

    Steven

    #368401
    mosx86
    Participant

    I am having a similar issue which started after I changed the domain name of the PDC.

    Steps I’ve taken to correct the issue include:

    Rolling the PDC back to standalone server and then promoting back to PDC.

    Removing the /etc/smb.conf, /var/samba, and /var/db/samba/secrets.tdb files and reconfiguring the server from scratch.

    Creating new directory admin users to attempt binding with.

    All have been met with no success.

    My server and domain SIDs match.

    One [url=http://lists.apple.com/archives/macos-x-server/2005/Aug/msg00621.html]solution[/url] that I have seen floating around is this:

    /usr/bin/opendirectorypdbconfig -c set_authenticator -r admin-name -p xxxxx -n /LDAPv3/127.0.0.1

    I haven’t had a chance to give this a try as the man page for opendirectorypdbconfig is no help in trying to figure out the flags. I’m assuming admin-name is the username for your diradmin account and I’m not sure if there’s a way to have the command prompt for the password rather than including it in the command.

    Perhaps someone here has worked with this…

    #368403
    papastanley
    Participant

    I haven’t had a solution yet – I had to leave it and run with what I had; time was getting too tight.

    I did, however, find this (link below), which may have some bearing, but it didn’t fix my problem – you mention the SID issue – this shows you where to check whether [b]all[/b] the SID entries match. There may be two plists which don’t match – perhaps a bug with the SMB controls in WGM not writing to both plists?

    Mine were not matching, but once I fixed them the problem still remained. Cannot authorise a domain join from a Windows XP box.

    FYI in case this helps your situation…

    [url]http://www.radiotope.com/writing/?p=61#comment-1440[/url]

    My fallback plan is to use pGina instead of the Windows login, and point it at the LDAP server on my OS X box.

    I’ll let you know how this works when I get to it.

    good luck!

    .:S:.

    #368421
    mosx86
    Participant

    [QUOTE][u]Quote by: papastanley[/u][p]I haven’t had a solution yet – I had to leave it and run with what I had; time was getting too tight.

    I did, however, find this (link below), which may have some bearing, but it didn’t fix my problem – you mention the SID issue – this shows you where to check whether [b]all[/b] the SID entries match. There may be two plists which don’t match – perhaps a bug with the SMB controls in WGM not writing to both plists?

    Mine were not matching, but once I fixed them the problem still remained. Cannot authorise a domain join from a Windows XP box.

    FYI in case this helps your situation…

    [url]http://www.radiotope.com/writing/?p=61#comment-1440[/url]

    My fallback plan is to use pGina instead of the Windows login, and point it at the LDAP server on my OS X box.

    I’ll let you know how this works when I get to it.

    good luck!

    .:S:.[/p][/QUOTE]

    Thanks for the suggestion and link. One of the plists in WGM did not have the proper SID. After that I was able to promote the SMB service to PDC using my diradmin username and password and can now bind windows hosts to the domain.
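The thread is resolved by finding a SID that did not match across the server's stores. As an added example (not from any poster and not an Apple or Samba tool), here is a check that reads what Samba's `net getlocalsid` and `net getdomainsid` report and flags a PDC whose local machine SID and domain SID disagree, or whose SID is not of the S-1-5-21-x-y-z shape an NT-style domain uses. The sample outputs are constructed; their line format is assumed from the Samba 3 `net` tool, the SID values are made up, and the names come from the smb.conf posted earlier (netbios name = tesla, workgroup = CNSFSEIT-Dom).

```python
import re
import subprocess

# Constructed sample output in the shape printed by Samba's `net getlocalsid`
# and `net getdomainsid` (format assumed from the Samba 3 net tool; the SIDs
# themselves are made up). Names follow the smb.conf posted in the thread.
GOOD_SID = "S-1-5-21-1111111111-2222222222-3333333333"
OTHER_SID = "S-1-5-21-4444444444-5555555555-6666666666"
LOCAL_OUT = f"SID for domain TESLA is: {GOOD_SID}\n"
DOMAIN_OUT_OK = (f"SID for local machine TESLA is: {GOOD_SID}\n"
                 f"SID for domain CNSFSEIT-DOM is: {GOOD_SID}\n")
DOMAIN_OUT_BAD = (f"SID for local machine TESLA is: {GOOD_SID}\n"
                  f"SID for domain CNSFSEIT-DOM is: {OTHER_SID}\n")

SID_LINE_RE = re.compile(r"SID for (?:local machine|domain) (\S+) is: (\S+)")
# An NT-style domain SID: S-1-5-21 followed by exactly three sub-authorities.
NT_DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")


def parse_net_sid_output(text):
    """Map each name in `net get*sid` output to the SID reported for it."""
    return {m.group(1).upper(): m.group(2) for m in SID_LINE_RE.finditer(text)}


def check_pdc_sids(local_out, domain_out, netbios_name, workgroup):
    """Return a list of problems; an empty list means the PDC's SIDs agree.

    On a Samba PDC the machine's own SID is the domain SID, so the value
    `net getlocalsid` reports for the host must equal the one
    `net getdomainsid` reports for the workgroup."""
    local_sid = parse_net_sid_output(local_out).get(netbios_name.upper())
    domain_sid = parse_net_sid_output(domain_out).get(workgroup.upper())
    problems = []
    for label, sid in (("local", local_sid), ("domain", domain_sid)):
        if sid is None:
            problems.append(f"{label} SID not found in net output")
        elif not NT_DOMAIN_SID_RE.match(sid):
            problems.append(f"{label} SID {sid} is not of the S-1-5-21-x-y-z form")
    if local_sid and domain_sid and local_sid != domain_sid:
        problems.append(f"local SID {local_sid} differs from domain SID {domain_sid}")
    return problems


def run_net(*args):
    """Run the real `net` tool (only used with --live on a server)."""
    return subprocess.run(["net", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        problems = check_pdc_sids(run_net("getlocalsid"), run_net("getdomainsid"),
                                  "tesla", "CNSFSEIT-Dom")
    else:
        problems = check_pdc_sids(LOCAL_OUT, DOMAIN_OUT_BAD, "tesla", "CNSFSEIT-Dom")
    print("\n".join(problems) or "SIDs consistent")
```

Without arguments the script runs against the constructed mismatching sample and reports the disagreement; with `--live` it queries the server's own `net` binary. It only covers what `net` reads from Samba's secrets store; the plist the last post refers to still has to be checked by hand, since the thread does not name its path.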
