Windows login to 10.4 through AD

  • #366044
    naubur
    Participant

    I feel like I have seen so many similar posts, tried so many different solutions, but I still cannot get this to work reliably.

    Samba log always says:
    NT_STATUS_WRONG_PASSWORD
    User "jnaubur" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090) :(
    check_ntlm_password: Authentication for user [jnaubur] -> [jnaubur] FAILED with error NT_STATUS_WRONG_PASSWORD

    I have tried so many things, read so many posts, did so many searches that I don’t even know where to start anymore.

    Then magically it starts working (used to be stopping and starting the services, but now even that doesn’t work) for a few minutes. About a month ago it worked for about 4 weeks straight. Here is the last successful log:

    User "jnaubur" authenticated successfully with "dsAuthMethodStandard:dsAuthSMBNTKey" :)
    check_ntlm_password: authentication for user [jnaubur] -> [jnaubur] -> [jnaubur] succeeded
    nauburj (172.17.8.52) connect to service IS initially as user jnaubur (uid=1831784525, gid=848649075) (pid 1824)
    check_ntlm_password: authentication for user [jnaubur] -> [jnaubur] -> [AD\jnaubur] succeeded
    nauburj (172.17.8.52) connect to service IS initially as user AD\jnaubur (uid=1831784525, gid=848649075) (pid 1914)
    check_ntlm_password: authentication for user [jnaubur] -> [jnaubur] -> [AD\jnaubur] succeeded

    Then suddenly: poof. No more luck – only worked for like 5 minutes and not again since.

    domain_client_validate: unable to validate password for user jnaubur in domain AD to Domain controller \\servername. Error was NT_STATUS_ACCESS_DENIED.
    User "jnaubur" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090) :(
    check_ntlm_password: Authentication for user [jnaubur] -> [jnaubur] FAILED with error NT_STATUS_WRONG_PASSWORD

    I am really pulling out my hair here.

    Setup:

    Windows 2003 Active directory
    3 OSX 10.4 servers, 1 metadata, 2 fileserving – I am trying to log into one of the fileservers.
    250 PC users
    150 Mac users
    xSan
    DNS seems to work fine
    Played with SMB.conf a bit (I think the last time it worked was immediately after adding an entry in the line: auth methods = guest [added: ntdomain] opendirectory).

    The server that I am working on is only in very low production so I can play around a fair bit. Our old and still in use system is Netware, and this OSX server was supposed to replace it in a few months – this is a huge block for that to happen.

    Please help.

    Jason Naubur

    #366122
    corpo
    Participant

    I’m having a similar problem. When you can’t login, can you still see the active directory users? (easiest way to check is to type ‘id jnaubur’ in the terminal) Also – is the mac server still visible to the Windows network? To determine that use smbfind – it lists all the machines in the windows network that are registered – you’ve got a fair sized network, so I’d grep the output for your server’s name (e.g. smbfind | grep ).

    I managed to determine that the problem that we are (still) having was actually two separate problems – the first was that the xserve was disappearing from the windows network – which yielded errors similar to what you posted. That problem was caused by the windows name service daemon on the xserve crashing randomly, and I solved it by writing a little shell script that checks to see if the daemon is running every 5 minutes, and if it isn’t, starts it up again – I’ll post the code below. Someone else on this forum wrote a similar script – but it would actually restart the whole windows service, which isn’t necessary, and could very likely disrupt active connections (which don’t need nmbd to maintain connectivity).

    Anyway, if you find that the xserves are disappearing from the windows network, add this script to (root’s) crontab (you’ll probably have to do it for all three machines) – and that will solve at least one of the problems. The other problem I’m having is described in this post. Let me know if you’re experiencing similar issues, and perhaps we can come up with an answer.

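    ---kick-nmbd.sh---
    [code]
    #!/bin/sh
    # Restart nmbd if the process recorded in its pid file is no longer running.

    PIDFILE=/var/run/nmbd.pid
    PID=`cat "$PIDFILE" 2>/dev/null`

    # Running only if the pid file names a live process whose command is nmbd.
    if [ -n "$PID" ] && ps -p "$PID" -o command= 2>/dev/null | grep nmbd > /dev/null 2>&1; then
        echo "windows service is running smoothly!"
    else
        echo "nmbd crashed - dispensing swift kick in the ass"
        /usr/sbin/nmbd -D
        echo "kick dispensed - happy sharing!"
    fi
    [/code]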

    Don’t forget to chmod +x the script!

    #366901
    naubur
    Participant

    Aah, so long ago, and thanks for the reply. We managed to get an incident with Apple support. After a long, long, long process in testing all sorts of things it came down to our Active Directory being kinda screwy. Replication not happening, servers in the wrong sites, and old servers that had not been properly DCPromo’d when taken offline. Microsoft premium support cleared all that up. Then the machine accounts couldn’t read the permissions from user accounts, so fixed that (again an AD thing) and it is pretty good now.

    Again, all my problems were from the AD. Our Windows machines were pretty free from any problems, the OSX servers really hated the inconsistencies.

    Now we will be testing out the ACLs, but authentication is sweet, with SSO and all that for Macs and Windows machines.

    Anyways just wanted to post here for others what caused our problems and to look past the OSX server, as we didn’t.

    Jason
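
The log excerpts in the first post show the client-facing NT_STATUS_WRONG_PASSWORD appearing right after a domain_client_validate error from the domain controller, and the thread's cause turned out to be on the AD side. The script below is an added example, not code from any poster: it tallies such lines per user and applies a simple heuristic that separates failures preceded by a domain-controller error from plain bad passwords. The function names and the user asmith are hypothetical, and the sample lines are constructed from the shapes quoted in the thread.

```shell
#!/bin/sh
# Added example. classify_auth_log and sample_log are hypothetical names.
# Reads Samba log text on stdin and prints, per user:
#   <user> ok=N bad_password=N dc_side=N
# Heuristic: a FAILED check that follows a domain_client_validate error for
# the same user is counted as dc_side, not as a bad password.
classify_auth_log() {
    awk '
    /domain_client_validate:/ && /unable to validate password for user/ {
        # The account name is the word after "for user".
        for (i = 2; i < NF; i++)
            if ($(i - 1) == "for" && $i == "user") pending[$(i + 1)] = 1
        next
    }
    /check_ntlm_password:/ {
        # The first [name] on the line is the user name the client sent.
        s = index($0, "["); e = index($0, "]")
        if (s == 0 || e < s) next
        u = substr($0, s + 1, e - s - 1)
        seen[u] = 1
        if ($0 ~ /succeeded/) { ok[u]++; delete pending[u] }
        else if ($0 ~ /FAILED/) {
            if (u in pending) { dc[u]++; delete pending[u] }
            else bad[u]++
        }
    }
    END {
        for (u in seen)
            printf "%s ok=%d bad_password=%d dc_side=%d\n", u, ok[u], bad[u], dc[u]
    }' | sort
}

# Constructed sample: line shapes taken from the thread, user asmith invented.
sample_log() {
    cat <<'EOF'
check_ntlm_password: authentication for user [jnaubur] -> [jnaubur] -> [AD\jnaubur] succeeded
check_ntlm_password: Authentication for user [asmith] -> [asmith] FAILED with error NT_STATUS_WRONG_PASSWORD
domain_client_validate: unable to validate password for user jnaubur in domain AD to Domain controller \\servername. Error was NT_STATUS_ACCESS_DENIED.
User "jnaubur" failed to authenticate with "dsAuthMethodStandard:dsAuthSMBNTKey" (-14090) :(
check_ntlm_password: Authentication for user [jnaubur] -> [jnaubur] FAILED with error NT_STATUS_WRONG_PASSWORD
EOF
}

sample_log | classify_auth_log
```

A user whose failures land mostly in dc_side is a reason to look at the domain controller and the server's machine account before resetting that user's password.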
