Forum Replies Created
jeg98
Participant
I’m no expert by any means, but from some of the digging I’ve done related to my own issues (the result is similar to yours, but the errors are different), have you run any kinit commands to see what is in your kerberos ticket file (should be in \Library\Preferences\edu.mit.kerberos)?
I have trouble w/ an Xserve where Windows users want to connect to its shares, and sometimes it doesn’t work. Logs indicate that the Xserve is not successfully authenticating to the domain server, and thus can’t pass the AD authentication through to it for access. But Macs and AFP is great. I think Macs w/ Kerberos is not right, though. And/or Macs via SMB to the Xserve.
Fun, fun, fun! Good luck.
February 6, 2007 at 10:35 pm in reply to: 10.4.8 Intel – AD, Samba kerberos machine password #368238
jeg98
Participant
Tom,
Thanks for the log file posting. And, hey, kudos to you for getting it to work. “Just a teacher”. Don’t underestimate yourself. : )
Anywho, there doesn’t seem to be much difference in your log.winbindd from before and after the change. Or is there something I’m missing?
We have similar errors in our log.winbindd. I haven’t studied them long enough yet to determine any correlation between the entries there and other events (e.g.- events in the AD domain controller; Win or Mac users trying to connect via SMB). In general, we seem to have fewer entries regarding not being able to fetch the SID for the domain.
Our Windows service is also set at “Medium” logging (logging level 2 if you examine your smb.conf file). I am surprised that you don’t have any NETLOGON errors in your log.smbd, but hey, if you don’t, you don’t (have you tried to reload it? you might be asked how much data you want to see and could then look further into the past).
In Server Admin, for the Windows service and General tab, what is the role of your server? Ours is set as a Domain Member.
We don’t want our Xserve to do anything other than pass the Active Directory account information to the domain controller for authentication when accessing the shares. Generally works fine for Macs over AFP, but SMB on Macs or Windows users is off and on.
Earlier today I had to unbind the server and rebind it to the domain. There is definitely something funky with the Xserve’s computer account in the domain, but I can’t tell if it is the password null bit issue, something else entirely, or a combination.
Sigh.
Thanks for your time.
-John
jeg98
Participant
To Mr. Bronga,
What kind of errors were you seeing on your Xserve in the smbd log file? I’m curious if you were seeing the NETLOGON failures there as well.
So far we’ve continued to have intermittent funkiness with Windows users connecting/authenticating.
I also just checked on another Tiger server running on a G4 and the null characters are not part of the AD machine password in the secrets file. So, I have a Panther server bound to AD and a Tiger server bound to AD (both on PPC Macs) that don’t show the null character in their machine password.
However, Mr. Bronga went from not working to working by fixing that.
What do you see in your smbd logs after fixing the password?
Thanks to those that have continued to post.
-John
jeg98
Participant
Greetings!
I have been struggling with an Intel Xserve bound to an Active Directory domain. It seems to pass AD account info to the AD server from authenticating Macs without any problem. However, it is flaky with Windows users. And connecting to the Xserve via SMB from Macs doesn’t work either.
I see different errors on the Tiger Server side than “at1” reported, but I do see the same errors on the Windows domain controllers (2 of them, actually).
I’m not sure about the fubarred machine password, though. When I run the tdbdump command, I don’t see the null characters, but then, I don’t see those characters on a Panther server that is also bound to the domain. That may or may not be relevant, though.
From looking at the password in the Active Directory preferences, I’m guessing that the different files encode the text differently, as they look nothing alike. I’m not slick enough to recognize if the password in the AD pref file has the null character there or not.
This sure is a pain! : )
Who at Apple mentioned the known bug with Intel 10.4.8 server? I called Apple today, but our support agreement doesn’t cover AD integration. That’s at least $699 (for one incident!). Yikes.
Good luck.