[thibbs]

Thanks, you two. I’ll get my IT guy involved and see if we can’t figure that out (he’s off until Tuesday next week). I’ll post back then.

Cheers!

[thibbs]

OK, here’s a question. I have my 10.4.7 Xserve connected through Active Directory as a Domain Member. We only use kerberos & NTLMv2 to authenticate (We actually just use kerberos, but the option in the Windows section of Server Admin says "NTLMv2 & Kerberos"). However, MANY times I have Windows users try to connect to the Xserve and it asks them for their username/password. The second that happens I know the connection has failed. Most of the time they can get on with NO interaction required. Once they get that message though, the only solution is to have them log off and log back on. Then it will work. They go to their short-cut which our IT group has set up, click on the drive and have access to what they need.

When I go and check the Windows log in Server Admin, I see this repeatedly:

When there’s an error:

[2006/08/01 18:29:16, 2] auth_ods.c:opendirectory_opendirectory_ntlm_password_check(553)
opendirectory_ntlm_password_check: NTLMv1 passwords NOT PERMITTED for user psmith
[2006/08/01 18:29:16, 2] /SourceCache/samba/samba-92.19/samba/source/auth/auth.c:check_ntlm_password(367)
check_ntlm_password: Authentication for user [psmith] -> [psmith] FAILED with error NT_STATUS_WRONG_PASSWORD

When it succeeds:
[2006/08/01 18:43:34, 2] /SourceCache/samba/samba-92.19/samba/source/lib/module.c:do_smb_load_module(63)
Module ‘/usr/lib/samba/vfs/darwin_acls.so’ loaded
[2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/service.c:make_connection_snum(648)
172.16.4.123 (172.16.4.123) connect to service 02 Literature initially as user psmith (uid=1093395257, gid=1233023604) (pid 15183)
[2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(261)
Username AD.OURCOMPANY.COM\NO-PSMITH-DT$ is invalid on this system
[2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(265)
Lookup trust account via passdb (AD.OURCOMPANY.COM\NO-PSMITH-DT$)
[2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(271)
trust account found via passdb fullname(NO-PSMITH-DT)
[2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(333)
reply_spnego_kerberos: check_sacl(AD.OURCOMPANY.COM\NO-PSMITH-DT$, smb) failed
[2006/08/01 18:43:34, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/service.c:make_connection_snum(648)
172.16.4.123 (172.16.4.123) connect to service 03 Photography initially as user psmith (uid=1093395257, gid=1233023604) (pid 15183)
[2006/08/01 18:43:35, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(261)
Username AD.OURCOMPANY.COM\NO-PSMITH-DT$ is invalid on this system
[2006/08/01 18:43:35, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(265)
Lookup trust account via passdb (AD.OURCOMPANY.COM\NO-PSMITH-DT$)
[2006/08/01 18:43:35, 1] /SourceCache/samba/samba-92.19/samba/source/smbd/sesssetup.c:reply_spnego_kerberos(271)
trust account found via passdb fullname(NO-PSMITH-DT)

Okay, so here’s my question: Why does the Xserve think it is being sent NTLMv1 passwords? And why, when it DOES work does the windows machine trying to connect send its machine name (no-psmith-dt$ or the longer variant)? Is this our windows peeps problem? Or have I misconfigured something?

Thoughts? Head scratch? Land in Montana?
A very irritated graphic designer posing as a mac server admin.

[Author]

Posts