[Samba] security = domain and Mac OS X

Michael Bartosh mbartosh at mac.com
Mon Jan 6 01:05:01 GMT 2003

I've set up Samba on Mac OS X to do pass through authentication to 
the nt domain in AD several times now. No big deal, it usually just 

Now, however, it doesn't appear to be working. Note the relevant part 
of the transaction below (loglevel 4).

Steps to replicate:

	a) Add pre-Win2K account with AD Users and computers
	b) sudo smbpasswd -j EXAMPLE -r WINSERVER -U Administrator%passwd
		(happens successfully)
	c) in smb.conf:
		security = domain
		password server = WINSERVER

nmblookup works for WINSERVER.

[xserve:~] zinch% smbd -V
Version 2.2.3a
[xserve:~] zinch% sw_vers
ProductName:    Mac OS X Server
ProductVersion: 10.2.3
BuildVersion:   6G30

transaction in log:

[2003/01/05 16:49:38, 3] 
   Connecting to at port 445
[2003/01/05 16:49:38, 4] 
   cli_net_req_chal: LSA Request Challenge from WINSERVER to XSERVE: 
[2003/01/05 16:49:38, 4] 
[2003/01/05 16:49:38, 4] 
[2003/01/05 16:49:38, 4] 
   cli_net_auth2: srv:\\WINSERVER acct:XSERVE$ sc:2 mc: XSERVE chal 
B58AF439B186C221 neg: 1ff
[2003/01/05 16:49:38, 0] 
   cli_net_auth2: Error NT_STATUS_ACCESS_DENIED
[2003/01/05 16:49:38, 0] 
   cli_nt_setup_creds: auth2 challenge failed
[2003/01/05 16:49:38, 0] 
   connect_to_domain_password_server: unable to setup the PDC 
credentials to machine WINSERVER. Error was : NT_STATUS_OK.
[2003/01/05 16:49:38, 0] 
   domain_client_validate: Domain password server not available.

nmblookup (snipped)
[xserve:~] root# nmblookup -d4 WINSERVER
querying WINSERVER on
nmb packet from header: id=7983 opcode=Query(0) response=Yes
     header: flags: bcast=No rec_avail=No rec_des=Yes trunc=No auth=Yes
     header: rcode=0 qdcount=0 ancount=1 nscount=0 arcount=0
     answers: nmb_name=WINSERVER<00> rr_type=32 rr_class=1 ttl=300000
     answers   0 char `.....   hex 6000C0A80102
Got a positive name query response from ( ) WINSERVER<00>

I've done it this way (as far as I remember) 5-6 times- in addition 
to sending these directions to several folks who reported back 
success. Not sure what's different here.
Mac OS X Consulting and Training
Michael Bartosh
mbartosh at 4am-media.com
Denver, CO

"The surest way to corrupt a youth is to instruct him to hold in higher
regard those who think alike than those who think differently."

- -- Nietzsche

			Think Different.

More information about the samba mailing list