[Samba] WinXP and Samba PDC Auth Problem

Aaron Smith aaron at pandora-net.com
Mon Dec 6 00:28:49 GMT 2004


 	I have been running a Samba PDC with Samba version 3.0.0
on Redhat 7.3 for quite some time.  My WinXP Pro SP2 system is part
of the domain and everything has been working just peachy.  And then,
of course, I had to tinker with it.
 	I upgraded the linux box to Whitebox Linux 3.0, a derivative
of Redhat Enterprise Linux 3.0.  It comes with Samba 3.0.7.  After
installing and updating everything, I brought over the entire contents
of my /etc/samba directory and loaded a previously saved LDIF file for
my LDAP server (which samba authenticates to).  No changes were made in
any of these files and no changes were made on the WinXP box.  If I
do an "smbclient -L <linux-box-name>" it prompts me for a password, which
is accepted, and a list of shares is presented.  If I do the same thing
using the WinXP's name, I get:

session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

If I attempt to log in with a domain account on the XP box, I get a dialog 
box that says:
"Windows could not connect to the domain, either because the domain 
controller is down, or otherwise unavailable, or because your computer
account was not found."

I *AM* able to remove the XP machine from the domain and re-add it without
incident.  Or at least, I get the "Welcome to the PANDORANET Domain" 
message when adding it so I'm assuming the kali$ machine account is being 
properly found.

I suspect that this has something to do with the schannel settings.  Samba 
reports that all 4 settings are currently set to "Auto" which seems to be 
the ideal setting.  The first thing I tried was the registry change for 
signorseal to 0, but that had no effect.  Currently, under the Local 
Security settings, I have for what I believe are the pertinent settings:

Domain member: Digitally encrypt or sign secure channel data (always): 
Enabled

Domain member: Digitally encrypt secure channel data (when possible): 
Enabled

Domain member: Digitally sign secure channel data (when possible): Enabled

Microsoft Network Client:  Digitally sign communications (always): 
Disabled

Microsoft Network Client:  Digitally sign communications (if server 
agrees): Enabled

Microsoft Network Server: Digitally sign communications (always): Disabled

Microsoft Network Server: Digitally sign communications (if server 
agrees): Enabled


Anyone have any ideas?  I've been tearing my hair out over this all 
weekend!

-----------------------------------------------------------------
Aaron Smith             		vox: 269.226.9550 ext.26
Network Director        		fax: 269.349.9076 
Nexcerpt, Inc.          		http://www.nexcerpt.com

 	...Nexcerpt... Extend Your Expertise

