[Samba] "credentials check wrong" only with Windows NT4 Clients

Lars Scheiter samba at gonicus.de
Fri Jun 11 11:07:58 GMT 2004


Hi,

We tried to migrate an NT4 domain to Samba 3.0.4. We took the easy approach and 
started to dump the NT PW database with "pwdump" and the groups with 
"addusers", which were used to build the initial LDAP DB for the Samba server. 
The SID was set and the Samba PDC was started as a replacement for the NT 
one.
Logging on to the domain with Windows 200x and XP machines works flawlessly so 
far, no need to rejoin the domain. But existing NT4 with Service Pack 6 
servers refuse to connect to the new Samba domain. The following error 
message appears:
"The system cannot log you on to this domain because the system's computer 
account in its primary domain is missing or the password on that account is 
incorrect".

The error message Samba produces is as follows:
[2004/06/11 10:45:43, 4] libsmb/credentials.c:cred_session_key(59)
  cred_session_key
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_session_key(61)
        clnt_chal: 350AACEBF04D5235
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_session_key(62)
        srv_chal : 165865D394A09AA6
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_session_key(63)
        clnt+srv : 4B6211BF84EEECDB
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_session_key(64)
        sess_key : 2B91328B239AE687
[2004/06/11 10:45:43, 4] libsmb/credentials.c:cred_create(90)
  cred_create
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_create(92)
        sess_key : 2B91328B239AE687
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_create(93)
        stor_cred: 350AACEBF04D5235
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_create(94)
        timestamp: 0
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_create(95)
        timecred : 350AACEBF04D5235
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_create(96)
        calc_cred: B81E845AE6063ECA
[2004/06/11 10:45:43, 4] libsmb/credentials.c:cred_assert(121)
  cred_assert
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_assert(123)
        challenge : 7A15BB4592D4AAEB
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_assert(124)
        calculated: B81E845AE6063ECA
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_assert(133)
  credentials check wrong
[2004/06/11 10:45:43, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 net_io_r_auth_2
[2004/06/11 10:45:43, 6] rpc_parse/parse_prs.c:prs_debug(82)
      000000 smb_io_chal
[2004/06/11 10:45:43, 5] rpc_parse/parse_prs.c:prs_uint8s(722)
          0000 data: 20 f6 ff bf a8 cb 38 08
[2004/06/11 10:45:43, 6] rpc_parse/parse_prs.c:prs_debug(82)
      000008 net_io_neg_flags
[2004/06/11 10:45:43, 5] rpc_parse/parse_prs.c:prs_uint32(635)
          0008 neg_flags: 400001ff
[2004/06/11 10:45:43, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
      000c status: NT_STATUS_ACCESS_DENIED

Well, the computer's account is present in the database, it was also dumped via 
"pwdump" and added to the LDAP DB. In fact with Win2K and higher everything is 
working. Since nobody else seems to have this particular problem in 
conjunction with Windows NT4 (well, Google hasn't one in its database), I try 
to ask the list.
To be precise, everything else in this domain seems to work, we got the right 
group information and every user can log in and has his own profile, well, 
except if logged in from a Windows NT4 workstation.
The only possible solution to this problem was to quit the machine from the 
domain and rejoin it immediately (i.e. without a reboot), but for a rollout 
this is not practicable :(

If anybody needs further information, I may send complete logs and 
configurations.


Thanks in advance
Lars
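
An added example, not part of the original post and not Samba code: a small Python triage script for the level-5 `libsmb/credentials.c` output quoted above. It checks that the logged `clnt+srv` value is consistent with adding the two challenges as two little-endian 32-bit words, and that the client's `challenge` differs from the server's `calculated` credential; the function names are hypothetical and the log excerpt is copied from the post.

```python
import re

# Excerpt of the debug log quoted in the post above (values copied from it).
LOG = """\
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_session_key(61)
        clnt_chal: 350AACEBF04D5235
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_session_key(62)
        srv_chal : 165865D394A09AA6
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_session_key(63)
        clnt+srv : 4B6211BF84EEECDB
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_assert(123)
        challenge : 7A15BB4592D4AAEB
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_assert(124)
        calculated: B81E845AE6063ECA
[2004/06/11 10:45:43, 5] libsmb/credentials.c:cred_assert(133)
  credentials check wrong
"""

FIELD = re.compile(r"^\s+(clnt_chal|srv_chal|clnt\+srv|challenge|calculated)\s*:\s*([0-9A-Fa-f]{16})\s*$")

def parse_fields(text):
    """Collect the 8-byte hex values from the indented 'name : value' lines."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = bytes.fromhex(m.group(2))
    return fields

def add_challenges(clnt, srv):
    """Add two 8-byte challenges as two little-endian 32-bit words, wrapping on overflow."""
    out = b""
    for off in (0, 4):
        a = int.from_bytes(clnt[off:off + 4], "little")
        b = int.from_bytes(srv[off:off + 4], "little")
        out += ((a + b) & 0xFFFFFFFF).to_bytes(4, "little")
    return out

def diagnose(text):
    f = parse_fields(text)
    return {
        "sum_consistent": add_challenges(f["clnt_chal"], f["srv_chal"]) == f["clnt+srv"],
        "credential_match": f["challenge"] == f["calculated"],
        "failure_logged": "credentials check wrong" in text,
    }

if __name__ == "__main__":
    print(diagnose(LOG))
```
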


