Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Domain Client Login Problem

Options
  • 09-08-2004 7:37pm
    #1
    Stky10
    Registered Users Posts: 1,165 ✭✭✭


    I have a small domain setup with maybe 10-15 clients.
    One of the clients that was working fine is now giving
    problems.

    Only the domain administrator can login to the machine.
    No other user, no matter if they have admin privileges
    is allowed. I've been running ethereal on the domain
    controller and I've noticed the following

    (p.s. doubt if this matters, but the client is WinXP, and
    the controller is Win2000 Server)

    (1) The client keeps sending "SAM LOGON request from
    client" packets to the controller, but the User name
    supplied in the packet is blank. The controller then
    sends a "SAM Active Directory Response - user unknown"
    packets to the client

    (2) When a user trys to login, the client sends a
    KRB5 "AS-REQ" packet to the controller, with a
    client name of the user trying to login, type principal,
    name of the user logging in, and realm of the domain
    name. The Server Name is krbtgt (rather than the
    name of the domain controller), and type is "Service
    and Instance"

    The controller then responds with a "AS-REP" packet,
    to which the client responds with a "TGS-REQ" packet,
    with Realm of the domain name, Server Name "host",
    Type "Service and Host", then Name "host" and then
    Name "pc3".

    The controller then responds with a "KRB-ERROR"
    packet, with error code "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"
    and the realm of the domain name.

    So....I'm wondering is there some sort of virus/worm on
    the machine thats sending out the SAM logon request
    packets, and is the problem with logon that its attempting
    to logon using the Server Name "host" rather than the
    name of the domain controller???

    I'm kind of lost here....I'm a UNIX admin rather than a
    Windows admin so any help would be gratefully received...


Comments

  • Options
    #2
    Hankster
    Closed Accounts Posts: 36 Hankster


    Stky10 wrote:
    (1) The client keeps sending "SAM LOGON request from
    client" packets to the controller, but the User name
    supplied in the packet is blank. The controller then
    sends a "SAM Active Directory Response - user unknown"
    packets to the client
    Doing a quick search on the Microsoft support website, brought up this.
    This article describes incompatibilities that may occur on client computers that are running Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT 4.0, Microsoft Windows 2000, Microsoft Windows XP Professional, or Microsoft Windows Server 2003 when you modify specific security settings and user rights assignments in Windows NT 4.0 domains, in Windows 2000 domains, and in Windows Server 2003 domains. By configuring these settings and assignments in local policies and in group policies, you can help tighten the security on domain controllers and on member computers. The downside of increased security is the introduction of incompatibilities with clients, with services, and with programs.
    Doesn't exactly make for light reading, but could be of use to you, but may also not be...


  • Options
    #3
    Stky10
    Registered Users Posts: 1,165 ✭✭✭Stky10


    Could possibly be I suppose, but why did the same client
    work for the past year, and all of a sudden not work??.

    I dont know, I think I'll make sure they're both got all
    available patches installed and try again....


  • Options
    #4
    Hankster
    Closed Accounts Posts: 36 Hankster


    Is it possible that one of the users who logged on had/has admin rights and was able to mess around with the security settings on that one PC? That would explain why it worked one minute and not the next. Especially if they didn't know what they were doing.

    I'd check that out before patching all of your PCs (although, you should of course still do this). There are all sorts of funky groups in Windows 2000 that have different levels of rights and it could be that one of the users has inadvertently been placed in one of these.


  • Options
    #5
    RicardoSmith
    Closed Accounts Posts: 8,264 ✭✭✭RicardoSmith


    I've had problems with user accounts becoming corrupt in the past, and had to delete them and recreate them.


  • Options
    #6
    Stky10
    Registered Users Posts: 1,165 ✭✭✭Stky10


    Sorry bout not getting back bout this but have been really
    really busy....

    Tried a few things but none of them worked. Eventually
    removed the machine from the domain, placed it in a workgroup,
    the machine rebooted, removed it from the workgroup,
    and restored it to the domain, the machine rebooted again,
    and then all was well again. I still havent a notion what
    was wrong.....but I'm happy that some of these typically
    microsoft solutions usually end up being the ones that
    work.


  • Advertisement
Advertisement