Hi all,

Earlier I emailed the list on some issues I was having with Windows 7, and one 
of those issues was the trust relationship breaking down after one month. I 
think I have some more light to shed on this topic.

First, some environmental facts

I am running Ubuntu Karmic 9.10 with Samba 3.4.0-3ubuntu5.1
I have installed the latest LDAP schema into OpenLDAP 2.4.18-0ubuntu1
I have a working LDAP directory with users and machine trust accounts. This is 
continuing to work flawlessly with XP clients.
I have applied the two registry hacks into my Windows 7 workstations to enable 
legacy domains, and to turn off the dns resolution requirement.

When I join the domain, everything happens as advertised, and I do get the 
error message from Windows 7 about DNS that I read on wiki.samba.org can be 
safely ignored. Immediately after joining the domain, and after the mandatory 
reboot, I can log in as advertised. However, after a period of time (not sure 
how long), the Windows 7 clients start using their cached credentials, and no 
longer communicate properly with the Samba PDC. After a period of about 1 
month, the clients no longer use their cached credentials, as they probably 
expire, and then I can no longer log in, with the message that "The trust 
relationship between this workstation and the primary domain failed."

After some digging, I noticed that the problem in the machine's log file was 
that the machine trust account could not be found.

[2009/12/07 19:33:13,  3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []...@[ac-1391] with the new password interface
[2009/12/07 19:33:13,  3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password:  mapped user is: [domain]...@[ac-1391]
[2009/12/07 19:33:13,  3] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2009/12/07 19:33:13,  0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:33:13,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
[2009/12/07 19:33:13,  0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:33:13,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
[2009/12/07 19:33:26,  0] lib/util_sock.c:537(read_socket_with_timeout)
[2009/12/07 19:33:26,  0] lib/util_sock.c:1468(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

The interesting line there is "Failed to find Unix account for ac-1391$". This 
implies that the account is missing, but when I look at the LDAP directory with 
my browser, it is there. Now it gets interesting... At the time I am trying to 
log in, I get the following in /var/log/syslog

Dec  7 19:46:27 server slapd[2514]: conn=184 op=2 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)

Invalid dn indeed. sambaDomainName=DOMAIN,dc=domain,dc=local exists, but 
sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local does not.

Does anyone know why Samba would be performing this as a lookup? I have seen 
other people with these symptoms, but I have not been able to find an answer.

aF
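As an added triage helper (not part of the post, and not Samba or OpenLDAP code), the script below correlates the two symptoms described above: smbd's "Failed to find Unix account for <machine>$" errors and slapd's "invalid dn" search rejections. It splits the rejected DN into RDNs and flags any RDN whose value is empty, which is exactly what makes sambaDomainName=,sambaDomainName=DOMAIN,... invalid. The log lines embedded in it are constructed samples modelled on the post's excerpts.

```python
import re

# Constructed sample lines modelled on the smbd log and syslog excerpts in the post.
SMBD_LOG = """\
[2009/12/07 19:33:13,  0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:33:13,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
[2009/12/07 19:35:02,  0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for AC-1391$
"""
SLAPD_LOG = """\
Dec  7 19:46:27 server slapd[2514]: conn=184 op=2 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)
Dec  7 19:46:28 server slapd[2514]: conn=185 op=1 SRCH base="dc=domain,dc=local" scope=2 deref=0 filter="(uid=ac-1391$)"
"""

MISSING_ACCOUNT = re.compile(r"Failed to find Unix account for (\S+\$)")
INVALID_DN = re.compile(r"do_search: invalid dn \((.+)\)")
UNESCAPED_COMMA = re.compile(r"(?<!\\),")  # RDN separator; a backslash-escaped comma is data


def split_rdns(dn):
    """Split a DN into (attribute, value) pairs, splitting only on unescaped commas."""
    pairs = []
    for rdn in UNESCAPED_COMMA.split(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def empty_rdn_attrs(dn):
    """Attribute names of RDNs whose value is empty; any such RDN makes the DN invalid."""
    return [attr for attr, value in split_rdns(dn) if value == ""]


def missing_machine_accounts(smbd_text):
    """Machine accounts (trailing '$') smbd reported as absent, case-folded and deduplicated."""
    return sorted({m.group(1).lower() for m in MISSING_ACCOUNT.finditer(smbd_text)})


def invalid_search_dns(slapd_text):
    """(dn, empty_attrs) for each slapd 'invalid dn' rejection of a search."""
    return [(m.group(1), empty_rdn_attrs(m.group(1))) for m in INVALID_DN.finditer(slapd_text)]


def correlate(smbd_text, slapd_text):
    """Pair smbd's missing-account errors with slapd's rejected DNs for one triage view."""
    return {"missing_accounts": missing_machine_accounts(smbd_text),
            "invalid_dns": invalid_search_dns(slapd_text)}


if __name__ == "__main__":
    for key, value in correlate(SMBD_LOG, SLAPD_LOG).items():
        print(key, value)
```

Run it against the real /var/log/samba/log.<machine> and /var/log/syslog contents instead of the embedded samples; a non-empty invalid_dns list with an empty sambaDomainName value is the signature of the lookup the post describes.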