Make sure that these settings are as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001
It helped solve a problem like the one you're having.

On Thursday 14 January 2010 09:27:08 Richard Basch wrote:
> I have been going through all the Wikis and various Google searches to try
> to solve my problem, all to no avail.
>
> I can mount a Samba share, but whenever I try to log in using a domain
> account, I receive an error about "The trust relationship between this
> workstation and the primary domain failed."
>
> What I have done so far, all to no avail:
> - Upgraded from Samba 3.4.2 to Samba 3.4.4 (under OpenSUSE 11.2)
> - Edited the registry settings on my Windows 7 client
>   HKLM\System\CCS\Services\LanmanWorkstation\Parameters
>   DWORD DomainCompatibilityMode = 1
>   DWORD DNSNameResolutionRequired = 0
>   (I also tried reducing the security requirements for signing & encryption,
>   but have read this is not required with current versions of Samba.)
>
> (And, I am running Windows 7 Professional on my client.)
>
> "testparm -v" indicates my smb.conf is valid, and I am able to mount
> shares, which is a positive indication the OpenLDAP integration is
> working. I am running OpenLDAP 2.4.15 or higher on all my LDAP servers (I
> think they are all 2.4.19 - 2.4.21).
>
> DNS is static, with none of the normal ADS entries. Only the DHCP server
> is allowed to modify DNS (and only the forward map allows updates, since
> DHCP updates of the reverse in-addr.arpa maps were problematic). To
> assist with finding the domain controller, I added the following to
> C:\Windows\System32\Drivers\etc\lmhosts:
>   192.168.15.2 tardis #PRE #DOM:N2HA
> (Thus my attempts to join the domain appear successful, with the documented
> warnings about the domain suffix. Unfortunately, appearances are deceiving
> when I actually try to log in using a domain account.)
>
> Attached are entries from my smbd.log and C:\Windows\debug\NetSetup.log and
> smb.conf.
>
> Any assistance or guidance would be greatly appreciated.
>
> log.smbd
> ========
> [2010/01/14 03:31:38, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
> [2010/01/14 03:31:38, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
> [2010/01/14 03:31:48, 0] lib/util_sock.c:539(read_fd_with_timeout)
> [2010/01/14 03:31:48, 0] lib/util_sock.c:1491(get_peer_addr_internal)
>   getpeername failed. Error was Transport endpoint is not connected
>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
> [2010/01/14 03:33:17, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
> [2010/01/14 03:33:17, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
> [2010/01/14 03:33:30, 0] lib/util_sock.c:539(read_fd_with_timeout)
> [2010/01/14 03:33:30, 0] lib/util_sock.c:1491(get_peer_addr_internal)
>   getpeername failed. Error was Transport endpoint is not connected
>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
> [2010/01/14 03:34:18, 0] lib/util_sock.c:539(read_fd_with_timeout)
> [2010/01/14 03:34:18, 0] lib/util_sock.c:1491(get_peer_addr_internal)
>   getpeername failed. Error was Transport endpoint is not connected
>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>
> C:\Windows\debug\NetSetup.log
> =============================
> 01/13/2010 23:36:18:337 NetpJoinDomain: status of connecting to dc '\\TARDIS': 0x0
> 01/13/2010 23:36:18:337 NetpProvisionComputerAccount:
> 01/13/2010 23:36:18:337     lpDomain: N2HA
> 01/13/2010 23:36:18:337     lpMachineName: BAST
> 01/13/2010 23:36:18:337     lpMachineAccountOU: (NULL)
> 01/13/2010 23:36:18:337     lpDcName: TARDIS
> 01/13/2010 23:36:18:337     lpDnsHostName: (NULL)
> 01/13/2010 23:36:18:337     lpMachinePassword: (null)
> 01/13/2010 23:36:18:337     lpAccount: N2HA\ntadmin
> 01/13/2010 23:36:18:337     lpPassword: (non-null)
> 01/13/2010 23:36:18:337     dwJoinOptions: 0x25
> 01/13/2010 23:36:18:337     dwOptions: 0x40000003
> 01/13/2010 23:36:18:352 NetpLdapBind: ldap_bind failed on TARDIS: 49: Invalid Credentials
> 01/13/2010 23:36:18:426 NetpGetLsaPrimaryDomain: DNS Domain policy not supported, falling back to Primary Domain
> 01/13/2010 23:36:18:430 NetpGetLsaPrimaryDomain: status: 0x0
> 01/13/2010 23:36:18:432 NetpCreateComputerObjectInDs: DC passed '\\TARDIS' doesn't have writable DS 0x101
> 01/13/2010 23:36:18:432 NetpProvisionComputerAccount: LDAP creation failed: 0x32
> 01/13/2010 23:36:18:432 NetpJoinDomainOnDs: Function exits with status of: 0x32
> 01/13/2010 23:36:18:434 NetpJoinDomainOnDs: status of disconnecting from '\\TARDIS': 0x0
> 01/13/2010 23:36:18:434 NetpDoDomainJoin: status: 0x32
> 01/13/2010 23:36:18:450 -----------------------------------------------------------------
> 01/13/2010 23:36:18:450 NetpDoDomainJoin
> 01/13/2010 23:36:18:450 NetpMachineValidToJoin: 'BAST'
> 01/13/2010 23:36:18:450     OS Version: 6.1
> 01/13/2010 23:36:18:450     Build number: 7600 (7600.win7_rtm.090713-1255)
> 01/13/2010 23:36:18:451     SKU: Windows 7 Professional
> 01/13/2010 23:36:18:451 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
> 01/13/2010 23:36:18:452 NetpGetLsaPrimaryDomain: status: 0x0
> 01/13/2010 23:36:18:453 NetpMachineValidToJoin: status: 0x0
> 01/13/2010 23:36:18:453 NetpJoinDomain
> 01/13/2010 23:36:18:453     Machine: BAST
> 01/13/2010 23:36:18:453     Domain: N2HA
> 01/13/2010 23:36:18:453     MachineAccountOU: (NULL)
> 01/13/2010 23:36:18:453     Account: N2HA\ntadmin
> 01/13/2010 23:36:18:453     Options: 0x27
> 01/13/2010 23:36:18:453 NetpLoadParameters: loading registry parameters...
> 01/13/2010 23:36:18:453 NetpLoadParameters: status: DNSNameResolutionRequired set to '0'
> 01/13/2010 23:36:18:453 NetpLoadParameters: status: DomainCompatibilityMode set to '1'
> 01/13/2010 23:36:18:453 NetpLoadParameters: status: 0x0
> 01/13/2010 23:36:18:453 NetpValidateName: checking to see if 'N2HA' is valid as type 3 name
> 01/13/2010 23:36:18:554 NetpCheckDomainNameIsValid [ Exists ] for 'N2HA' returned 0x0
> 01/13/2010 23:36:18:554 NetpValidateName: name 'N2HA' is valid for type 3
> 01/13/2010 23:36:18:554 NetpDsGetDcName: trying to find DC in domain 'N2HA', flags: 0x1020
> 01/13/2010 23:36:18:755 NetpLoadParameters: loading registry parameters...
> 01/13/2010 23:36:18:755 NetpLoadParameters: status: DNSNameResolutionRequired set to '0'
> 01/13/2010 23:36:18:755 NetpLoadParameters: status: DomainCompatibilityMode set to '1'
> 01/13/2010 23:36:18:755 NetpLoadParameters: status: 0x0
> 01/13/2010 23:36:18:755 NetpDsGetDcName: found DC '\\TARDIS' in the specified domain
> 01/13/2010 23:36:18:755 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
> 01/13/2010 23:36:18:756 NetpJoinDomain: status of connecting to dc '\\TARDIS': 0x0
> 01/13/2010 23:36:18:756 NetpProvisionComputerAccount:
> 01/13/2010 23:36:18:756     lpDomain: N2HA
> 01/13/2010 23:36:18:756     lpMachineName: BAST
> 01/13/2010 23:36:18:756     lpMachineAccountOU: (NULL)
> 01/13/2010 23:36:18:756     lpDcName: TARDIS
> 01/13/2010 23:36:18:756     lpDnsHostName: (NULL)
> 01/13/2010 23:36:18:756     lpMachinePassword: (null)
> 01/13/2010 23:36:18:756     lpAccount: N2HA\ntadmin
> 01/13/2010 23:36:18:756     lpPassword: (non-null)
> 01/13/2010 23:36:18:756     dwJoinOptions: 0x27
> 01/13/2010 23:36:18:756     dwOptions: 0x40000003
> 01/13/2010 23:36:18:764 NetpLdapBind: ldap_bind failed on TARDIS: 49: Invalid Credentials
> 01/13/2010 23:36:18:773 NetpGetLsaPrimaryDomain: DNS Domain policy not supported, falling back to Primary Domain
> 01/13/2010 23:36:18:776 NetpGetLsaPrimaryDomain: status: 0x0
> 01/13/2010 23:36:18:779 NetpCreateComputerObjectInDs: DC passed '\\TARDIS' doesn't have writable DS 0x101
> 01/13/2010 23:36:18:779 NetpProvisionComputerAccount: LDAP creation failed: 0x32
> 01/13/2010 23:36:18:779 NetpProvisionComputerAccount: Retrying downlevel per options
> 01/13/2010 23:36:18:881 NetpManageMachineAccountWithSid: NetUserAdd on 'TARDIS' for 'BAST$' failed: 0x8b0
> 01/13/2010 23:36:19:287 NetpManageMachineAccountWithSid: status of attempting to set password on 'TARDIS' for 'BAST$': 0x0
> 01/13/2010 23:36:19:287 NetpProvisionComputerAccount: retry status of creating account: 0x0
> 01/13/2010 23:36:19:287 NetpEncodeProvisioningBlob: Encoding provisioning data
> 01/13/2010 23:36:19:287 NetpInitBlobWin7: Constructing blob...
> 01/13/2010 23:36:19:287     Blob version: 1
>
> smb.conf
> ========
> [global]
> workgroup = N2HA
> realm = INTERNAL.BRIGHT-PROSPECTS.COM
> security = user
> map to guest = Bad User
> usershare allow guests = Yes
>
> server string = %h (Samba %v)
> hosts allow = 192.168.0.0/16
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> smb ports = 445 139
> ;os level = 65
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
> winbind use default domain = yes
>
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
>
> name resolve order = wins lmhosts bcast
> wins support = yes
> dns proxy = no
> ea support = yes
> enable asu support = yes
> time server = yes
> deadtime = 10
> max log size = 4096
> hide unreadable = yes
> hide dot files = no
> template shell = /bin/false
> veto oplock files = /*.pst/*.nsf/*.doc/*.xls/*.mdb/
>
> client lanman auth = no
> client ntlmv2 auth = yes
> client plaintext auth = no
> encrypt passwords = yes
> lanman auth = no
> ntlm auth = yes
> null passwords = yes
> server signing = auto
> server schannel = auto
>
> passdb backend = ldapsam:ldaps://ldap.internal.bright-prospects.com/
> obey pam restrictions = no
> ldap ssl = no
> ldap admin dn = "uid=ntadmin,ou=System,ou=User,dc=bright-prospects,dc=com"
> ldap suffix = dc=bright-prospects,dc=com
> ldap machine suffix = sambaDomainName=N2HA,ou=Network
> ldap user suffix = ou=People,ou=User
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=IdMap,ou=Network
> ldap passwd sync = yes
> ldap delete dn = no
>
> add user script = /home/admin/bin/smbldap-useradd -m %u
> delete user script = /home/admin/bin/smbldap-userdel %u
> add machine script = /home/admin/bin/smbldap-useradd -w %u
> add group script = /home/admin/bin/smbldap-groupadd -p %g
> #delete group script = /home/admin/bin/smbldap-groupdel %g
> add user to group script = /home/admin/bin/smbldap-groupmod -m %u %g
> delete user from group script = /home/admin/bin/smbldap-groupmod -x %u %g
> set primary group script = /home/admin/bin/smbldap-usermod -g %g %u
> passwd program = /home/admin/bin/smbldap-passwd %u
>
> vfs objects = extd_audit recycle
> recycle: directory_mode = 0770
> recycle: keeptree = 1
> recycle: touch = 1
> recycle: minsize = 1
> recycle: maxsize = 5000000
> recycle: exclude = *.tmp *.temp ~$* *.obj *.~??
> recycle: exclude_dir = /RealTimeBackup
> ;vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
>
> [homes]
> comment = Home Directories
> ;valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
> ;
> locking = no
> hide files = /.*/desktop.ini/thumbs.db/*.bitmap/NTUSER.*/
> hide special files = yes
> path = /home/%S
>
> [profiles]
> comment = Network Profiles Service
> ;path = %H
> read only = No
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> ;
> hide files = /desktop.ini/thumbs.db/*.bitmap/
> guest ok = yes
> path = /home/profiles
>
> [users]
> comment = All users
> path = /home
> read only = No
> inherit acls = Yes
> veto files = /aquota.user/groups/shares/
>
> [groups]
> comment = All groups
> path = /home/groups
> read only = No
> inherit acls = Yes
>
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0600
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
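A way to confirm that a Windows client actually carries the two Netlogon values the reply names, as an added example that is not from this thread: it assumes an elevated PowerShell session and uses only the key path and DWORD values quoted in the reply; the -Apply switch is this example's own.

```powershell
# Added example (not from the thread): audit the Netlogon DWORDs the reply
# recommends and report drift; -Apply writes them back to 1.
# Assumes an elevated PowerShell session on the Windows client.
param([switch]$Apply)

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
# Expected values taken from the reply: both must be 1 (enabled).
$Expected = [ordered]@{ RequireSignOrSeal = 1; RequireStrongKey = 1 }

$results = foreach ($name in $Expected.Keys) {
    # Get-ItemProperty returns $null when the named value does not exist.
    $prop    = Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
    $current = $null
    if ($null -ne $prop) { $current = [int]$prop.$name }
    $display = '<missing>'
    if ($null -ne $current) { $display = $current }
    [pscustomobject]@{
        Name     = $name
        Current  = $display
        Expected = $Expected[$name]
        OK       = ($current -eq $Expected[$name])
    }
}
$results | Format-Table -AutoSize

$drift = @($results | Where-Object { -not $_.OK })
if ($drift.Count -eq 0) {
    Write-Host 'Netlogon secure-channel parameters match the recommended values.'
}
elseif ($Apply) {
    foreach ($r in $drift) {
        # -Force creates the value if it is missing and overwrites it otherwise.
        New-ItemProperty -Path $KeyPath -Name $r.Name -PropertyType DWord `
            -Value $r.Expected -Force | Out-Null
        Write-Host "Set $($r.Name) = $($r.Expected)"
    }
    # Netlogon reads these parameters when the service starts.
    Write-Host 'Restart the Netlogon service (Restart-Service Netlogon) or reboot to apply.'
}
else {
    $names = ($drift | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Drift found in: $names. Re-run with -Apply to set them to 1."
}
```

A value reported as <missing> means Windows falls back to its built-in default for that parameter, so treating it the same as drift is deliberate.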
