Hello all, I guess that everyone knows the message "the trust relationship between this workstation and the primary domain failed" when joining Win7 into a Samba domain. Unfortunately, the same problem appeared a few hours/days after the machine was successfully joined to the domain (with the registry keys from https://wiki.samba.org/index.php/Windows7) and the user was able to use it for a while. Then, at random intervals, when the user tries to log in again, he sees the "trust" message and has to type his password 3-5 or more times before a successful login.
The setup includes a PDC and a BDC, both running on RHEL (5.5 and 5.6) 64-bit with samba 3.5.4-0.70.el5_6.1 + LDAP (fedora-ds) for user and computer authentication; 20 x Win7 machines and 500 x WinXP (XP has no problems). I've read about similar symptoms when Win7 tries to change its machine password every 30 days. Therefore some additional registry keys were added:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
    "DisablePasswordChange"=dword:00000001
    "MaximumPasswordAge"=dword:1000000

and this didn't help. I've compared the machine password values on both LDAP servers - they are the same and synchronization is working fine. In the wild, some people report that this issue is fixed when "lmcompatibilitylevel" is limited to LM and NTLM authentication (NTLMv2 if negotiated), but this didn't help either:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "lmcompatibilitylevel"=dword:00000001

As I understood from `man 5 smb.conf`, the default Samba behaviour when nothing is specified for "client ntlmv2 auth", "client plaintext auth", "lanman auth", "client lanman auth" and "ntlm auth" is to enable only NTLMv1. Is that correct, because all Win7s can authenticate even with NTLMv2 enabled only?! (It is not a password cache ... I tried with a new username which was never used on the workstation before.)
My log options in smb.conf are:

    log level = 0 auth:10 lanman:10

Here is the log when the user is experiencing the issue:

[2011/06/30 14:31:17.726884, 5] auth/auth_util.c:211(make_user_info_map)
  Mapping user []\[] from workstation [TESTMACHINE]
[2011/06/30 14:31:17.726952, 5] auth/auth_util.c:232(make_user_info_map)
  Mapped domain from [] to [DOMAIN] for user [] from workstation [TESTMACHINE]
[2011/06/30 14:31:17.726978, 5] auth/auth_util.c:122(make_user_info)
  attempting to make a user_info for  ()
[2011/06/30 14:31:17.727000, 5] auth/auth_util.c:132(make_user_info)
  making strings for 's user_info struct
[2011/06/30 14:31:17.727021, 5] auth/auth_util.c:164(make_user_info)
  making blobs for 's user_info struct
[2011/06/30 14:31:17.727042, 10] auth/auth_util.c:182(make_user_info)
  made an encrypted user_info for  ()
[2011/06/30 14:31:17.727065, 3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:17.727090, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN]\[]@[TESTMACHINE]
[2011/06/30 14:31:17.727111, 10] auth/auth.c:228(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2011/06/30 14:31:17.727132, 10] auth/auth.c:230(check_ntlm_password)
  challenge is:
[2011/06/30 14:31:17.767852, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2011/06/30 14:31:17.767920, 5] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] -> [] -> [nobody] succeeded
[2011/06/30 14:31:17.767943, 5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2011/06/30 14:31:17.767965, 10] auth/auth_util.c:2123(free_user_info)
  structure was created for
[2011/06/30 14:31:17.772407, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-1-0 to gid, ignoring it
[2011/06/30 14:31:17.773632, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-2 to gid, ignoring it
[2011/06/30 14:31:17.774822, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-32-546 to gid, ignoring it
[2011/06/30 14:31:17.774906, 10] auth/token_util.c:531(debug_nt_user_token)
  NT user token of user S-1-5-21-3341649654-3636416974-85384702-501 contains 5 SIDs
  SID[ 0]: S-1-5-21-3341649654-3636416974-85384702-501
  SID[ 1]: S-1-1-0
  SID[ 2]: S-1-5-2
  SID[ 3]: S-1-5-32-546
  SID[ 4]: S-1-22-1-99
  SE_PRIV 0x0 0x0 0x0 0x0
[2011/06/30 14:31:17.774996, 10] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 99
  Primary group is 99 and contains 0 supplementary groups
[2011/06/30 14:31:17.785859, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client TESTMACHINE machine account TESTMACHINE$
[2011/06/30 14:31:25.321099, 5] auth/auth.c:481(make_auth_context_subsystem)
  Making default auth method list for DC, security=user, encrypt passwords = yes

After a few tries we successfully log in:

[2011/06/30 14:31:25.322605, 10] auth/auth_util.c:182(make_user_info)
  made an encrypted user_info for TESTMACHINE$ (TESTMACHINE$)
[2011/06/30 14:31:25.322626, 3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMAIN]\[TESTMACHINE$]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:25.322651, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN]\[TESTMACHINE$]@[TESTMACHINE]
[2011/06/30 14:31:25.322672, 10] auth/auth.c:228(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by NTLMSSP callback (NTLM2)
[2011/06/30 14:31:25.322693, 10] auth/auth.c:230(check_ntlm_password)
  challenge is:
[2011/06/30 14:31:25.322717, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2011/06/30 14:31:25.327291, 4] auth/auth_sam.c:180(sam_account_ok)
  sam_account_ok: Checking SMB password for user TESTMACHINE$
[2011/06/30 14:31:25.327439, 5] auth/auth_sam.c:162(logon_hours_ok)
  logon_hours_ok: user TESTMACHINE$ allowed to logon at this time (Thu Jun 30 11:31:25 2011 )
[2011/06/30 14:31:25.382399, 5] auth/auth_util.c:649(make_server_info_sam)
  make_server_info_sam: made server info for user TESTMACHINE$ -> TESTMACHINE$
[2011/06/30 14:31:25.382496, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [TESTMACHINE$] succeeded
[2011/06/30 14:31:25.382541, 5] auth/auth.c:291(check_ntlm_password)
  check_ntlm_password: PAM Account for user [TESTMACHINE$] succeeded
[2011/06/30 14:31:25.382572, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [TESTMACHINE$] -> [TESTMACHINE$] -> [TESTMACHINE$] succeeded
[2011/06/30 14:31:25.382643, 5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2011/06/30 14:31:25.382665, 10] auth/auth_util.c:2123(free_user_info)
  structure was created for TESTMACHINE$
[2011/06/30 14:31:25.386736, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-1-0 to gid, ignoring it
[2011/06/30 14:31:25.387737, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-2 to gid, ignoring it
[2011/06/30 14:31:25.388766, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-11 to gid, ignoring it
[2011/06/30 14:31:25.388853, 10] auth/token_util.c:531(debug_nt_user_token)
  NT user token of user S-1-5-21-3341649654-3636416974-85384702-67110721 contains 7 SIDs
  SID[ 0]: S-1-5-21-3341649654-3636416974-85384702-67110721
  SID[ 1]: S-1-5-21-3341649654-3636416974-85384702-515
  SID[ 2]: S-1-1-0
  SID[ 3]: S-1-5-2
  SID[ 4]: S-1-5-11
  SID[ 5]: S-1-22-1-7016
  SID[ 6]: S-1-22-2-515
  SE_PRIV 0x0 0x0 0x0 0x0
[2011/06/30 14:31:25.388963, 10] auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 7016
  Primary group is 515 and contains 1 supplementary groups
  Group[ 0]: 515
[2011/06/30 14:31:25.428362, 5] auth/auth.c:481(make_auth_context_subsystem)
  Making default auth method list for DC, security=user, encrypt passwords = yes
[2011/06/30 14:31:25.428435, 5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2011/06/30 14:31:25.428461, 5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2011/06/30 14:31:25.428484, 5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2011/06/30 14:31:25.428506, 5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2011/06/30 14:31:25.428527, 5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match winbind:trustdomain
[2011/06/30 14:31:25.428549, 5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match trustdomain
[2011/06/30 14:31:25.428581, 5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method trustdomain has a valid init
[2011/06/30 14:31:25.428602, 5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2011/06/30 14:31:25.428624, 5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module guest did not want to specify a challenge
[2011/06/30 14:31:25.428645, 5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module sam did not want to specify a challenge
[2011/06/30 14:31:25.428666, 5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module winbind did not want to specify a challenge
[2011/06/30 14:31:25.428694, 5] auth/auth.c:132(get_ntlm_challenge)
  auth_context challenge created by random
[2011/06/30 14:31:25.428717, 5] auth/auth.c:133(get_ntlm_challenge)
  challenge is:
[2011/06/30 14:31:25.429072, 5] auth/auth_util.c:211(make_user_info_map)
  Mapping user [DOMAIN]\[dichev] from workstation [TESTMACHINE]
[2011/06/30 14:31:25.429097, 5] auth/auth_util.c:122(make_user_info)
  attempting to make a user_info for dichev (dichev)
[2011/06/30 14:31:25.429119, 5] auth/auth_util.c:132(make_user_info)
  making strings for dichev's user_info struct
[2011/06/30 14:31:25.429141, 5] auth/auth_util.c:164(make_user_info)
  making blobs for dichev's user_info struct
[2011/06/30 14:31:25.429162, 10] auth/auth_util.c:182(make_user_info)
  made an encrypted user_info for dichev (dichev)
[2011/06/30 14:31:25.429184, 3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMAIN]\[dichev]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:25.429209, 3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN]\[dichev]@[TESTMACHINE]
[2011/06/30 14:31:25.429265, 10] auth/auth.c:228(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2011/06/30 14:31:25.429287, 10] auth/auth.c:230(check_ntlm_password)
  challenge is:
[2011/06/30 14:31:25.429314, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2011/06/30 14:31:25.431988, 4] auth/auth_sam.c:180(sam_account_ok)
  sam_account_ok: Checking SMB password for user dichev
[2011/06/30 14:31:25.432048, 5] auth/auth_sam.c:162(logon_hours_ok)
  logon_hours_ok: user dichev allowed to logon at this time (Thu Jun 30 11:31:25 2011)
[2011/06/30 14:31:25.438531, 5] auth/auth_util.c:649(make_server_info_sam)
  make_server_info_sam: made server info for user dichev -> dichev
[2011/06/30 14:31:25.438636, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [dichev] succeeded
[2011/06/30 14:31:25.438679, 5] auth/auth.c:291(check_ntlm_password)
  check_ntlm_password: PAM Account for user [dichev] succeeded
[2011/06/30 14:31:25.438701, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [dichev] -> [dichev] -> [dichev] succeeded
[2011/06/30 14:31:25.438726, 5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2011/06/30 14:31:25.438747, 10] auth/auth_util.c:2123(free_user_info)

It seems that in the first (the bad) request the machine does not report the domain name and its machine name ... I don't know why. All ideas appreciated!!

Thanks,
Ivan Dichev
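The following is an added example, not part of the original post or of Samba: a small parser for the Samba 3.x debug log layout shown above (a `[date time, level] file:line(function)` header line followed by indented message lines) that pulls out the three symptoms visible in the bad request: an anonymous `make_user_info_map` mapping with an empty domain and user, a guest fallback in `check_ntlm_password`, and the `_netr_ServerAuthenticate3` rejection from `netlogon_creds_server_check`. Counting those rejections per machine account over a day or two of logs is the quickest way to see whether the secure-channel failure lines up with a machine-password change on the affected Win7 clients rather than with the user's own password. The sample log is constructed from entries quoted in the post; the header/message layout and the message texts are assumed from that output.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Samba 3.x debug log layout (assumed from the output quoted in the post):
# a header "[YYYY/MM/DD hh:mm:ss.usec, level] file:line(function)" followed
# by one or more message lines indented with two spaces.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), +(?P<level>\d+)\] "
    r"(?P<src>[\w/.]+:\d+)\((?P<func>\w+)\)\s*$"
)
# "Mapping user [DOMAIN]\[user] from workstation [WS]"; empty brackets mean anonymous.
MAP_RE = re.compile(
    r"Mapping user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
    r"from workstation \[(?P<ws>[^\]]+)\]"
)
# Secure-channel (netlogon) rejection for a machine account.
REJECT_RE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request from client "
    r"(?P<client>\S+) machine account (?P<acct>\S+)"
)


@dataclass
class Entry:
    ts: str
    level: int
    func: str
    message: str


@dataclass
class Finding:
    kind: str      # anonymous_logon | guest_fallback | netlogon_reject
    ts: str
    subject: str   # workstation or machine account the finding concerns
    detail: str


def parse_samba_log(text: str) -> List[Entry]:
    """Group header + indented message lines into Entry records."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Entry(m["ts"], int(m["level"]), m["func"], "")
            entries.append(current)
        elif current is not None and line.strip():
            # Continuation line: append to the current entry's message.
            current.message = (current.message + " " + line.strip()).strip()
    return entries


def find_trust_symptoms(entries: List[Entry]) -> List[Finding]:
    """Flag the log signatures seen in the failing logon attempt."""
    findings: List[Finding] = []
    for e in entries:
        if e.func == "make_user_info_map":
            m = MAP_RE.search(e.message)
            if m and not m["user"]:
                findings.append(Finding("anonymous_logon", e.ts, m["ws"],
                                        f"empty domain/user from workstation {m['ws']}"))
        elif e.func == "check_ntlm_password" and \
                "guest authentication for user [] succeeded" in e.message:
            findings.append(Finding("guest_fallback", e.ts, "",
                                    "anonymous request mapped to guest"))
        elif e.func == "_netr_ServerAuthenticate3":
            m = REJECT_RE.search(e.message)
            if m:
                findings.append(Finding("netlogon_reject", e.ts, m["acct"],
                                        f"secure channel rejected for client {m['client']}"))
    return findings


def rejects_per_account(findings: List[Finding]) -> Dict[str, int]:
    """How often each machine account failed netlogon_creds_server_check."""
    return dict(Counter(f.subject for f in findings if f.kind == "netlogon_reject"))


# Constructed sample, assembled from entries quoted in the post.
SAMPLE_LOG = """\
[2011/06/30 14:31:17.726884, 5] auth/auth_util.c:211(make_user_info_map)
  Mapping user []\\[] from workstation [TESTMACHINE]
[2011/06/30 14:31:17.767852, 3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2011/06/30 14:31:17.785859, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client TESTMACHINE machine account TESTMACHINE$
[2011/06/30 14:31:25.429072, 5] auth/auth_util.c:211(make_user_info_map)
  Mapping user [DOMAIN]\\[dichev] from workstation [TESTMACHINE]
[2011/06/30 14:31:25.438701, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [dichev] -> [dichev] -> [dichev] succeeded
"""

if __name__ == "__main__":
    found = find_trust_symptoms(parse_samba_log(SAMPLE_LOG))
    for f in found:
        print(f"{f.ts} {f.kind:16} {f.subject:12} {f.detail}")
    print("netlogon rejections per machine account:", rejects_per_account(found))
```

Run it over `log.smbd` (or the per-client log file) instead of `SAMPLE_LOG`; a machine account that keeps appearing in `rejects_per_account` while the user's own `sam authentication ... succeeded` lines are fine points at the workstation's stored secure-channel password, not at the user's credentials.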
