> From: Eimac Dude [mailto:eimacd...@aol.com]
> Sent: 24 January 2013 19:43
> To: samba@lists.samba.org
> Subject: [Samba] PDC: "The trust relationship ... failed" from the
> beginning
>
> Hi,
>
> When I try a net logon from Windows 7 64-bit Business (don't have any
> other Windows machines), I get "The trust relationship between this
> workstation and the primary domain failed". The discussion I've found
> around the Web regarding this error message seems to be only in the
> context of the 30 day password expiry issue, where the solution is to
> simply rejoin the domain. Unfortunately, I have this problem *always*,
> and rejoining does not help. I have not been able to do a net login at
> all, from the first time I tried. At the same time, there's no problem
> accessing the Samba shares by going to \\SMB in Windows Explorer and
> logging in with the same user accounts.
>
> # smbstatus
> Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
>
> The LAN is on 172.16. and the Samba machine is also the LAN's DNS
> server; not using LDAP.
>
> We had been using Samba for simple file sharing, with no domain
> functionality enabled, and with the Windows machines on the network
> configured as members of the workgroup. We recently decided to set
> Samba as a PDC and support roaming profiles, and have been blocked by
> this trust error.
>
> I made some changes to smb.conf, which can be seen here:
> http://pastebin.com/raw.php?i=qKvQq3W2
>
> The profiles directory was chmod 2775 and its group changed from root
> to users. The netlogon directory is 755. Initially, in smb.conf the
> name resolve order was starting with dns, but Windows 7 kept giving me
> an error about not finding the domain when I tried to change from
> workgroup to domain, so I took that out and set wins as the first item
> in the list.
>
> # cat /etc/samba/smbusers:
> root = administrator Administrator admin
> nobody = guest pcguest smbguest
>
> I added root to smbpasswd.
> I also executed the following:
>
> net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
> net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
> net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
> net rpc rights grant -U root "URBASE\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>
> The Windows machines are configured as specified on
> wiki.samba.org/index.php/Windows7 (that is, I only edited
> DomainCompatibilityMode and DNSNameResolutionRequired). Changing from
> workgroup to domain and rebooting, then trying to log in with one of
> the SMB users gives me the "The trust relationship between this
> workstation and the primary domain failed" error. I can only log into
> the local machine account. If, instead of changing from workgroup to
> domain directly, I try to use the network ID wizard, it eventually
> leads to the same error when it tries to set up the domain user.
> Looking at /etc/samba/smbpasswd, the machine account shows up there so
> the add machine script seems to be working; however,
>
> # tail /var/log/samba/log.smbd
> [2013/01/23 14:26:16.350332, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
> [2013/01/23 14:26:16.352562, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
> [2013/01/23 14:37:22.518159, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
>
> Why is it not working? I don't know how to troubleshoot this.
> I've tried removing the machine from the domain then taking it out of
> smbpasswd and the Unix accounts, and then rejoining, but same errors. I
> tried manually adding the IP address in the Windows machine's WINS
> setting, but it doesn't make a difference.
>
> One thing I'm unsure of is the DNS suffixes thing which seems to be
> mentioned on some sites in association with this. In the Windows
> clients, under "Append these DNS suffixes (in order)" we've normally
> had as suffix the DNS master zone for the LAN, which is different from
> the domain name in smb.conf -- if that matters at all given joining the
> domain should be using WINS instead of DNS for name resolution. I tried
> adding the domain in there anyway, but it doesn't help.
>
> Can anyone kindly help? I've asked on a couple of other forums but to
> no avail...
Are the clocks synchronised between the 2 machines? According to
http://community.spiceworks.com/topic/170347-trust-relationship-between-this-workstation-and-primary-domain-failed
clock discrepancy can be one cause of this problem.

Moray.
"To err is human; to purr, feline."
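
Added example, not part of the thread: a small parser for the `log.smbd` entries quoted above that groups `netlogon_creds_server_check` rejections by machine account and reports the count with the first and last timestamps, so they can be lined up against a rejoin or a clock check. The function names and the header-plus-indented-lines layout of the sample are assumptions.

```python
import re
from datetime import datetime

# The three entries quoted in the post, rebuilt as a header line followed by
# indented message lines (that on-disk layout is an assumption).
SAMPLE_LOG = "".join(
    f"[{t}, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)\n"
    "  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.\n"
    "  Rejecting auth request from client BRIX machine account BRIX$\n"
    for t in ("2013/01/23 14:26:16.350332", "2013/01/23 14:26:16.352562",
              "2013/01/23 14:37:22.518159")
)

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
REJECT = re.compile(r"netlogon_creds_server_check failed\.\s+Rejecting auth "
                    r"request from client (\S+) machine account (\S+)")

def entries(text):
    """Yield (timestamp, message) per entry; continuation lines are joined."""
    stamp, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp is not None:
                yield stamp, " ".join(body)
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            body = [line[m.end():].strip()]
        elif stamp is not None:
            body.append(line.strip())
    if stamp is not None:
        yield stamp, " ".join(body)

def rejected_machine_accounts(text):
    """Map machine account -> client name, rejection count, first/last time."""
    out = {}
    for stamp, msg in entries(text):
        m = REJECT.search(msg)
        if m:
            client, account = m.groups()
            rec = out.setdefault(
                account, {"client": client, "count": 0, "first": stamp, "last": stamp})
            rec["count"] += 1
            rec["first"] = min(rec["first"], stamp)
            rec["last"] = max(rec["last"], stamp)
    return out

if __name__ == "__main__":
    for acct, rec in rejected_machine_accounts(SAMPLE_LOG).items():
        print(acct, rec["client"], rec["count"], rec["first"], rec["last"])
```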