Re: [Samba] PDC: The trust relationship ... failed from the beginning
Hi,

Were you able to resolve the issue?

Thanks for the reply
-Sreejith

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] PDC: The trust relationship ... failed from the beginning
From: Eimac Dude [mailto:eimacd...@aol.com]
Sent: 24 January 2013 19:43
To: samba@lists.samba.org
Subject: [Samba] PDC: The trust relationship ... failed from the beginning

> Hi,
>
> When I try a net logon from Windows 7 64-bit Business (don't have any other Windows machines), I get "The trust relationship between this workstation and the primary domain failed."
>
> The discussion I've found around the Web regarding this error message seems to be only in the context of the 30 day password expiry issue, where the solution is to simply rejoin the domain. Unfortunately, I have this problem *always*, and rejoining does not help. I have not been able to do a net login at all, from the first time I tried. At the same time, there's no problem accessing the Samba shares by going to \\SMB in Windows Explorer and logging in with the same user accounts.
>
>     # smbstatus
>     Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
>
> The LAN is on 172.16. and the Samba machine is also the LAN's DNS server; not using LDAP. We had been using Samba for simple file sharing, with no domain functionality enabled, and with the Windows machines on the network configured as members of the workgroup. We recently decided to set Samba as a PDC and support roaming profiles, and have been blocked by this trust error.
>
> I made some changes to smb.conf, which can be seen here: http://pastebin.com/raw.php?i=qKvQq3W2
>
> The profiles directory was chmod 2775 and its group changed from root to users. The netlogon directory is 755.
>
> Initially, in smb.conf the name resolve order was starting with dns, but Windows 7 kept giving me an error about not finding the domain when I tried to change from workgroup to domain, so I took that out and set wins as the first item in the list.
>
>     # cat /etc/samba/smbusers:
>     root = administrator Administrator admin
>     nobody = guest pcguest smbguest
>
> I added root to smbpasswd. I also executed the following:
>
>     net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
>     net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
>     net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
>     net rpc rights grant -U root "URBASE\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>
> The Windows machines are configured as specified on wiki.samba.org/index.php/Windows7 (that is, I only edited DomainCompatibilityMode and DNSNameResolutionRequired).
>
> Changing from workgroup to domain and rebooting, then trying to log in with one of the SMB users gives me the "The trust relationship between this workstation and the primary domain failed" error. I can only log into the local machine account. If, instead of changing from workgroup to domain directly, I try to use the network ID wizard, it eventually leads to the same error when it tries to set up the domain user.
>
> Looking at /etc/samba/smbpasswd, the machine account shows up there so the add machine script seems to be working; however,
>
>     # tail /var/log/samba/log.smbd
>     [2013/01/23 14:26:16.350332, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>       _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
>     [2013/01/23 14:26:16.352562, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>       _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
>     [2013/01/23 14:37:22.518159, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>       _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
>
> Why is it not working? I don't know how to troubleshoot this. I've tried removing the machine from the domain then taking it out of smbpasswd and the Unix accounts, and then rejoining, but same errors. I tried manually adding the IP address in the Windows machine's WINS setting, but it doesn't make a difference.
>
> One thing I'm unsure of is the DNS suffixes thing which seems to be mentioned on some sites in association with this. In the Windows clients, under "Append these DNS suffixes (in order)" we've normally had as suffix the DNS master zone for the LAN, which is different from the domain name in smb.conf -- if that matters at all given joining the domain should be using WINS instead of DNS for name resolution. I tried adding the domain in there anyway, but it doesn't help.
>
> Can anyone kindly help? I've asked on a couple of other forums but to no avail...

Are the clocks synchronised between the 2 machines? According to http://community.spiceworks.com/topic/170347-trust-relationship-between-this-workstation-and-primary-domain-failed clock discrepancy can be one cause of this problem.

Moray.
To err is human; to purr, feline.
Re: [Samba] PDC: The trust relationship ... failed from the beginning
On 1/24/2013 7:31 PM, Nico Kadel-Garcia wrote:
> On Thu, Jan 24, 2013 at 8:57 PM, Eimac Dude eimacd...@aol.com wrote:
>> Brought in a new Windows 7 64-bit machine and that one works... So it seems to be a Windows configuration issue, but what other settings could possibly cause this authentication failure?
>>
>> The new machine is a recent clean install and uses MSE as antivirus, whereas the older workstations use AVG and Ad-Aware. But I doubt the antivirus could cause the difference. And I don't see any difference in the network configuration of the machines.
>>
>> Any suggestions? I can't simply replace all Windows clients on our network...
>
> The new machine has a new hostname? Are they both statically configured in DNS? Do they both have all the system patches? And have you tried yanking out AVG and replacing it with MSE?

All have same new patches. The new machine has a different hostname. But I've also tried changing the hostname of the old machine... The only thing I didn't test yet is removing AVG.
[Samba] PDC: The trust relationship ... failed from the beginning
Hi,

When I try a net logon from Windows 7 64-bit Business (don't have any other Windows machines), I get "The trust relationship between this workstation and the primary domain failed."

The discussion I've found around the Web regarding this error message seems to be only in the context of the 30 day password expiry issue, where the solution is to simply rejoin the domain. Unfortunately, I have this problem *always*, and rejoining does not help. I have not been able to do a net login at all, from the first time I tried. At the same time, there's no problem accessing the Samba shares by going to \\SMB in Windows Explorer and logging in with the same user accounts.

    # smbstatus
    Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64

The LAN is on 172.16. and the Samba machine is also the LAN's DNS server; not using LDAP. We had been using Samba for simple file sharing, with no domain functionality enabled, and with the Windows machines on the network configured as members of the workgroup. We recently decided to set Samba as a PDC and support roaming profiles, and have been blocked by this trust error.

I made some changes to smb.conf, which can be seen here: http://pastebin.com/raw.php?i=qKvQq3W2

The profiles directory was chmod 2775 and its group changed from root to users. The netlogon directory is 755.

Initially, in smb.conf the name resolve order was starting with dns, but Windows 7 kept giving me an error about not finding the domain when I tried to change from workgroup to domain, so I took that out and set wins as the first item in the list.

    # cat /etc/samba/smbusers:
    root = administrator Administrator admin
    nobody = guest pcguest smbguest

I added root to smbpasswd. I also executed the following:

    net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
    net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
    net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
    net rpc rights grant -U root "URBASE\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

The Windows machines are configured as specified on wiki.samba.org/index.php/Windows7 (that is, I only edited DomainCompatibilityMode and DNSNameResolutionRequired).

Changing from workgroup to domain and rebooting, then trying to log in with one of the SMB users gives me the "The trust relationship between this workstation and the primary domain failed" error. I can only log into the local machine account. If, instead of changing from workgroup to domain directly, I try to use the network ID wizard, it eventually leads to the same error when it tries to set up the domain user.

Looking at /etc/samba/smbpasswd, the machine account shows up there so the add machine script seems to be working; however,

    # tail /var/log/samba/log.smbd
    [2013/01/23 14:26:16.350332, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
    [2013/01/23 14:26:16.352562, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
    [2013/01/23 14:37:22.518159, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$

Why is it not working? I don't know how to troubleshoot this. I've tried removing the machine from the domain then taking it out of smbpasswd and the Unix accounts, and then rejoining, but same errors. I tried manually adding the IP address in the Windows machine's WINS setting, but it doesn't make a difference.

One thing I'm unsure of is the DNS suffixes thing which seems to be mentioned on some sites in association with this. In the Windows clients, under "Append these DNS suffixes (in order)" we've normally had as suffix the DNS master zone for the LAN, which is different from the domain name in smb.conf -- if that matters at all given joining the domain should be using WINS instead of DNS for name resolution. I tried adding the domain in there anyway, but it doesn't help.

Can anyone kindly help? I've asked on a couple of other forums but to no avail...
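
Added example (not part of the original posts): a shell function that counts the netlogon_creds_server_check rejections shown in the log excerpt above per machine account, which shows at a glance whether every workstation or only some of them fail the secure-channel handshake. The function names are assumptions, and the sample log is constructed from the three BRIX$ entries quoted in the post plus an unrelated line and a hypothetical second client, WS02$.

```shell
#!/bin/sh
# Added example: count NETLOGON secure-channel rejections per machine account
# in a Samba 3.x log.smbd read from stdin.
# Output (tab-separated): account, count, first seen, last seen.
summarize_netlogon_rejects() {
    awk '
    # Log header, e.g. "[2013/01/23 14:26:16.350332,  0] file.c:976(func)".
    # Remember its timestamp (microseconds dropped) for the message that follows.
    /^\[[0-9][0-9][0-9][0-9]\// { ts = substr($0, 2, 19) }

    # The message may follow on the next line or share the header line.
    /netlogon_creds_server_check failed/ {
        if (!match($0, /machine account [^ ]+/)) next
        acct = substr($0, RSTART + 16, RLENGTH - 16)   # skip "machine account "
        if (!(acct in count)) { order[++n] = acct; first[acct] = ts }
        count[acct]++
        last[acct] = ts
    }

    END {
        for (i = 1; i <= n; i++) {
            a = order[i]
            printf "%s\t%d\t%s\t%s\n", a, count[a], first[a], last[a]
        }
    }'
}

# Constructed sample: the three BRIX$ entries quoted in the post, one unrelated
# line, and a hypothetical second client WS02$.
sample_log() {
    cat <<'EOF'
[2013/01/23 14:26:16.350332,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:30:00.000000,  1] constructed/example.c:1(example)
  unrelated message (constructed)
[2013/01/23 14:37:22.518159,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:40:05.000001,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS02 machine account WS02$
EOF
}

sample_log | summarize_netlogon_rejects
```

On the server itself the function would read the real log instead, for example `summarize_netlogon_rejects < /var/log/samba/log.smbd`.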
Re: [Samba] PDC: The trust relationship ... failed from the beginning
Brought in a new Windows 7 64-bit machine and that one works... So it seems to be a Windows configuration issue, but what other settings could possibly cause this authentication failure?

The new machine is a recent clean install and uses MSE as antivirus, whereas the older workstations use AVG and Ad-Aware. But I doubt the antivirus could cause the difference. And I don't see any difference in the network configuration of the machines.

Any suggestions? I can't simply replace all Windows clients on our network...

On 1/24/2013 11:43 AM, Eimac Dude wrote:
> Hi,
>
> When I try a net logon from Windows 7 64-bit Business (don't have any other Windows machines), I get "The trust relationship between this workstation and the primary domain failed."
>
> The discussion I've found around the Web regarding this error message seems to be only in the context of the 30 day password expiry issue, where the solution is to simply rejoin the domain. Unfortunately, I have this problem *always*, and rejoining does not help. I have not been able to do a net login at all, from the first time I tried. At the same time, there's no problem accessing the Samba shares by going to \\SMB in Windows Explorer and logging in with the same user accounts.
>
>     # smbstatus
>     Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
>
> The LAN is on 172.16. and the Samba machine is also the LAN's DNS server; not using LDAP. We had been using Samba for simple file sharing, with no domain functionality enabled, and with the Windows machines on the network configured as members of the workgroup. We recently decided to set Samba as a PDC and support roaming profiles, and have been blocked by this trust error.
>
> I made some changes to smb.conf, which can be seen here: http://pastebin.com/raw.php?i=qKvQq3W2
>
> The profiles directory was chmod 2775 and its group changed from root to users. The netlogon directory is 755.
>
> Initially, in smb.conf the name resolve order was starting with dns, but Windows 7 kept giving me an error about not finding the domain when I tried to change from workgroup to domain, so I took that out and set wins as the first item in the list.
>
>     # cat /etc/samba/smbusers:
>     root = administrator Administrator admin
>     nobody = guest pcguest smbguest
>
> I added root to smbpasswd. I also executed the following:
>
>     net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
>     net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
>     net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
>     net rpc rights grant -U root "URBASE\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>
> The Windows machines are configured as specified on wiki.samba.org/index.php/Windows7 (that is, I only edited DomainCompatibilityMode and DNSNameResolutionRequired).
>
> Changing from workgroup to domain and rebooting, then trying to log in with one of the SMB users gives me the "The trust relationship between this workstation and the primary domain failed" error. I can only log into the local machine account. If, instead of changing from workgroup to domain directly, I try to use the network ID wizard, it eventually leads to the same error when it tries to set up the domain user.
>
> Looking at /etc/samba/smbpasswd, the machine account shows up there so the add machine script seems to be working; however,
>
>     # tail /var/log/samba/log.smbd
>     [2013/01/23 14:26:16.350332, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>       _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
>     [2013/01/23 14:26:16.352562, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>       _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
>     [2013/01/23 14:37:22.518159, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
>       _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
>
> Why is it not working? I don't know how to troubleshoot this. I've tried removing the machine from the domain then taking it out of smbpasswd and the Unix accounts, and then rejoining, but same errors. I tried manually adding the IP address in the Windows machine's WINS setting, but it doesn't make a difference.
>
> One thing I'm unsure of is the DNS suffixes thing which seems to be mentioned on some sites in association with this. In the Windows clients, under "Append these DNS suffixes (in order)" we've normally had as suffix the DNS master zone for the LAN, which is different from the domain name in smb.conf -- if that matters at all given joining the domain should be using WINS instead of DNS for name resolution. I tried adding the domain in there anyway, but it doesn't help.
>
> Can anyone kindly help? I've asked on a couple of other
Re: [Samba] PDC: The trust relationship ... failed from the beginning
On Thu, Jan 24, 2013 at 8:57 PM, Eimac Dude eimacd...@aol.com wrote:
> Brought in a new Windows 7 64-bit machine and that one works... So it seems to be a Windows configuration issue, but what other settings could possibly cause this authentication failure?
>
> The new machine is a recent clean install and uses MSE as antivirus, whereas the older workstations use AVG and Ad-Aware. But I doubt the antivirus could cause the difference. And I don't see any difference in the network configuration of the machines.
>
> Any suggestions? I can't simply replace all Windows clients on our network...

The new machine has a new hostname? Are they both statically configured in DNS? Do they both have all the system patches? And have you tried yanking out AVG and replacing it with MSE?