[Samba] The trust relationship between this workstation and the primary domain failed. (After SAMBA upgrade)
Hi folks

I am writing to this list because Google was unable to provide me with a solution for my problem (neither did the samba list archives; as far as I can see). I know that the topic "The trust relationship between this workstation and the primary domain failed." is not unknown and a lot of people are suffering from it but I have the feeling that my problem is different. I am not using SAMBA as DC and try to join Windows 7 to it; but let me explain.

I had a working configuration which looked as follows:

- Windows 2008 R2 SP1 Domain Controller (Forest functional Level 2008 R2; so highest possible) (DNS Server, Global Catalog etc. It is only this ONE DC)
- Windows 7 Workstation as a domain member of this domain (Works great; no Problems)
- SAMBA 3.x running on Fedora 13 (+ updates so not the newest SAMBA3.5/3.6 releases but somewhere in the 3.1 - 3.3 releases)

The SAMBA Box was joined to the domain and some directories on the Fedora box were shared. I was able to access them from my Windows 7 Box without any problems. So SAMBA was a perfect ADS member.

Everything was running fine until I decided to upgrade (reinstall) my box with Fedora 16. The Fedora Box now has the newest SAMBA release (samba-3.6.3-78.fc16.i686) installed.

I reconfigured SAMBA by

- re-created the same users with the same uid/gid on the box
- configuring DNS as it was before
- copied back /etc/krb5.conf
- copied back /etc/samba/smb.conf and /etc/samba/smbusers (Basically I used the new smb.conf and replaced the necessary information. I have an include file ads.conf for my ADS configuration which I inject into smb.conf. So no typos or missing something)
- Did a: kinit administra...@mydomain.com (successful)
- Did a: net ads join -U Administrator (successful)
- Did a: net ads testjoin (- Join is OK)
- Did a: smbclient mydc\\myshare -U Administrator (could access the share) (OK. smbclient does not use the local Samba-Daemon but directly connects to the DC. So not really a test)

So everything was as it was before with the exception that when I try to access the SAMBA box from my Windows 7 Box I get:

- The trust relationship between this workstation and the primary domain failed.
- /var/log/samba/log.win7box shows error messages:

    [2012/03/11 13:33:07.281548, 0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
      cli_rpc_pipe_open_schannel: failed to get schannel session key from server MYDC.MYDOMAIN.COM for domain MYDOMAIN.
    [2012/03/11 13:33:07.281867, 0] auth/auth_domain.c:193(connect_to_domain_password_server)
      connect_to_domain_password_server: unable to open the domain client session to machine MYDC.MYDOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
    [2012/03/11 13:33:07.284289, 0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
      cli_rpc_pipe_open_schannel: failed to get schannel session key from server MYDC.MYDOMAIN.COM for domain MYDOMAIN.
    [2012/03/11 13:33:07.284665, 0] auth/auth_domain.c:193(connect_to_domain_password_server)
      connect_to_domain_password_server: unable to open the domain client session to machine MYDC.MYDOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
    [2012/03/11 13:33:07.285166, 0] auth/auth_domain.c:292(domain_client_validate)
      domain_client_validate: Domain password server not available.

When I do a Wireshark trace on the Linux system I see the SAMBA Daemon communicates with my domain Controller (MYDC) and gets some errors (when accessing the SAMBA Box from Win 7).

    No.   Time       Source         Destination    Protocol  Info
    9245  45.548203  192.168.1.131  192.168.1.3    SMB       Negotiate Protocol Request
    9247  45.584079  192.168.1.3    192.168.1.131  SMB       Negotiate Protocol Response
    9248  45.690020  192.168.1.131  192.168.1.3    SMB       Session Setup AndX Request, NTLMSSP_NEGOTIATE
    9249  45.690874  192.168.1.3    192.168.1.131  SMB       Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
    9250  45.691254  192.168.1.131  192.168.1.3    SMB       Session Setup AndX Request, NTLMSSP_AUTH, User: MYDOMAIN\Snoopy
    9257  45.760270  192.168.1.3    192.168.1.4    SMB       Negotiate Protocol Request
    9258  45.760989  192.168.1.4    192.168.1.3    SMB       Negotiate Protocol Response
    9260  45.761266  192.168.1.3    192.168.1.4    SMB       Session Setup AndX Request, User: anonymous
    9261  45.761586  192.168.1.4    192.168.1.3    SMB       Session Setup AndX Response
    9262  45.763317  192.168.1.3    192.168.1.4    SMB       Tree Connect AndX Request, Path: \\MYDC.MYDOMAIN.COM\IPC$
    9264  45.763683  192.168.1.4    192.168.1.3    SMB       Tree Connect AndX Response
    9265  45.763883  192.168.1.3    192.168.1.4    SMB       NT
Re: [Samba] The trust relationship between this workstation and the primary domain failed.
Thanks John,

I had seen references to that, but I was sort of hoping that we wouldn't have to do that because I saw a warning from Microsoft indicating that this might be a security risk.

For anyone looking to do this, http://support.microsoft.com/kb/154501 seems to indicate that you need to set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange to 1.

I might try and track our SambaPwdLastSet values for a bit longer to see if any of these are automatically updating.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
[Samba] The trust relationship between this workstation and the primary domain failed.
Samba 3.5.6 PDC, Windows 7 client. A user was unable to log on this morning with this error. The samba log for the machine is full of:

    [2011/02/10 09:09:50.145387, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$
    [2011/02/10 09:10:18.693306, 0] lib/util_sock.c:474(read_fd_with_timeout)
    [2011/02/10 09:10:18.693343, 0] lib/util_sock.c:1432(get_peer_addr_internal)
      getpeername failed. Error was Transport endpoint is not connected
      read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
    [2011/02/10 09:10:36.694575, 0] lib/util_sock.c:474(read_fd_with_timeout)
    [2011/02/10 09:10:36.694604, 0] lib/util_sock.c:1432(get_peer_addr_internal)
      getpeername failed. Error was Transport endpoint is not connected
      read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
    [2011/02/10 09:13:14.855541, 1] smbd/service.c:1070(make_connection_snum)

(Those messages go back as far as April when the user started using the machine.)

I've got a feeling that SambaPwdLastSet isn't getting updated in our LDAP database. Removing the client from the domain and rejoining it fixed the problem.

from smb.conf:

    [netlogon]
    comment = Network Logon Service
    path = /share/common/netlogon
    guest ok = yes
    writable = no
    share modes = no
    write list = root, administrator

    # getfacl /share/common/netlogon
    getfacl: Removing leading '/' from absolute path names
    # file: share/common/netlogon
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x

Does anyone know why this might be? Or what can be done about it?
Re: [Samba] The trust relationship between this workstation and the primary domain failed.
On Mon, May 23, 2011 at 4:00 AM, Andrew Spiers 7and...@gmail.com wrote:

> Samba 3.5.6 PDC, Windows 7 client. A user was unable to log on this morning with this error. The samba log for the machine is full of:
>
>     [2011/02/10 09:09:50.145387, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>       _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$
>     [2011/02/10 09:10:18.693306, 0] lib/util_sock.c:474(read_fd_with_timeout)
>     [2011/02/10 09:10:18.693343, 0] lib/util_sock.c:1432(get_peer_addr_internal)
>       getpeername failed. Error was Transport endpoint is not connected
>       read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>     [2011/02/10 09:10:36.694575, 0] lib/util_sock.c:474(read_fd_with_timeout)
>     [2011/02/10 09:10:36.694604, 0] lib/util_sock.c:1432(get_peer_addr_internal)
>       getpeername failed. Error was Transport endpoint is not connected
>       read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>     [2011/02/10 09:13:14.855541, 1] smbd/service.c:1070(make_connection_snum)
>
> (Those messages go back as far as April when the user started using the machine.)
>
> I've got a feeling that SambaPwdLastSet isn't getting updated in our LDAP database. Removing the client from the domain and rejoining it fixed the problem.
>
> from smb.conf:
>
>     [netlogon]
>     comment = Network Logon Service
>     path = /share/common/netlogon
>     guest ok = yes
>     writable = no
>     share modes = no
>     write list = root, administrator
>
>     # getfacl /share/common/netlogon
>     getfacl: Removing leading '/' from absolute path names
>     # file: share/common/netlogon
>     # owner: root
>     # group: root
>     user::rwx
>     group::r-x
>     other::r-x
>
> Does anyone know why this might be? Or what can be done about it?

I believe you have to disable the machine password from being automatically changed on the client. The default is every 30 days. I believe if no user is logged in during the password exchange the Windows 7 box changes the password but samba does not get the change.

See this thread: http://samba.2283325.n4.nabble.com/Windows-7-machine-trust-accounts-expiring-td2456812.html

John
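The two failure signatures quoted in the posts above (the DC-side netlogon_creds_server_check rejection and the member-side schannel session key failure) can be counted per machine account or domain with a small log scan. This is an added example, not code from the list posts or the Samba project; SAMPLE is constructed, and the names parse_entries, trust_failures and the kind labels are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in Samba 3.x log layout: a "[timestamp, level] file:line(function)"
# header, then indented message lines. Messages are modelled on those quoted in the posts.
SAMPLE = """\
[2011/02/10 09:09:50.145387,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$
[2011/02/10 09:10:18.693306,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/02/10 09:10:18.693343,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
[2011/02/11 08:01:02.000001,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$
[2012/03/11 13:33:07.281548,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server MYDC.MYDOMAIN.COM for domain MYDOMAIN.
"""
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*\d+\]\s+\S+\(\w+\)$")
PATTERNS = {  # kind -> regex whose group(1) is the affected machine account or domain
    "dc_rejected_machine_creds": re.compile(
        r"netlogon_creds_server_check failed\. Rejecting auth request from client \S+ machine account (\S+)"),
    "member_no_schannel_key": re.compile(
        r"failed to get schannel session key from server \S+ for domain ([\w-]+)"),
}

def parse_entries(text):
    """Yield (timestamp, message); continuation lines are joined to their header."""
    ts, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if ts is not None:
                yield ts, " ".join(parts)  # a header with no message yields ""
            ts, parts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), []
        elif ts is not None and line.strip():
            parts.append(line.strip())
    if ts is not None:
        yield ts, " ".join(parts)

def trust_failures(text):
    """Return {(kind, subject): [count, first_seen, last_seen]} for trust failures."""
    out = {}
    for ts, msg in parse_entries(text):
        for kind, rx in PATTERNS.items():
            m = rx.search(msg)
            if m:
                rec = out.setdefault((kind, m.group(1)), [0, ts, ts])
                rec[0] += 1
                rec[1], rec[2] = min(rec[1], ts), max(rec[2], ts)
    return out
```

A machine account whose first_seen is weeks old, like the rejections described in the original post, points at a machine password that drifted out of sync rather than a one-off network fault.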
[Samba] The trust relationship between this workstation and the primary domain failed.
Samba DC (CVS 3.0.1pre1) on FreeBSD 5.1 and win2k (domain member).

On Samba I have some domain groups:

    # net groupmap list
    Domain Admins (S-1-5-21-826284196-2975262035-2440006394-512) - wheel
    Domain Guests (S-1-5-21-826284196-2975262035-2440006394-514) - nobody
    Domain Users (S-1-5-21-826284196-2975262035-2440006394-513) - users

On win2k I cannot permit access to a file for these groups:

    C:\cacls c:\file /E /G Domain\Domain Admins:F
    The trust relationship between this workstation and the primary domain failed.
    C:\cacls c:\file /E /G Domain\Domain Users:R
    The trust relationship between this workstation and the primary domain failed.

For users this works:

    C:\cacls c:\file /E /G Domain\User:F
    processed file: c:\file

Samba 2.2.8a doesn't have this problem:

    C:\cacls c:\file /E /G Domain\Domain Admins:F
    processed file: c:\file
    C:\cacls c:\file /E /G Domain\Domain Users:R
    processed file: c:\file
    C:\cacls c:\file /E /G Domain\user:R
    processed file: c:\file
    C:\cacls c:\file
    c:\file Domain\Domain Admins:F
            Domain\Domain Users:R
            Domain\user:R

Why?

Thanks!