Re: [Samba] BDC Rejecting auth request from client + Windows 7

2013-02-11 Thread David Noriega
We are at a university and have no control over the network, thus I made
the BDC use a dynamic IP so it's on the same subnet as the clients.

The PDC is running Samba 3.5.10-125 (CentOS 6.3) and the BDC is
3.5.19-44 (CentOS 5.8).

Both servers use the same LDAP server.

pdbedit does show the same accounts on both servers.

Here is my smb.conf for the PDC:
[global]
workgroup = 
netbios name = 
server string = PDC %v
encrypt passwords = yes
#enable privileges = yes
passdb backend = ldapsam:ldap://x.x.x.x
ldapsam:trusted = yes
domain master = yes
preferred master = yes
local master = yes
os level = 255
dns proxy = yes
wins support = yes
name resolve order = host wins lmhosts bcast
domain logons = yes
client ntlmv2 auth = yes
loglevel = 3
log file = /var/log/samba/log.%m
syslog = 0
time server = yes
ldap suffix = dc=x,dc=x,dc=x
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap machine suffix = ou=machines
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
ldap admin dn = cn=samba,ou=DSA,dc=x,dc=x,dc=x
logon path = \\%L\profiles\%U
logon script = netlogon.bat
time server = Yes
deadtime = 10
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
case sensitive = No
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
printcap name = /etc/printcap
load printers = no
interfaces = eth0
bind interfaces only = yes

And for the BDC:
[global]
workgroup = 
netbios name = BDC
server string = BDC %v
encrypt passwords = yes
enable privileges = yes
passdb backend = ldapsam:ldap://pavlov.cbi.utsa.edu
ldapsam:trusted = yes
domain master = no
client ntlmv2 auth = yes
local master = yes
preferred master = yes
os level = 50
dns proxy = no
wins server = x.x.x.x
domain logons = yes
loglevel = 3
log file = /var/log/samba/log.%m
syslog = 0
time server = yes
ldap suffix = dc=x,dc=x,dc=x
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap machine suffix = ou=machines
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
ldap admin dn = cn=samba,ou=DSA,dc=x,dc=x,dc=x
logon path = 
logon script = netlogon.bat
remote announce = x.x.x.x/
remote browse sync = x.x.x.x
printcap name = /etc/printcap
load printers = no
interfaces = eth2
bind interfaces only = yes
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u


On Fri, Feb 8, 2013 at 2:34 PM, Gaiseric Vandal gaiseric.van...@gmail.com wrote:

 I don't quite understand: why does the BDC have a dynamic IP address? Or
 have I misunderstood? The DHCP server can provide the IP of the WINS
 servers to DHCP clients. Are the XP and Win 7 workstations on a separate
 subnet from the servers?

 What version are the samba servers? Do both samba servers point to a
 single LDAP server or do they each have their own LDAP server in
 replication? Does pdbedit -Lv show the same accounts on each DC?
 Is it possible that the Windows 7 machine accounts have not replicated to
 the BDC?

 Have you specified the ports in the smb.conf file? By default samba uses
 ports 137, 138, and 445. In theory you can disable port 445 (it reduces
 some of the transport warnings) but I find that causes problems with name
 resolution when a router or vpn is involved. So better off just sticking
 with the defaults.


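
Added example (editor's code, not from this thread, Samba, or smbldap-tools): a small Python check for the question raised in the reply above, whether a PDC and BDC that share one ldapsam backend actually agree on the LDAP-related settings. It parses the [global] section of two smb.conf bodies the way Samba reads parameter names (case-insensitive, whitespace ignored, yes/true/1 folded together), reports any disagreement on a list of settings chosen from the two configs posted here (that list is this example's assumption, not Samba documentation), and checks the domain master / domain logons role split. The sample configs are constructed with placeholder names and one deliberate mismatch so the output shows what a finding looks like.

```python
import re

# Parameters a Samba 3 PDC and BDC sharing one LDAP directory should agree on.
# Assumption of this example, drawn from the two configs in the thread.
MUST_MATCH = (
    "workgroup", "passdb backend", "ldapsam:trusted", "ldap suffix",
    "ldap user suffix", "ldap group suffix", "ldap machine suffix",
    "ldap idmap suffix", "ldap admin dn", "ldap ssl",
)

BOOL_TRUE = {"yes", "true", "1"}
BOOL_FALSE = {"no", "false", "0"}


def norm_key(key):
    """smb.conf parameter names are case-insensitive and ignore whitespace."""
    return re.sub(r"\s+", "", key.strip().lower())


def norm_val(value):
    """Fold the boolean spellings smb.conf accepts (yes/true/1, no/false/0)."""
    v = value.strip()
    if v.lower() in BOOL_TRUE:
        return "yes"
    if v.lower() in BOOL_FALSE:
        return "no"
    return v


def parse_smb_conf(text):
    """Return {section: {normalized key: normalized value}} for an smb.conf body."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")   # split on the first '=' only
            sections[current][norm_key(key)] = norm_val(value)
    return sections


def check_dc_pair(pdc_text, bdc_text):
    """List settings on which the two DCs disagree, plus role mistakes."""
    pdc = parse_smb_conf(pdc_text).get("global", {})
    bdc = parse_smb_conf(bdc_text).get("global", {})
    findings = []
    for key in MUST_MATCH:
        a, b = pdc.get(norm_key(key)), bdc.get(norm_key(key))
        if a != b:
            findings.append(f"mismatch '{key}': PDC={a!r} BDC={b!r}")
    # Exactly one domain master; both must serve domain logons.
    if pdc.get("domainmaster") != "yes":
        findings.append("PDC should set 'domain master = yes'")
    if bdc.get("domainmaster") != "no":
        findings.append("BDC should set 'domain master = no'")
    for role, conf in (("PDC", pdc), ("BDC", bdc)):
        if conf.get("domainlogons") != "yes":
            findings.append(f"{role} should set 'domain logons = yes'")
    return findings


# Constructed sample configs modelled on the thread's, with placeholder names
# and one deliberate mismatch (the BDC's machine suffix) for the check to find.
PDC_CONF = """\
[global]
workgroup = EXAMPLE
netbios name = PDC
passdb backend = ldapsam:ldap://ldap.example.test
ldapsam:trusted = yes
domain master = yes
domain logons = yes
ldap suffix = dc=example,dc=test
ldap user suffix = ou=people
ldap group suffix = ou=group
ldap machine suffix = ou=machines
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
ldap admin dn = cn=samba,ou=DSA,dc=example,dc=test
time server = Yes
"""

BDC_CONF = (PDC_CONF
            .replace("netbios name = PDC", "netbios name = BDC")
            .replace("domain master = yes", "domain master = no")
            .replace("ldapsam:trusted = yes", "ldapsam:trusted = true")
            .replace("ldap machine suffix = ou=machines",
                     "ldap machine suffix = ou=computers"))

if __name__ == "__main__":
    for finding in check_dc_pair(PDC_CONF, BDC_CONF) or ["no differences found"]:
        print(finding)
```

On the configs posted in this thread the only textual difference in these settings is the LDAP URL in passdb backend, which is what the reply's "single LDAP server or replicas" question is about; the check reports it so the operator can confirm both names resolve to the same directory.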

[Samba] BDC Rejecting auth request from client + Windows 7

2013-02-08 Thread David Noriega
Just some background: In our environment, we are running both a PDC and
BDC. The local network setup has static IPs on a different subnet from DHCP
IPs, thus the PDC has a static IP and the BDC has a dynamic one so the
Windows machines are able to see the domain without hardcoding the IP of
the PDC as a WINS server on each machine. This has worked fine for Windows
XP. We are also using LDAP as the backend.

Now we have a Windows 7 box and I have followed various instructions and
modified entries within the registry as everyone else has specified. While
I can join the domain, after reboot I get the trust relationship failed
error (or on a rare occasion it will say no logon servers available).
Checking the logs I have mapped out the following:

1. Win7 client asks to join the domain
2. PDC responds and adds machine to ldap
3. Win7 accepts and tests machine account
4. BDC rejects auth request
5. Win7 logs this, but still shows successful join message and reboots
6. Win7 then refuses to log in on the domain. I can type in gibberish and
still get the trust relationship failed message.

Here is the following from the BDC:

[2013/02/08 13:11:05.458750,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2013/02/08 13:11:05.504483,  2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/08 13:11:05.504529,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
[2013/02/08 13:11:05.524195,  2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/08 13:11:05.524235,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
[2013/02/08 13:11:15.914207,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/02/08 13:11:15.914316,  0] lib/util_sock.c:1441(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
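
Added example (editor's code, not from this thread or from Samba): a Python parser for the Samba 3 log format shown in the post. It groups each "[timestamp, level] file:line(function)" header with the indented message lines under it, counts the _netr_ServerAuthenticate3 rejections per client and machine account, and measures how close together they are, which is the signal a defender would alert on when a DC keeps refusing one machine's secure channel. The sample log is constructed from the excerpt above with the mail-wrapped lines rejoined; the function names are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Header of a Samba 3 log entry: "[YYYY/MM/DD HH:MM:SS.usec,  level] file:line(function)".
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*(?P<where>\S+)\s*$"
)
# Message _netr_ServerAuthenticate3 logs when the client's netlogon credential
# does not verify against the machine account password this DC holds.
REJECT_RE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request "
    r"from client (?P<client>\S+) machine account (?P<account>\S+)"
)


def parse_samba_log(text):
    """Group each header line with the indented message lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({
                "ts": datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f"),
                "level": int(m.group("level")),
                "where": m.group("where"),
                "message": "",
            })
        elif entries and line.strip():
            # Continuation line: append to the most recent entry's message.
            entries[-1]["message"] = (entries[-1]["message"] + " " + line.strip()).strip()
    return entries


def netlogon_rejections(entries):
    """Count secure-channel rejections per (client NetBIOS name, machine account)."""
    counts = Counter()
    for e in entries:
        m = REJECT_RE.search(e["message"])
        if m:
            counts[(m.group("client"), m.group("account"))] += 1
    return counts


def rejection_window_seconds(entries):
    """Seconds between the first and last rejection (0.0 if fewer than two)."""
    stamps = [e["ts"] for e in entries if REJECT_RE.search(e["message"])]
    if len(stamps) < 2:
        return 0.0
    return (stamps[-1] - stamps[0]).total_seconds()


# Constructed sample: the BDC excerpt from the post with wrapped lines rejoined.
SAMPLE_BDC_LOG = """\
[2013/02/08 13:11:05.458750,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2013/02/08 13:11:05.504483,  2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/08 13:11:05.504529,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
[2013/02/08 13:11:05.524195,  2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/08 13:11:05.524235,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
[2013/02/08 13:11:15.914207,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/02/08 13:11:15.914316,  0] lib/util_sock.c:1441(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
"""

if __name__ == "__main__":
    parsed = parse_samba_log(SAMPLE_BDC_LOG)
    for (client, account), n in netlogon_rejections(parsed).items():
        print(f"{client} ({account}): {n} rejections within "
              f"{rejection_window_seconds(parsed):.3f}s")
```

Run against the real log.%m files on both DCs, the useful comparison is whether the same machine account is rejected only on the BDC (the symptom in this thread) or on both, which separates a stale machine password on one DC from a client-side problem.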


Re: [Samba] BDC Rejecting auth request from client + Windows 7

2013-02-08 Thread Gaiseric Vandal
I don't quite understand: why does the BDC have a dynamic IP address? Or
have I misunderstood? The DHCP server can provide the IP of the WINS
servers to DHCP clients. Are the XP and Win 7 workstations on a separate
subnet from the servers?

What version are the samba servers? Do both samba servers point to a
single LDAP server or do they each have their own LDAP server in
replication? Does pdbedit -Lv show the same accounts on each DC?
Is it possible that the Windows 7 machine accounts have not replicated to
the BDC?

Have you specified the ports in the smb.conf file? By default samba uses
ports 137, 138, and 445. In theory you can disable port 445 (it reduces some
of the transport warnings) but I find that causes problems with name
resolution when a router or vpn is involved. So better off just sticking
with the defaults.

