|24 Jan 2013||#1|
Samba as PDC: "The trust relationship ... failed" *from the beginning*
When I try a net logon from Windows 7 64-bit Business (don't have any other Windows machines), I get "The trust relationship between this workstation and the primary domain failed". The discussion I've found around the Web regarding this error message seems to be only in the context of the 30 day password expiry issue, where the solution is to simply rejoin the domain. Unfortunately, I have this problem *always*, and rejoining does not help. I have not been able to do a net login at all, from the first time I tried. At the same time, there's no problem accessing the Samba shares by going to \\SMB in Windows Explorer and logging in with the same user accounts.
# smbstatus
Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
We had been using Samba for simple file sharing, with no domain functionality enabled, and with the Windows machines on the network configured as members of the workgroup. We recently decided to set Samba as a PDC and support roaming profiles, and have been blocked by this trust error.
I made some changes to smb.conf, which can be seen here: http://pastebin.com/raw.php?i=qKvQq3W2
The profiles directory was chmod 2775 and its group changed from root to users. The netlogon directory is 755. Initially, in smb.conf the name resolve order was starting with dns, but Windows 7 kept giving me an error about not finding the domain when I tried to change from workgroup to domain, so I took that out and set wins as the first item in the list.
# cat /etc/samba/smbusers:
root = administrator Administrator admin
nobody = guest pcguest smbguest

net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
net groupmap add ntgroup="Domain Users" unixgroup=users rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
net rpc rights grant -U root "URBASE\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

# tail /var/log/samba/log.smbd
[2013/01/23 14:26:16.350332, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
One thing I'm unsure of is the DNS suffixes thing which seems to be mentioned on some sites in association with this. In the Windows clients, under "Append these DNS suffixes (in order)" we've normally had as suffix the DNS master zone for the LAN, which is different from the domain name in smb.conf -- if that matters at all given joining the domain should be using WINS instead of DNS for name resolution. I tried adding the domain in there anyway, but it doesn't help.
Can anyone kindly help? I've asked on a couple of other forums but to no avail...
Brought in a new Windows 7 64-bit machine and that one works... So it seems to be a Windows configuration issue, but what other settings could possibly cause this authentication failure? The new machine is a recent clean install and uses MSE as antivirus, whereas the older workstations use AVG and Ad-Aware. But I doubt the antivirus could cause the difference. And I don't see any difference in the network configuration of the machines. Any suggestions? I can't simply replace all Windows clients on our network...
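The smbd log excerpt in the first post, as an added example that is not part of the thread: this Python script groups `netlogon_creds_server_check` rejections by machine account, which shows whether the failures come from one workstation or from every client. The WS02 entries, the sample log text and the function name `summarize_rejections` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in log.smbd layout (header line, then indented message).
# The BRIX$ entries mirror the post; the WS02 entries are invented.
SAMPLE_LOG = """\
[2013/01/23 14:26:16.350332, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:40:05.000000, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS02 machine account WS02$
[2013/01/23 14:41:10.000000, 1] smbd/service.c:1114(make_connection_snum)
  ws02 (192.0.2.20) connect to service profiles initially as user alice (uid=1000, gid=100) (pid 4242)
"""

# \s+ between header and message also matches logs flattened onto one line.
REJECT = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]\s+"
    r"\S+\(_netr_ServerAuthenticate3\)\s+"
    r"_netr_ServerAuthenticate3: netlogon_creds_server_check failed\. "
    r"Rejecting auth request from client (?P<client>\S+) "
    r"machine account (?P<account>\S+)"
)


def summarize_rejections(log_text):
    """Return {machine_account: {"clients", "count", "first", "last"}}."""
    summary = {}
    for m in REJECT.finditer(log_text):
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        entry = summary.setdefault(
            m["account"], {"clients": set(), "count": 0, "first": ts, "last": ts}
        )
        entry["clients"].add(m["client"])
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary


if __name__ == "__main__":
    for account, info in sorted(summarize_rejections(SAMPLE_LOG).items()):
        print(f"{account}: {info['count']} rejected, {info['first']} .. "
              f"{info['last']}, clients={sorted(info['clients'])}")
```
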
|25 Jan 2013||#2|
It may help to manually add the Domain's DNS server IPs to the IPv4 properties of the network adaptor you are trying to connect with.
Have you tried:
Control Panel - Administrative Tools - Local Security Policy
Local Policies - Security Options
Network security: LAN Manager authentication level
Set to Send LM & NTLM responses only
Set the Minimum session security for NTLM SSP
Disable Require 128-bit encryption
The A/Vs can be very problematic.