Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Samba as PDC: "The trust relationship ... failed" *from the beginning*


24 Jan 2013   #1

Business 64
 
 
Samba as PDC: "The trust relationship ... failed" *from the beginning*

Hi,

When I try a net logon from Windows 7 64-bit Business (don't have any other Windows machines), I get "The trust relationship between this workstation and the primary domain failed". The discussion I've found around the Web regarding this error message seems to be only in the context of the 30 day password expiry issue, where the solution is to simply rejoin the domain. Unfortunately, I have this problem *always*, and rejoining does not help. I have not been able to do a net login at all, from the first time I tried. At the same time, there's no problem accessing the Samba shares by going to \\SMB in Windows Explorer and logging in with the same user accounts.

Code:
# smbstatus 
Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
The LAN is on 172.16. and the Samba machine is also the LAN's DNS server; not using LDAP.

We had been using Samba for simple file sharing, with no domain functionality enabled, and with the Windows machines on the network configured as members of the workgroup. We recently decided to set Samba as a PDC and support roaming profiles, and have been blocked by this trust error.

I made some changes to smb.conf, which can be seen here: http://pastebin.com/raw.php?i=qKvQq3W2

The profiles directory was chmod 2775 and its group changed from root to users. The netlogon directory is 755. Initially, in smb.conf the name resolve order was starting with dns, but Windows 7 kept giving me an error about not finding the domain when I tried to change from workgroup to domain, so I took that out and set wins as the first item in the list.

Code:
# cat /etc/samba/smbusers: 
root = administrator Administrator admin 
nobody = guest pcguest smbguest
I added root to smbpasswd. I also executed the following:

Code:
net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d 
net groupmap add ntgroup="Domain Users"  unixgroup=users rid=513 type=d 
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d 
net rpc rights grant -U root "URBASE\Domain Admins"  SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege  SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
The Windows machines are configured as specified on wiki.samba.org/index.php/Windows7 (that is, I only edited DomainCompatibilityMode and DNSNameResolutionRequired). Changing from workgroup to domain and rebooting, then trying to log in with one of the SMB users gives me the "The trust relationship between this workstation and the primary domain failed" error. I can only log into the local machine account. If, instead of changing from workgroup to domain directly, I try to use the network ID wizard, it eventually leads to the same error when it tries to set up the domain user. Looking at /etc/samba/smbpasswd, the machine account shows up there so the add machine script seems to be working; however,

Code:
# tail /var/log/samba/log.smbd 
[2013/01/23 14:26:16.350332, 0]  rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) 
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting  auth request from client BRIX machine account BRIX$ 
[2013/01/23 14:26:16.352562, 0]  rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) 
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting  auth request from client BRIX machine account BRIX$ 
[2013/01/23 14:37:22.518159, 0]  rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3) 
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting  auth request from client BRIX machine account BRIX$
Why is it not working? I don't know how to troubleshoot this. I've tried removing the machine from the domain then taking it out of smbpasswd and the Unix accounts, and then rejoining, but same errors. I tried manually adding the IP address in the Windows machine's WINS setting, but it doesn't make a difference.

One thing I'm unsure of is the DNS suffixes thing which seems to be mentioned on some sites in association with this. In the Windows clients, under "Append these DNS suffixes (in order)" we've normally had as suffix the DNS master zone for the LAN, which is different from the domain name in smb.conf -- if that matters at all given joining the domain should be using WINS instead of DNS for name resolution. I tried adding the domain in there anyway, but it doesn't help.

Can anyone kindly help? I've asked on a couple of other forums but to no avail...

[EDIT]

Brought in a new Windows 7 64-bit machine and that one works... So it seems to be a Windows configuration issue, but what other settings could possibly cause this authentication failure? The new machine is a recent clean install and uses MSE as antivirus, whereas the older workstations use AVG and Ad-Aware. But I doubt the antivirus could cause the difference. And I don't see any difference in the network configuration of the machines. Any suggestions? I can't simply replace all Windows clients on our network...


My System SpecsSystem Spec
.

25 Jan 2013   #2

Windows 7 Ult, Windows 8.1 Pro,
 
 

It may help to manually add the Domain's DNS server IP's to the IPv4 properties of the network adaptor you are trying to connect with.

Have you tried.
Control Panel - Administrative Tools - Local Security Policy

Local Policies - Security Options

Network security: LAN Manager authentication level
Set to Send LM & NTLM responses only

Set the Minimum session security for NTLM SSP
Disable Require 128-bit encryption

The A/V's can be very problematic.
My System SpecsSystem Spec
Reply

 Samba as PDC: "The trust relationship ... failed" *from the beginning*




Thread Tools




Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 03:48 AM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33