Thread: Samba PDC: "The trust relationship between this workstation and the primary domain failed"

  1. #1

    Samba PDC: "The trust relationship between this workstation and the primary domain failed"

    Hi,

    My configuration is

    Code:
    # smbstatus
    
    Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64

    The LAN is on 172.16. and the Samba machine is also the LAN's DNS server.

    We had been using Samba for simple file sharing, with no domain functionality, and with the Windows machines on the network configured as members of the workgroup. We decided to set it as a PDC and support roaming profiles.

    I made some changes to smb.conf, which is here: http://pastebin.com/raw.php?i=HCY2cfHw The profiles directory was chmod 2775 and its group changed from root to users. The netlogon directory is 755. net groupmap list is empty. Initially, in smb.conf the name resolve order was starting with dns, but Windows 7 kept giving me an error about finding the domain when I tried to change from workgroup to domain, so I took that out.

    All our Windows machines are Windows 7 64-bit Business. I configured them as follows: Windows7 - SambaWiki (that is, as specified on that page, I only edited DomainCompatibilityMode and DNSNameResolutionRequired). Changing from workgroup to domain doesn't give me an error until I reboot and try to log in with one of the SMB users: "The trust relationship between this workstation and the primary domain failed". I can only log into the local machine account. If instead of changing from workgroup to domain directly I try to use the network ID wizard, it leads eventually to the same error when it tries to set up the domain user.

    There's no problem accessing the Samba shares, however.

    Code:
    # tail /var/log/samba/log.smbd
    [2013/01/23 14:26:16.350332,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
    [2013/01/23 14:26:16.352562,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
    [2013/01/23 14:37:22.518159,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
      _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$

    Why is it failing? I checked the smbpasswd file and I see BRIX$ in there (though in the Unix accounts, brix$ is in lowercase but my understanding is that's not a problem). Also, it looks like it was automatically made a member of the group users, but I don't think that matters.

    I don't know how to troubleshoot this. I've tried removing the machine from the domain, then taking it out of smbpasswd and the Unix accounts, and then rejoining, but same thing.

    Please help!

    [Edit: don't know if it matters, but the Windows 7 workstations may or may not have been upgrades from an initial Vista install, though I don't think upgraded from XP (2% chance). Unfortunately, I can't verify the history...].
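
The rejections in the log excerpt above can be tallied per machine account, which shows whether one workstation or every joined machine is failing the NETLOGON credential check. This is an added example, not part of the original post; the sample lines are the ones quoted in the post, and the function names are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample copied from the log.smbd excerpt quoted in the post above.
SAMPLE_LOG = """\
[2013/01/23 14:26:16.350332,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
"""

# A record is a "[timestamp, level] source(function)" header line
# followed by an indented message line.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),")
REJECT = re.compile(r"netlogon_creds_server_check failed\. Rejecting auth request "
                    r"from client (\S+) machine account (\S+)")

def netlogon_rejections(log_text):
    """Return {machine_account: [(timestamp, client_name), ...]}."""
    hits = defaultdict(list)
    stamp = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            continue
        m = REJECT.search(line)
        if m and stamp is not None:
            hits[m.group(2)].append((stamp, m.group(1)))
    return dict(hits)

def summarize(log_text):
    """One row per machine account: (account, count, first_seen, last_seen)."""
    rows = []
    for account, events in sorted(netlogon_rejections(log_text).items()):
        times = [t for t, _ in events]
        rows.append((account, len(events), min(times), max(times)))
    return rows

if __name__ == "__main__":
    for account, count, first, last in summarize(SAMPLE_LOG):
        print(f"{account}: {count} rejected auth requests, {first} .. {last}")
```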

  2. #2
    Join Date
    Mar 2010
    Location
    Austin - Texas
    Posts
    10,500
    Blog Entries
    48

    Re: Samba PDC: "The trust relationship between this workstation and the primary domain failed"

    I have just not had a need to use Samba as a Domain Controller myself, but I found one interesting link you might look at here:

    Answer : [Samba] Rejecting auth request from client xxx machine account, win7,

    One of our moderators is really into Samba, but I think it's for workgroups only, but you can look to see if there is more: openSUSE SuSE Linux HOWTOs and Tutorials by Swerdna

    If you do get a good lead that helps outside of the forum, you got to let us know what you found out and good luck with the problem.

    Thank You,
    My Blog: https://forums.opensuse.org/blogs/jdmcdaniel3/

    Software efficiency halves every 18 months, thus compensating for Moore's Law

    It's James again from Austin, Texas

  3. #3

    Re: Samba PDC: "The trust relationship between this workstation and the primary domain failed"

    The discussion there seems to be about the Windows machine changing its password automatically after 30 days and having to rejoin the domain. Everywhere I looked online regarding this error message, it seems to be under that context. But I don't see it applying to my case since it's not that the machine loses the ability to authenticate--it never does in the first place. And so their solution of rejoining the domain doesn't work (by now, I've tried that several times already).

    I will repost my question there, but I'm wondering, is there a Samba-specific forum anywhere? I had trouble finding one, surprisingly.

  4. #4

    Re: Samba PDC: "The trust relationship between this workstation and the primary domain failed"

    Originally posted by Prune:
    > The discussion there seems to be about the Windows machine changing its password automatically after 30 days and having to rejoin the domain. Everywhere I looked online regarding this error message, it seems to be under that context. But I don't see it applying to my case since it's not that the machine loses the ability to authenticate--it never does in the first place. And so their solution of rejoining the domain doesn't work (by now, I've tried that several times already).
    >
    > I will repost my question there, but I'm wondering, is there a Samba-specific forum anywhere? I had trouble finding one, surprisingly.

    All I have is a bunch of Links on the subject, but not sure how much they are worth:

    https://en.opensuse.org/Samba

    OpenSUSE 12.2 Samba Standalone Server With tdbsam Backend | HowtoForge - Linux Howtos and Tutorials

    Chapter 4. Domain Control

    Set up Samba to serve as a domain controller | TechRepublic

    Simple Domain Controller With Samba - The Cog

    https://wiki.samba.org/index.php/Samba4/Status

    Perhaps something will be helpful here.

    Thank You,
    My Blog: https://forums.opensuse.org/blogs/jdmcdaniel3/

    Software efficiency halves every 18 months, thus compensating for Moore's Law

    It's James again from Austin, Texas

  5. #5
    Join Date
    Nov 2009
    Location
    ND, USA
    Posts
    1,086

    Re: Samba PDC: "The trust relationship between this workstation and the primary domain failed"

    On 1/23/2013 5:06 PM, Prune wrote:
    >
    > Hi,
    >
    > My configuration is
    >
    >
    > Code:
    > --------------------
    > # smbstatus
    >
    > Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
    > --------------------
    >
    >
    > The LAN is on 172.16. and the Samba machine is also the LAN's DNS
    > server.
    >
    > We had been using Samba for simple file sharing, with no domain
    > functionality, and with the Windows machines on the network configured
    > as members of the workgroup. We decided to set it as a PDC and support
    > roaming profiles.
    >
    > I made some changes to smb.conf, which is here:
    > http://pastebin.com/raw.php?i=HCY2cfHw The profiles directory was chmod
    > 2775 and its group changed from root to users. The netlogon directory is
    > 755. net groupmap list is empty. Initially, in smb.conf the name resolve
    > order was starting with dns, but Windows 7 kept giving me an error about
    > finding the domain when I tried to change from workgroup to domain, so I
    > took that out.
    >
    > All our Windows machines are Windows 7 64-bit Business. I configured
    > them as follows: 'Windows7 - SambaWiki'
    > (http://wiki.samba.org/index.php/Windows7) (that is, as specified on
    > that page, I only edited DomainCompatibilityMode and
    > DNSNameResolutionRequired). Changing from workgroup to domain doesn't
    > give me an error until I reboot and try to log in with one of the SMB
    > users: "The trust relationship between this workstation and the primary
    > domain failed". I can only log into the local machine account. If
    > instead of changing from workgroup to domain directly I try to use the
    > network ID wizard, it leads eventually to the same error when it tries
    > to set up the domain user.
    >

    <snip>
    >
    >
    > Why is it failing? I checked the smbpasswd file and I see BRIX$ in
    > there (though in the Unix accounts, brix$ is in lowercase but my
    > understanding is that's not a problem). Also, it looks like it was
    > automatically made a member of the group users, but I don't think that
    > matters.
    >
    > I don't know how to troubleshoot this. I've tried removing the machine
    > from the domain, then taking it out of smbpasswd and the Unix accounts,
    > and then rejoining, but same thing.
    >
    > Please help!
    >
    >

    Prune;
    What really stood out in your smb.conf was the parameter settings:

    Code:
    hosts allow = 172.16. 127.
    hosts deny = ALL

    Note the extra space in 172.16. 127. As best that I can tell you are denying
    all connections. A proper "hosts allow" should be all you need as others are
    automatically denied. For your information below is the [global] and [profiles]
    share of the smb.conf I currently use (Samba 3.6.10). It is not perfect but it
    works. You might want to check your smb.conf with:

    Code:
    testparm -vs

    The -v switch makes sure you see all the parameters and their values (including
    defaults), not just those set in smb.conf.

    I also note that you have setup a WINS server. Are all the clients pointed to
    this IP either manually or by dhcp?

    Code:
    [global]
        workgroup = MYDOMAIN
        interfaces = eth0 lo
        map to guest = Bad User
        passdb backend = tdbsam:/etc/samba/passdb.tdb
        passwd program = /usr/bin/passwd '%u'
        passwd chat = *New*password* %n\n*Re-enter*new*password* %n\n *Password*changed*
        passwd chat timeout = 30
        username map = /etc/samba/smbusers
    #   log level = 1 auth:3
    #   log level = 3
        log file = /var/log/samba/logsmbd.%m
        max log size = 1000
        max protocol = SMB2
        debug pid = Yes
        debug uid = Yes
        winbind enum users = yes
        winbind enum groups = yes
        name resolve order = wins host lmhosts bcast
        socket options = TCP_NODELAY
        printcap cache time = 750
        printing = cups
        printcap name = cups
        add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false '%u'
        add user script = /usr/sbin/useradd -m '%u'
        delete user script = /usr/sbin/userdel -r '%u'
        add group script = /usr/sbin/groupadd '%g'
        delete group script = /usr/sbin/groupdel '%g'
        logon path = \\%L\profiles\%U
        logon home = \\%L\%U\.9xprofile
        logon drive = S:
        domain logons = Yes
        os level = 127
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        cups options = raw
        host msdfs = No
        server signing = No

    [profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
        browseable = No
        profile acls = Yes
        use sendfile = Yes

    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green

  6. #6

    Re: Samba PDC: "The trust relationship between this workstation and the primary domain failed"

    On 1/23/2013 8:26 PM, Prune wrote:
    >
    > The discussion there seems to be about the Windows machine changing its
    > password automatically after 30 days and having to rejoin the domain.
    > Everywhere I looked online regarding this error message, it seems to be
    > under that context. But I don't see it applying to my case since it's
    > not that the machine loses the ability to authenticate--it never does in
    > the first place. And so their solution of rejoining the domain doesn't
    > work (by now, I've tried that several times already).
    >
    > I will repost my question there, but I'm wondering, is there a
    > Samba-specific forum anywhere? I had trouble finding one, surprisingly.
    >
    >

    Prune;

    You can use "regedit" to prevent Windows from changing its password.

    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green

  7. #7

    Re: Samba PDC: "The trust relationship between this workstation and the primary domain failed"

    And if you would like to have a file selection menu to edit those system files that works with KDE or GNOME, have a look here. It works fine on the smb.conf file or any system owned file.

    SYSEdit - System File Editor - Version 1.50: https://forums.opensuse.org/blogs/jd...rsion-1-00-60/

    Thank You,
    My Blog: https://forums.opensuse.org/blogs/jdmcdaniel3/

    Software efficiency halves every 18 months, thus compensating for Moore's Law

    It's James again from Austin, Texas

  8. #8

    Re: Samba PDC: "The trust relationship between this workstation and the primary domain failed"

    On 1/23/2013 8:35 PM, PV wrote:
    >>
    > Prune;
    > What really stood out in your smb.conf was the parameter settings:
    >
    > Code:
    > hosts allow = 172.16. 127.
    > hosts deny = ALL
    >

    Never mind; just a bit of brain freeze on my part.


    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green
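
How the `hosts allow` / `hosts deny` pair quoted in posts #5 and #8 is evaluated: smb.conf list values split on spaces, tabs or commas, a pattern ending in a dot is an address prefix, and a host on the allow list is admitted even when `hosts deny = ALL`. The sketch below is an added example, not Samba's code; it models only a subset of the pattern forms (no hostnames, netgroups, EXCEPT or the loopback special case), and the client addresses in it are constructed.

```python
import ipaddress
import re

# Values as quoted in the thread.
HOSTS_ALLOW = "172.16. 127."
HOSTS_DENY = "ALL"

def split_list(value):
    """smb.conf list values are separated by spaces, tabs or commas."""
    return [tok for tok in re.split(r"[ \t,]+", value.strip()) if tok]

def pattern_matches(pattern, addr):
    """Subset of host-pattern forms: ALL, 'a.b.' prefix, net/mask, exact IP."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        # The trailing dot anchors the prefix on an octet boundary,
        # so "172.16." does not match 172.160.x.x.
        return addr.startswith(pattern)
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr

def access_allowed(addr, hosts_allow="", hosts_deny=""):
    """Apply the allow-then-deny order described in the smb.conf manual."""
    allow, deny = split_list(hosts_allow), split_list(hosts_deny)
    if any(pattern_matches(p, addr) for p in allow):
        return True   # the allow list takes precedence over the deny list
    if any(pattern_matches(p, addr) for p in deny):
        return False
    # Matched by neither list: refused only when an allow list
    # exists and no deny list was given.
    return not (allow and not deny)

if __name__ == "__main__":
    print(split_list(HOSTS_ALLOW))
    # Constructed client addresses.
    for client in ("172.16.5.20", "127.0.0.1", "172.160.1.1", "10.0.0.5"):
        verdict = access_allowed(client, HOSTS_ALLOW, HOSTS_DENY)
        print(client, "allowed" if verdict else "denied")
```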

  9. #9

    Re: Samba PDC: "The trust relationship between this workstation and the primary domain failed"

    There's nothing in the DNS server about WINS. I did try adding it into the client's connection's settings, but it made no difference so I took it out again. In any case, I'm not sure that WINS problems are consistent with the authentication-type error I'm getting.

    Still haven't tried the net groupmap and net rpc rights commands because it's not clear to me if they're necessary if I don't require associations between Windows users/groups and the Samba/Linux side.

    One of the things I noticed in the various links is that the examples don't use quite the same sets of parameters on different sites...

  10. #10

    Re: Samba PDC: "The trust relationship between this workstation and the primary domain failed"

    On 1/24/2013 12:26 AM, Prune wrote:
    >
    > There's nothing in the DNS server about WINS. I did try adding it into
    > the client's connection's settings, but it made no difference so I took
    > it out again. In any case, I'm not sure that WINS problems are
    > consistent with the authentication-type error I'm getting.
    >
    > Still haven't tried the net groupmap and net rpc rights commands
    > because it's not clear to me if they're necessary if I don't require
    > associations between Windows users/groups and the Samba/Linux side.
    >
    > One of the things I noticed in the various links is that the examples
    > don't use quite the same sets of parameters on different sites...
    >
    >

    Prune;

    Has a network login ever worked from a client? If not, have you created the
    users with:

    Code:
    smbpasswd -a <username>

    root should always have permission to add machines to the domain but for other
    users you need to use the "net rpc rights" utility.


    You do not set the WINS address via DNS. If there are only a few clients they can be
    manually pointed to the WINS server. Network and Sharing > Connections >
    Properties > Internet Protocol Version 4 (TCP/IPv4) > Properties > Advanced >
    WINS tab. Or it can be set via the dhcp server. If you are using dhcp on a
    consumer level router this is generally not possible. From openSUSE's dhcpd
    just add the following option in /etc/dhcpd.conf:

    Code:
    option netbios-name-servers X.Y.Z.W;

    Where X.Y.Z.W is the address of your WINS server.

    --
    P.V.
    "We're all in this together, I'm pulling for you" Red Green
