Samba PDC: "The trust relationship between this workstation and the primary domain failed"

Hi,

My configuration is

# smbstatus

Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64

The LAN is on 172.16. and the Samba machine is also the LAN’s DNS server.

We had been using Samba for simple file sharing, with no domain functionality, and with the Windows machines on the network configured as members of the workgroup. We decided to set it as a PDC and support roaming profiles.

I made some changes to smb.conf, which is here: http://pastebin.com/raw.php?i=HCY2cfHw The profiles directory was chmod 2775 and its group changed from root to users. The netlogon directory is 755. net groupmap list is empty. Initially, in smb.conf the name resolve order was starting with dns, but Windows 7 kept giving me an error about finding the domain when I tried to change from workgroup to domain, so I took that out.

All our Windows machines are Windows 7 64-bit Business. I configured them as follows: Windows7 - SambaWiki (that is, as specified on that page, I only edited DomainCompatibilityMode and DNSNameResolutionRequired). Changing from workgroup to domain doesn’t give me an error until I reboot and try to log in with one of the SMB users: “The trust relationship between this workstation and the primary domain failed”. I can only log into the local machine account. If instead of changing from workgroup to domain directly I try to use the network ID wizard, it leads eventually to the same error when it tries to set up the domain user.

There’s no problem accessing the Samba shares, however.

# tail /var/log/samba/log.smbd
[2013/01/23 14:26:16.350332,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$

Why is it failing? I checked the smbpasswd file and I see BRIX$ in there (though in the Unix accounts, brix$ is in lowercase but my understanding is that’s not a problem). Also, it looks like it was automatically made a member of the group users, but I don’t think that matters.

I don’t know how to troubleshoot this. I’ve tried removing the machine from the domain, then taking it out of smbpasswd and the Unix accounts, and then rejoining, but same thing.

Please help!

[Edit: don’t know if it matters, but the Windows 7 workstations may or may not have been upgrades from an initial Vista install, though I don’t think upgraded from XP (2% chance). Unfortunately, I can’t verify the history…].
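Added example, not code from the thread: a small Python parser for log.smbd entries of the shape shown above. It pulls out every netlogon_creds_server_check rejection and groups them per machine account, so you can tell a client that has been refused from its very first join attempt (the case here) from one that only started failing later, which is what a machine-account password rotation would look like. The sample log text is constructed from the excerpt above.

```python
import re
from datetime import datetime

# Constructed sample: three rejections copied in shape from the thread's
# log.smbd excerpt, plus one unrelated entry that must not be counted.
SAMPLE_LOG = """\
[2013/01/23 14:26:16.350332,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:40:01.000001,  0] smbd/service.c:1(make_connection)
  make_connection: unrelated entry
"""

# A Samba 3 log entry spans two lines: "[timestamp, level] file:line(func)"
# followed by an indented message line.
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+,\s*\d+\]")
REJECT_RE = re.compile(r"netlogon_creds_server_check failed\. Rejecting auth "
                       r"request from client (\S+) machine account (\S+)")


def parse_rejections(text):
    """Return [(timestamp, client, machine_account), ...] for every rejected
    NetLogon authentication in a log.smbd excerpt."""
    events = []
    pending_ts = None  # timestamp of the header whose message line is next
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            pending_ts = datetime.strptime(header.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        reject = REJECT_RE.search(line)
        if reject and pending_ts is not None:
            events.append((pending_ts, reject.group(1), reject.group(2)))
        pending_ts = None  # a message line always closes the entry
    return events


def summarize(events):
    """Per machine account: rejection count plus first and last timestamp.
    Rejections from the very first attempt (as in the thread) mean the client
    and PDC never shared matching machine-account secrets; rejections that
    begin after weeks of success point at the 30-day password rotation."""
    summary = {}
    for ts, client, account in events:
        entry = summary.setdefault(
            account, {"client": client, "count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return summary
```

Feed it `tail -n 200 /var/log/samba/log.smbd` output instead of the sample to get the same per-account summary for a real PDC.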

I have just not had a need to use Samba as a Domain Controller myself, but I found one interesting link you might look at here:

Answer : [Samba] Rejecting auth request from client xxx machine account, win7,

One of our moderators is really into Samba, but I think it's for workgroups only, but you can look to see if there is more: openSUSE SuSE Linux HOWTOs and Tutorials by Swerdna

If you do get a good lead that helps outside of the forum, you got to let us know what you found out and good luck with the problem.

Thank You,

The discussion there seems to be about the Windows machine changing its password automatically after 30 days and having to rejoin the domain. Everywhere I looked online regarding this error message, it seems to be under that context. But I don’t see it applying to my case since it’s not that the machine loses the ability to authenticate–it never does in the first place. And so their solution of rejoining the domain doesn’t work (by now, I’ve tried that several times already).

I will repost my question there, but I’m wondering, is there a Samba-specific forum anywhere? I had trouble finding one, surprisingly.

All I have is a bunch of Links on the subject, but not sure how much they are worth:

https://en.opensuse.org/Samba

OpenSUSE 12.2 Samba Standalone Server With tdbsam Backend | HowtoForge - Linux Howtos and Tutorials

Chapter 4. Domain Control

Set up Samba to serve as a domain controller | TechRepublic

Simple Domain Controller With Samba - The Cog

https://wiki.samba.org/index.php/Samba4/Status

Perhaps something will be helpful here.

Thank You,

On 1/23/2013 5:06 PM, Prune wrote:
>
> Hi,
>
> My configuration is
>
>
> Code:
> --------------------
> # smbstatus
>
> Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
> --------------------
>
>
> The LAN is on 172.16. and the Samba machine is also the LAN’s DNS
> server.
>
> We had been using Samba for simple file sharing, with no domain
> functionality, and with the Windows machines on the network configured
> as members of the workgroup. We decided to set it as a PDC and support
> roaming profiles.
>
> I made some changes to smb.conf, which is here:
> http://pastebin.com/raw.php?i=HCY2cfHw The profiles directory was chmod
> 2775 and its group changed from root to users. The netlogon directory is
> 755. net groupmap list is empty. Initially, in smb.conf the name resolve
> order was starting with dns, but Windows 7 kept giving me an error about
> finding the domain when I tried to change from workgroup to domain, so I
> took that out.
>
> All our Windows machines are Windows 7 64-bit Business. I configured
> them as follows: ‘Windows7 - SambaWiki’
> (http://wiki.samba.org/index.php/Windows7) (that is, as specified on
> that page, I only edited DomainCompatibilityMode and
> DNSNameResolutionRequired). Changing from workgroup to domain doesn’t
> give me an error until I reboot and try to log in with one of the SMB
> users: “The trust relationship between this workstation and the primary
> domain failed”. I can only log into the local machine account. If
> instead of changing from workgroup to domain directly I try to use the
> network ID wizard, it leads eventually to the same error when it tries
> to set up the domain user.
>
<snip>
>
>
> Why is it failing? I checked the smbpasswd file and I see BRIX$ in
> there (though in the Unix accounts, brix$ is in lowercase but my
> understanding is that’s not a problem). Also, it looks like it was
> automatically made a member of the group users, but I don’t think that
> matters.
>
> I don’t know how to troubleshoot this. I’ve tried removing the machine
> from the domain, then taking it out of smbpasswd and the Unix accounts,
> and then rejoining, but same thing.
>
> Please help!
>
>
Prune;
What really stood out in your smb.conf was the parameter settings:


hosts allow = 172.16. 127.
hosts deny = ALL

Note the extra space in 172.16. 127. As best that I can tell you are denying
all connections. A proper “hosts allow” should be all you need as others are
automatically denied. For your information below is the [global] and [profiles]
share of the smb.conf I currently use (Samba 3.6.10). It is not perfect but it
works. You might want to check your smb.conf with:


testparm -vs

The -v switch makes sure you see all the parameters and their values(including
defaults), not just those set in smb.conf.

I also note that you have setup a WINS server. Are all the clients pointed to
this IP either manually or by dhcp?



[global]
workgroup = MYDOMAIN
interfaces = eth0 lo
map to guest = Bad User
passdb backend = tdbsam:/etc/samba/passdb.tdb
passwd program = /usr/bin/passwd '%u'
passwd chat = *New*password* %n *Re-enter*new*password* %n *Password*changed*
passwd chat timeout = 30
username map = /etc/samba/smbusers
#	log level = 1 auth:3
#	log level = 3
log file = /var/log/samba/logsmbd.%m
max log size = 1000
max protocol = SMB2
debug pid = Yes
debug uid = Yes
winbind enum users = yes
winbind enum groups = yes
name resolve order = wins host lmhosts bcast
socket options = TCP_NODELAY
printcap cache time = 750
printing = cups
printcap name = cups
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false '%u'
add user script = /usr/sbin/useradd -m '%u'
delete user script = /usr/sbin/userdel -r '%u'
add group script = /usr/sbin/groupadd '%g'
delete group script = /usr/sbin/groupdel '%g'
logon path = \\%L\profiles\%U
logon home = \\%L\%U\.9xprofile
logon drive = S:
domain logons = Yes
os level = 127
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
cups options = raw
host msdfs = No
server signing = No
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = No
profile acls = Yes
use sendfile = Yes



P.V.
“We’re all in this together, I’m pulling for you” Red Green

On 1/23/2013 8:26 PM, Prune wrote:
>
> The discussion there seems to be about the Windows machine changing its
> password automatically after 30 days and having to rejoin the domain.
> Everywhere I looked online regarding this error message, it seems to be
> under that context. But I don’t see it applying to my case since it’s
> not that the machine loses the ability to authenticate–it never does in
> the first place. And so their solution of rejoining the domain doesn’t
> work (by now, I’ve tried that several times already).
>
> I will repost my question there, but I’m wondering, is there a
> Samba-specific forum anywhere? I had trouble finding one, surprisingly.
>
>
Prune;

You can use “regedit” to prevent Windows from changing its password.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

And if you would like to have a file selection menu to edit those system files that works with KDE or GNOME, have a look here. It works fine on the smb.conf file or any system owned file.

SYSEdit - System File Editor - Version 1.50: https://forums.opensuse.org/blogs/jdmcdaniel3/sysedit-system-file-editor-version-1-00-60/

Thank You,

On 1/23/2013 8:35 PM, PV wrote:
> Prune;
> What really stood out in your smb.conf was the parameter settings:
>
> hosts allow = 172.16. 127.
> hosts deny = ALL
>
Never mind; just a bit of brain freeze on my part.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

There’s nothing in the DNS server about WINS. I did try adding it into the client’s connection’s settings, but it made no difference so I took it out again. In any case, I’m not sure that WINS problems are consistent with the authentication-type error I’m getting.

Still haven’t tried the net groupmap and net rpc rights commands because it’s not clear to me if they’re necessary if I don’t require associations between Windows users/groups and the Samba/Linux side.

One of the things I noticed in the various links is that the examples don’t use quite the same sets of parameters on different sites…

On 1/24/2013 12:26 AM, Prune wrote:
>
> There’s nothing in the DNS server about WINS. I did try adding it into
> the client’s connection’s settings, but it made no difference so I took
> it out again. In any case, I’m not sure that WINS problems are
> consistent with the authentication-type error I’m getting.
>
> Still haven’t tried the net groupmap and net rpc rights commands
> because it’s not clear to me if they’re necessary if I don’t require
> associations between Windows users/groups and the Samba/Linux side.
>
> One of the things I noticed in the various links is that the examples
> don’t use quite the same sets of parameters on different sites…
>
>
Prune;

Has a network login ever worked from a client? If not, have you created the
users with:


smbpasswd -a <username>

root should always have permission to add machines to the domain but for other
users you need to use the “net rpc rights” utility.

You do not set the WINS address via DNS. If there are only a few clients they can be
manually pointed to the WINS server. Network and Sharing > Connections >
Properties > Internet Protocol Version 4(TCP/IPv4) > Properties > Advanced >
WINS tab. Or it can be set via the dhcp server. If you are using dhcp on a
consumer level router this is generally not possible. From Opensuse’s dhcpd
just add the following option in /etc/dhcpd.conf:


option netbios-name-servers X.Y.Z.W;

Where X.Y.Z.W is the address of your WINS server.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

It never has.

> If not, have you created the
> users with:
>
> smbpasswd -a <username>

Yes, of course. smbpasswd has all the users, including root. As I mentioned, there’s no issue logging onto the Samba shares and accessing the files by either running the “net use” command in cmd.exe or going to \\SMB in Windows Explorer and logging in with a user account and password.
The local machine doesn’t have these users, but I assume that’s the whole point of net logon, they don’t have to exist on the local machine.
The add machine script also appears to be working, as after the join attempt, smbpasswd contains the client machine name$, and a corresponding unix user has been created.

> root should always have permission to add machines to the domain but for other
> users you need to use the “net rpc rights” utility.

I ran the following, but still no cigar:

net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
net groupmap add ntgroup="Domain Users"  unixgroup=users rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
net rpc rights grant -U root "MACROH\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege

One thing I was missing from smb.conf was username map = /etc/samba/smbusers so I added it, and my smbusers contains

root = administrator Administrator admin
nobody = guest pcguest smbguest

Still no good.

> You do not set the WINS address via DNS. If there are only a few clients they can be
> manually pointed to the WINS server. Network and Sharing > Connections >
> Properties > Internet Protocol Version 4(TCP/IPv4) > Properties > Advanced >
> WINS tab. Or it can be set via the dhcp server. If you are using dhcp on a
> consumer level router this is generally not possible. From Opensuse’s dhcpd
> just add the following option in /etc/dhcpd.conf:
>
> option netbios-name-servers X.Y.Z.W;
>
> Where X.Y.Z.W is the address of your WINS server.

Here’s my config:
http://i45.tinypic.com/2zr3v5l.png

In the DNS tab, I also added, under “Append these DNS suffixes (in order)” the domain name (from smb.conf’s "workgroup = " line) and then the DNS Master zone as it’s shown in the Yast configuration for the DNS server that is on the same machine, the latter being different from the former–but does it matter?? In any case, still not working.
I assume when you say “your WINS server” you’re referring to Samba, as I don’t have any WINS server. That’s why I have the same IP address as the Samba machine for it. I assumed setting “wins support = Yes” is what makes Samba into a WINS server, no?

I’m turning pretty desperate, and there’s no telling that going through the trouble of moving to Samba 4 before it’s part of an openSUSE release will actually fix things…

On 1/24/2013 3:26 AM, Prune wrote:
><snip>

I understand that you have never been able to log in to a Windows client? Have
you tried using a username with the syntax YOURDOMAIN\username? Have you tried
leaving the domain and then rejoining the machine to the domain? Have you tried
joining an XP or Vista machine to the domain? Have you tried changing your
backend to tdbsam? (You can use pdbedit to convert your smbpasswd file to a
tdbsam.)

P.V.
“We’re all in this together, I’m pulling for you” Red Green

Brought in a new Windows 7 64-bit machine and that one works… So it seems to be a Windows configuration issue, but what other settings could possibly cause this authentication failure? The new machine is a recent clean install and uses MSE as antivirus, whereas the older workstations use AVG and Ad-Aware. But I doubt the antivirus could cause the difference. And I don’t see any difference in the network configuration of the machines. Any suggestions? I can’t simply replace all Windows clients on our network…

By the way, where exactly in dhcpd.conf do I add the option netbios-name-servers? My dhcpd.conf is generated by the DNS utility in Yast and I don’t want to make it not being able to be handled by that interface, if possible.

Also, thanks for all your help!

On 1/24/2013 8:16 PM, Prune wrote:
>
> Brought in a new Windows 7 64-bit machine and that one works… So it
> seems to be a Windows configuration issue, but what other settings could
> possibly cause this authentication failure? The new machine is a recent
> clean install and uses MSE as antivirus, whereas the older workstations
> use AVG and Ad-Aware. But I doubt the antivirus could cause the
> difference. And I don’t see any difference in the network configuration
> of the machines. Any suggestions? I can’t simply replace all Windows
> clients on our network…
>
> By the way, where exactly in dhcpd.conf do I add the option
> netbios-name-servers? My dhcpd.conf is generated by the DNS utility in
> Yast and I don’t want to make it not being able to be handled by that
> interface, if possible.
>
> Also, thanks for all your help!
>
>
Prune;

Have you tested with the Windows 7 firewall turned off? Many of the third party
internet suites do not play well with domains without a lot of
configuration. Microsoft Security Essentials with Windows firewall seems to be
easy to configure, and it’s free.

Have you left the domain by changing to some workgroup NOT on your network, then
rebooted? Now rejoin the domain.

I have the option netbios-name-servers in the subnet declaration of
/etc/dhcpd.conf. AFAIK you could also have it in the common section if all
your subnets use the same WINS. You might want to look at the information in:
/usr/share/doc/packages/dhcp-doc


P.V.
“We’re all in this together, I’m pulling for you” Red Green