[Samba] Windows 7 + Samba domain issues

Moray Henderson Moray.Henderson at ict-software.org
Tue Dec 8 02:51:22 MST 2009


Alex Ferrara wrote:
>Hi all,
>
>Earlier I emailed the list on some issues I was having with Windows 7, and
>one of those issues was the trust relationship breaking down after one
>month. I think I have some more light to shed on this topic.
>
>First, some environmental facts
>
>I am running Ubuntu Karmic 9.10 with Samba 3.4.0-3ubuntu5.1
>I have installed the latest LDAP schema into OpenLDAP 2.4.18-0ubuntu1
>I have a working LDAP directory with users and machine trust accounts.
>This is continuing to work flawlessly with XP clients.
>I have applied the two registry hacks into my Windows 7 workstations to
>enable legacy domains, and to turn off the dns resolution requirement.
>
>When I join the domain, everything happens as advertised, and I do get the
>error message from Windows 7 about DNS that I read on wiki.samba.org can
>be safely ignored. Immediately after joining the domain, and after the
>mandatory reboot, I can log in as advertised. However, after a period of
>time (not sure how long), the Windows 7 clients start using their cached
>credentials, and no longer communicate properly with the Samba PDC. After
>a period of about 1 month, the clients no longer use their cached
>credentials, as they probably expire, and then I can no longer log in,
>with the message that "The trust relationship between this workstation and
>the primary domain failed."
>
>After some digging, I noticed that the problem in the machine's log file
>was that the machine trust account could not be found.
>
>[2009/12/07 19:33:13,  3] auth/auth.c:222(check_ntlm_password)
>  check_ntlm_password:  Checking password for unmapped user []\[]@[AC-1391] with the new password interface
>[2009/12/07 19:33:13,  3] auth/auth.c:225(check_ntlm_password)
>  check_ntlm_password:  mapped user is: [DOMAIN]\[]@[AC-1391]
>[2009/12/07 19:33:13,  3] auth/auth.c:271(check_ntlm_password)
>  check_ntlm_password: guest authentication for user [] succeeded
>[2009/12/07 19:33:13,  0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
>  pdb_get_group_sid: Failed to find Unix account for ac-1391$
>[2009/12/07 19:33:13,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
>[2009/12/07 19:33:13,  0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
>  pdb_get_group_sid: Failed to find Unix account for ac-1391$
>[2009/12/07 19:33:13,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
>[2009/12/07 19:33:26,  0] lib/util_sock.c:537(read_socket_with_timeout)
>[2009/12/07 19:33:26,  0] lib/util_sock.c:1468(get_peer_addr_internal)
>  getpeername failed. Error was Transport endpoint is not connected
>  read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
>
>The interesting line there is "Failed to find Unix account for ac-1391$".
>This implies that the account is missing, but when I look at the LDAP
>directory with my browser, it is there. Now it gets interesting... At the
>time I am trying to log in, I get the following in /var/log/syslog
>
>Dec  7 19:46:27 server slapd[2514]: conn=184 op=2 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)
>
>Invalid dn indeed. sambaDomainName=DOMAIN,dc=domain,dc=local exists, but
>sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local does not.
>
>Does anyone know why Samba would be performing this as a lookup? I have
>seen other people with these symptoms, but I have not been able to find an
>answer.
>
>aF

I asked about similar error logs a while ago, using tdb files and Samba
3.3.9 (http://lists.samba.org/archive/samba/2009-November/152126.html).
Have not yet seen Win 7 being rejected after a month, but it's been less
than a month since I started testing it.  I would also like to know
what's happening.


Moray.
"To err is human.  To purr, feline"

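Added example, not part of either message above: a triage script that parses smbd logs in the layout quoted in this thread, groups netlogon rejections by machine account, marks the ones where the passdb lookup also failed, and flags slapd "invalid dn" searches containing an empty RDN value. The function names, the WS-0007 host and the sample strings are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the smbd log layout quoted above; WS-0007 is invented.
SAMPLE_SMBD = """\
[2009/12/07 19:33:13,  0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:33:13,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
[2009/12/07 19:40:02,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS-0007 machine account WS-0007$
"""
# Constructed syslog sample reusing the slapd line quoted above.
SAMPLE_SYSLOG = ("Dec  7 19:46:27 server slapd[2514]: conn=184 op=2 do_search: "
                 "invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)\n")

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+(\d+)\]\s+(\S+)\((\w+)\)")
NO_UNIX = re.compile(r"Failed to find Unix account for (\S+\$)")
REJECTED = re.compile(r"Rejecting auth request from client (\S+) machine account (\S+\$)")
BAD_DN = re.compile(r"slapd\[\d+\]: (conn=\d+ op=\d+) do_search: invalid dn \((.*)\)")

def parse_smbd(text):
    """Return (timestamp, level, function, message); indented lines continue a record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(4), ""])
        elif records and line.strip():
            records[-1][3] = (records[-1][3] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def trust_failures(text):
    """Per machine account: rejection count and whether the Unix account lookup failed."""
    out = defaultdict(lambda: {"rejected": 0, "lookup_failed": False})
    for _ts, _level, _func, msg in parse_smbd(text):
        if (m := REJECTED.search(msg)):
            out[m.group(2).lower()]["rejected"] += 1
        elif (m := NO_UNIX.search(msg)):
            out[m.group(1).lower()]["lookup_failed"] = True
    return dict(out)

def empty_rdn_searches(text):
    """slapd 'invalid dn' entries whose DN has an RDN with no value after '='."""
    hits = []
    for m in BAD_DN.finditer(text):
        rdns = m.group(2).split(",")  # enough for these DNs: no escaped commas
        if any(r.partition("=")[2] == "" for r in rdns):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    print(trust_failures(SAMPLE_SMBD), empty_rdn_searches(SAMPLE_SYSLOG))
```

Accounts with `lookup_failed` set match the pattern described in the quoted message; a rejection without it points to a different cause and needs separate investigation.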




