[Samba] Moving PDC from Fedora to RHEL5 - _net_auth2: creds_server_check failed. Rejecting auth request from client

Paul Furness p.furness at uk.merce.mee.com
Mon Feb 15 03:22:08 MST 2010


Hi,

Yeah, I don't know why I missed that in going through Google - maybe I
was looking for the wrong solution.

I'll try a recompile - although I still don't understand why it doesn't
work with the older versions of Windows.

Thanks,

Paul.


Gaiseric Vandal wrote:
> Windows 7 requires Samba 3.3.x or 3.4.x.  I know between 3.4.x and
> 3.0.x there are changes in how LDAP and the Samba group mapping work.  If
> you don't have group mapping working for some of the key domain groups
> things are not going to work.  I have to think there is a whole
> list of other things that could possibly break.
>
> If you really have to run Samba on your RHEL5.x machine you may want
> to recompile a newer version of Samba.
>
>
> On 02/12/2010 01:34 PM, Paul Furness wrote:
>> Hi,
>>
>> I'm in need of some help with moving a Samba PDC with LDAP backend
>> from Fedora Linux to RHEL. The DNS is also running on that server and
>> needs to be moved also. The DNS and LDAP migration was simple enough.
>> The new server works just fine when using its own DNS and LDAP for
>> authentication, and all the users appear to be intact after the LDAP 
>> import. nss_ldap is working just fine. The new server has the same 
>> hostname and IP address as the old one (it is, of course, plugged 
>> into a physically separate, isolated network with no connection to 
>> the outside or the original network).
>>
>> However, when I try to migrate Samba, it simply doesn't work the way
>> it apparently should! However I do it, workstations which work 
>> perfectly on the old PDC will not authenticate to the new one (I took 
>> a Windows XP box from the old network, plugged it into the new net, 
>> booted up, tried to login, and it naturally failed).
>>
>> I tried setting the LDAP password in Samba (smbpasswd -w) and
>> starting up smb. It appears to start up ok, but then won't recognize 
>> any workstation trusts (I actually tried a couple of workstations); 
>> when I attempt to log in to the workstation, it fails to connect to 
>> the DC. /var/log/messages gives me "_net_auth2: creds_server_check 
>> failed. Rejecting auth request from client..."
>>
>> So I stopped Samba, removed all the tdb files from /var/cache/samba 
>> and /etc/samba. I then copied the tdb files from the running PDC 
>> over. Again, Samba seems to run perfectly, stating that it's the 
>> login controller etc. But still I cannot log in to the existing 
>> domain accounts.
>>
>> I checked the SID is the same on the new server - it is. I checked 
>> the PC account still exists by using finger to check for the Linux
>> account, and then pdbedit -L to check what Samba sees. Again, it all
>> appears fine.
>>
>> It *may* be possible to re-join the domain with the workstation, but 
>> I'm fed up with doing that every time I upgrade, and I refuse to 
>> accept that it's necessary - the network I'm running has about 100 
>> PCs on it, and it takes a long time and causes far too much 
>> disruption. Surely it MUST be possible to get the new Samba build to
>> use the authentication information generated by the old one?!
>>
>> I've tried all the different guides I can find, and spent a lot of 
>> time googling error messages, but nobody seems to have explained the 
>> answer to the problem, although various people seem to have a 
>> variation of it, usually caused by trying to migrate Samba from one 
>> box to another.
>>
>> I've encountered almost exactly the same set of problems every time 
>> I've tried to migrate Samba to a new server - so I freely acknowledge 
>> that it may be a simple fundamental thing which I don't understand 
>> but should do. But I don't think it's necessarily software version 
>> related - I tried moving to a test build using Fedora 12 and got 
>> exactly the same problems, and that was using newer versions of most 
>> of the packages.
>>
>> I've tried the Samba documentation, Google, reading mailing lists,
>> and just good old working it out myself, but it still simply doesn't 
>> work.
>>
>> So please, is there someone who can give me a clear and concise 
>> answer - why is it so hard to do this? Surely all the data is stored 
>> in the LDAP database, which is perfectly fine. So why won't Samba 
>> authenticate the trusts?
>>
>>
>> Version info:
>>
>> Working PDC:
>> Fedora 10, kernel 2.6.27
>> Samba 3.2.15, smbldap-tools 0.9.5
>> openldap 2.4.12
>>
>> New PDC (not working):
>> RHEL 5.4, kernel 2.6.18
>> Samba 3.0.33, smbldap-tools 0.9.4
>> openldap 2.3.43
>>
>>
>> The workstations I tried connecting with were Windows XP (sp3) and 
>> Windows 7 (just didn't even bother with Vista). The Windows 7 was 
>> failing on the "working" PDC - would join the domain ok but then not 
>> be able to get trust after reboot. This is why I started trying this 
>> migration in the first place.
>>
>> On the new PDC, the Win7 workstation does exactly what it did before 
>> - seems to join domain ok, then trust fails.
>>
>> Any ideas at all would be appreciated.
>>
>> Thanks,
>>
>> Paul.
>>
>>
>>
>>
>

-- 
*Paul Furness BEng(Hons) MBCS*
/Systems Manager/

*MERCE UK*
20, Frederick Sanger Road
The Surrey Research Park
Guildford, Surrey GU2 7YD
/UK Registered Branch BR 003158/
*DDI Telephone: +44 1483 885826*
Tel: +44 1483 885800   Fax: +44 1483 579107
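
The consistency checks described in the original post (same domain SID, machine accounts visible to `pdbedit -L`) can be run as a comparison of output captured on both servers; this is an added example, not part of the thread. The function names are hypothetical and the sample captures are constructed; the `net getlocalsid` and `pdbedit -L` output formats are the only things assumed.

```shell
#!/bin/sh
# Added example: compare identity data captured from the old and new PDC.
# Function names are hypothetical; all sample captures are constructed.

# Pull the SID out of `net getlocalsid` output.
extract_sid() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: \(S-[0-9-]*\)$/\1/p'
}

# Machine trust accounts (names ending in "$") from `pdbedit -L` output,
# lower-cased and sorted so two captures compare cleanly.
machine_accounts() {
    printf '%s\n' "$1" | awk -F: '$1 ~ /\$$/ { print tolower($1) }' | sort -u
}

# Machine accounts present in the first capture but absent from the second.
missing_accounts() {
    old=$(machine_accounts "$1"); new=$(machine_accounts "$2")
    printf '%s\n' "$old" | while IFS= read -r acct; do
        [ -n "$acct" ] || continue
        printf '%s\n' "$new" | grep -Fxq -- "$acct" || printf '%s\n' "$acct"
    done
}

# Args: old SID output, new SID output, old pdbedit -L, new pdbedit -L.
# Returns 0 only if the SIDs parse and match and no machine account is lost.
compare_pdc() {
    rc=0
    s1=$(extract_sid "$1"); s2=$(extract_sid "$2")
    if [ -z "$s1" ] || [ "$s1" != "$s2" ]; then
        echo "domain SID differs or could not be parsed"; rc=1
    fi
    miss=$(missing_accounts "$3" "$4")
    [ -z "$miss" ] || { echo "machine accounts missing on new PDC:"; echo "$miss"; rc=1; }
    return "$rc"
}

# Constructed sample captures (not from the thread).
OLD_SID='SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333'
NEW_SID='SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333'
OLD_PDB='alice:1001:Alice
ws01$:2001:WS01$
WS02$:2002:WS02$'
NEW_PDB='alice:1001:Alice
ws01$:2001:WS01$'

compare_pdc "$OLD_SID" "$NEW_SID" "$OLD_PDB" "$NEW_PDB" || echo "captures differ"
```

Matching output only confirms that the account data was carried over; it says nothing about the Samba version difference raised in the reply.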

