[Samba] Moving PDC from Fedora to RHEL5 - _net_auth2: creds_server_check failed. Rejecting auth request from client
Paul Furness
p.furness at uk.merce.mee.com
Mon Feb 15 03:22:08 MST 2010
Hi,
Yeah, I don't know why I missed that in going through google - maybe I
was looking for the wrong solution.
I'll try a recompile - although I still don't understand why it doesn't
work with the older versions of windows.
Thanks,
Paul.
Gaiseric Vandal wrote:
> Windows 7 requires Samba 3.3.x or 3.4.x. I know between 3.4.x and
> 3.0.x there are changes in how ldap and the samba group mapping work. If
> you don't have group mapping working for some of the key domain groups
> things are not going to work. I have to think there is a whole
> list of other things that could possibly break.
>
> If you really have to run samba on your RHEL5.x machine you may want
> to recompile a newer version of samba.
>
>
> On 02/12/2010 01:34 PM, Paul Furness wrote:
>> Hi,
>>
>> I'm in need of some help with moving a Samba PDC with LDAP backend
>> from Fedora linux to RHEL. The DNS is also running on that server and
>> needs to be moved also. The DNS and LDAP migration was simple enough.
>> The new server works just fine when using its own DNS and LDAP for
>> authentication, and all the users appear to be intact after the LDAP
>> import. nss_ldap is working just fine. The new server has the same
>> hostname and IP address as the old one (it is, of course, plugged
>> into a physically separate, isolated network with no connection to
>> the outside or the original network).
>>
>> However, when I try to migrate samba, it simply doesn't work the way
>> it apparently should! However I do it, workstations which work
>> perfectly on the old PDC will not authenticate to the new one (I took
>> a Windows XP box from the old network, plugged it into the new net,
>> booted up, tried to login, and it naturally failed).
>>
>> I tried setting the ldap password in samba (smbpasswd -w) and
>> starting up smb. It appears to start up ok, but then won't recognize
>> any workstation trusts (I actually tried a couple of workstations);
>> when I attempt to log in to the workstation, it fails to connect to
>> the DC. /var/log/messages gives me "_net_auth2: creds_server_check
>> failed. Rejecting auth request from client..."
>>
>> So I stopped Samba, removed all the tdb files from /var/cache/samba
>> and /etc/samba. I then copied the tdb files from the running PDC
>> over. Again, Samba seems to run perfectly, stating that it's the
>> login controller etc. But still I cannot log in to the existing
>> domain accounts.
>>
>> I checked the SID is the same on the new server - it is. I checked
>> the PC account still exists by using finger to check for the linux
>> account, and then pdbedit -L to check what samba sees. Again, it all
>> appears fine.
>>
>> It *may* be possible to re-join the domain with the workstation, but
>> I'm fed up with doing that every time I upgrade, and I refuse to
>> accept that it's necessary - the network I'm running has about 100
>> PCs on it, and it takes a long time and causes far too much
>> disruption. Surely it MUST be possible to get the new samba build to
>> use the authentication information generated by the old one?!
>>
>> I've tried all the different guides I can find, and spent a lot of
>> time googling error messages, but nobody seems to have explained the
>> answer to the problem, although various people seem to have a
>> variation of it, usually caused by trying to migrate Samba from one
>> box to another.
>>
>> I've encountered almost exactly the same set of problems every time
>> I've tried to migrate Samba to a new server - so I freely acknowledge
>> that it may be a simple fundamental thing which I don't understand
>> but should do. But I don't think it's necessarily software version
>> related - I tried moving to a test build using Fedora 12 and got
>> exactly the same problems, and that was using newer versions of most
>> of the packages.
>>
>> I've tried the Samba documentation, google, reading mailing lists,
>> and just good old working it out myself, but it still simply doesn't
>> work.
>>
>> So please, is there someone who can give me a clear and concise
>> answer - why is it so hard to do this? Surely all the data is stored
>> in the LDAP database, which is perfectly fine. So why won't Samba
>> authenticate the trusts?
>>
>>
>> Version info:
>>
>> Working PDC:
>> Fedora 10, kernel 2.6.27
>> Samba 3.2.15, smbldap-tools 0.9.5
>> openldap 2.4.12
>>
>> New PDC (not working):
>> RHEL 5.4, kernel 2.6.18
>> Samba 3.0.33, smbldap-tools 0.9.4
>> openldap 2.3.43
>>
>>
>> The workstations I tried connecting with were Windows XP (sp3) and
>> Windows 7 (just didn't even bother with Vista). The Windows 7 was
>> failing on the "working" PDC - would join the domain ok but then not
>> be able to get trust after reboot. This is why I started trying this
>> migration in the first place.
>>
>> On the new PDC, the Win7 workstation does exactly what it did before
>> - seems to join domain ok, then trust fails.
>>
>> Any ideas at all would be appreciated.
>>
>> Thanks,
>>
>> Paul.
>>
>>
>>
>>
>
--
*Paul Furness BEng(Hons) MBCS*
/Systems Manager/
*MERCE UK*
20, Frederick Sanger Road
The Surrey Research Park
Guildford, Surrey GU2 7YD
/UK Registered Branch BR 003158/
*DDI Telephone: +44 1483 885826*
Tel: +44 1483 885800 Fax: +44 1483 579107