[Samba] Help - Cannot join Windows 7 client to Samba PDC

Richard Basch basch at MIT.EDU
Thu Jan 14 02:27:08 MST 2010


I have been going through all the Wikis and various Google searches to try
to solve my problem, all to no avail.

I can mount a Samba share, but whenever I try to login using a domain
account, I receive an error about "The trust relationship between this
workstation and the primary domain failed."

What I have done so far, all to no avail:
- Upgraded from Samba 3.4.2 to Samba 3.4.4 (under OpenSUSE 11.2)
- Edited the registry settings on my Windows 7 client
	HKLM\System\CCS\Services\LanmanWorkstation\Parameters
	DWORD DomainCompatibilityMode = 1
	DWORD DNSNameResolutionRequired = 0
(I also tried reducing the security requirements for signing & encryption,
but have read this is not required with current versions of Samba.)

(And, I am running Windows 7 Professional on my client.)

"testparm -v" indicates my smb.conf is valid, and I am able to mount shares,
which is a positive indication the OpenLDAP integration is working.  I am
running OpenLDAP 2.4.15 or higher on all my LDAP servers (I think they are
all 2.4.19 - 2.4.21).

DNS is static, with none of the normal ADS entries.  Only the DHCP server is
allowed to modify DNS (and only the forward map allows updates, since DHCP
updates of the reverse in-addr.arpa maps were problematic).  To assist with
finding the domain controller, I added the following to
C:\Windows\System32\Drivers\etc\lmhosts:
	192.168.15.2	tardis	#PRE #DOM:N2HA
(Thus my attempts to join the domain appear successful, with the documented
warnings about the domain suffix.  Unfortunately, appearances are deceiving
when I actually try to login using a domain account.)

Attached are entries from my smbd.log and C:\Windows\debug\NetSetup.log and
smb.conf.

Any assistance or guidance would be greatly appreciated.

log.smbd
========
[2010/01/14 03:31:38,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
[2010/01/14 03:31:38,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
[2010/01/14 03:31:48,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/01/14 03:31:48,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/01/14 03:33:17,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
[2010/01/14 03:33:17,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
[2010/01/14 03:33:30,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/01/14 03:33:30,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/01/14 03:34:18,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/01/14 03:34:18,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.


C:\Windows\debug\NetSetup.log
=============================
01/13/2010 23:36:18:337 NetpJoinDomain: status of connecting to dc '\\TARDIS': 0x0
01/13/2010 23:36:18:337 NetpProvisionComputerAccount:
01/13/2010 23:36:18:337 	lpDomain: N2HA
01/13/2010 23:36:18:337 	lpMachineName: BAST
01/13/2010 23:36:18:337 	lpMachineAccountOU: (NULL)
01/13/2010 23:36:18:337 	lpDcName: TARDIS
01/13/2010 23:36:18:337 	lpDnsHostName: (NULL)
01/13/2010 23:36:18:337 	lpMachinePassword: (null)
01/13/2010 23:36:18:337 	lpAccount: N2HA\ntadmin
01/13/2010 23:36:18:337 	lpPassword: (non-null)
01/13/2010 23:36:18:337 	dwJoinOptions: 0x25
01/13/2010 23:36:18:337 	dwOptions: 0x40000003
01/13/2010 23:36:18:352 NetpLdapBind: ldap_bind failed on TARDIS: 49: Invalid Credentials
01/13/2010 23:36:18:426 NetpGetLsaPrimaryDomain: DNS Domain policy not supported, falling back to Primary Domain
01/13/2010 23:36:18:430 NetpGetLsaPrimaryDomain: status: 0x0
01/13/2010 23:36:18:432 NetpCreateComputerObjectInDs: DC passed '\\TARDIS' doesn't have writable DS 0x101
01/13/2010 23:36:18:432 NetpProvisionComputerAccount: LDAP creation failed: 0x32
01/13/2010 23:36:18:432 NetpJoinDomainOnDs: Function exits with status of: 0x32
01/13/2010 23:36:18:434 NetpJoinDomainOnDs: status of disconnecting from '\\TARDIS': 0x0
01/13/2010 23:36:18:434 NetpDoDomainJoin: status: 0x32
01/13/2010 23:36:18:450
-----------------------------------------------------------------
01/13/2010 23:36:18:450 NetpDoDomainJoin
01/13/2010 23:36:18:450 NetpMachineValidToJoin: 'BAST'
01/13/2010 23:36:18:450 	OS Version: 6.1
01/13/2010 23:36:18:450 	Build number: 7600 (7600.win7_rtm.090713-1255)
01/13/2010 23:36:18:451 	SKU: Windows 7 Professional
01/13/2010 23:36:18:451 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
01/13/2010 23:36:18:452 NetpGetLsaPrimaryDomain: status: 0x0
01/13/2010 23:36:18:453 NetpMachineValidToJoin: status: 0x0
01/13/2010 23:36:18:453 NetpJoinDomain
01/13/2010 23:36:18:453 	Machine: BAST
01/13/2010 23:36:18:453 	Domain: N2HA
01/13/2010 23:36:18:453 	MachineAccountOU: (NULL)
01/13/2010 23:36:18:453 	Account: N2HA\ntadmin
01/13/2010 23:36:18:453 	Options: 0x27
01/13/2010 23:36:18:453 NetpLoadParameters: loading registry parameters...
01/13/2010 23:36:18:453 NetpLoadParameters: status: DNSNameResolutionRequired set to '0'
01/13/2010 23:36:18:453 NetpLoadParameters: status: DomainCompatibilityMode set to '1'
01/13/2010 23:36:18:453 NetpLoadParameters: status: 0x0
01/13/2010 23:36:18:453 NetpValidateName: checking to see if 'N2HA' is valid as type 3 name
01/13/2010 23:36:18:554 NetpCheckDomainNameIsValid [ Exists ] for 'N2HA' returned 0x0
01/13/2010 23:36:18:554 NetpValidateName: name 'N2HA' is valid for type 3
01/13/2010 23:36:18:554 NetpDsGetDcName: trying to find DC in domain 'N2HA', flags: 0x1020
01/13/2010 23:36:18:755 NetpLoadParameters: loading registry parameters...
01/13/2010 23:36:18:755 NetpLoadParameters: status: DNSNameResolutionRequired set to '0'
01/13/2010 23:36:18:755 NetpLoadParameters: status: DomainCompatibilityMode set to '1'
01/13/2010 23:36:18:755 NetpLoadParameters: status: 0x0
01/13/2010 23:36:18:755 NetpDsGetDcName: found DC '\\TARDIS' in the specified domain
01/13/2010 23:36:18:755 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
01/13/2010 23:36:18:756 NetpJoinDomain: status of connecting to dc '\\TARDIS': 0x0
01/13/2010 23:36:18:756 NetpProvisionComputerAccount:
01/13/2010 23:36:18:756 	lpDomain: N2HA
01/13/2010 23:36:18:756 	lpMachineName: BAST
01/13/2010 23:36:18:756 	lpMachineAccountOU: (NULL)
01/13/2010 23:36:18:756 	lpDcName: TARDIS
01/13/2010 23:36:18:756 	lpDnsHostName: (NULL)
01/13/2010 23:36:18:756 	lpMachinePassword: (null)
01/13/2010 23:36:18:756 	lpAccount: N2HA\ntadmin
01/13/2010 23:36:18:756 	lpPassword: (non-null)
01/13/2010 23:36:18:756 	dwJoinOptions: 0x27
01/13/2010 23:36:18:756 	dwOptions: 0x40000003
01/13/2010 23:36:18:764 NetpLdapBind: ldap_bind failed on TARDIS: 49: Invalid Credentials
01/13/2010 23:36:18:773 NetpGetLsaPrimaryDomain: DNS Domain policy not supported, falling back to Primary Domain
01/13/2010 23:36:18:776 NetpGetLsaPrimaryDomain: status: 0x0
01/13/2010 23:36:18:779 NetpCreateComputerObjectInDs: DC passed '\\TARDIS' doesn't have writable DS 0x101
01/13/2010 23:36:18:779 NetpProvisionComputerAccount: LDAP creation failed: 0x32
01/13/2010 23:36:18:779 NetpProvisionComputerAccount: Retrying downlevel per options
01/13/2010 23:36:18:881 NetpManageMachineAccountWithSid: NetUserAdd on 'TARDIS' for 'BAST$' failed: 0x8b0
01/13/2010 23:36:19:287 NetpManageMachineAccountWithSid: status of attempting to set password on 'TARDIS' for 'BAST$': 0x0
01/13/2010 23:36:19:287 NetpProvisionComputerAccount: retry status of creating account: 0x0
01/13/2010 23:36:19:287 NetpEncodeProvisioningBlob: Encoding provisioning data
01/13/2010 23:36:19:287 NetpInitBlobWin7: Constructing blob...
01/13/2010 23:36:19:287 Blob version: 1

smb.conf
========
[global]
        workgroup = N2HA
        realm = INTERNAL.BRIGHT-PROSPECTS.COM
        security = user
        map to guest = Bad User
        usershare allow guests = Yes

        server string = %h (Samba %v)
        hosts allow = 192.168.0.0/16
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        smb ports = 445 139
        ;os level = 65
        local master = yes
        domain master = yes
        preferred master = yes
        domain logons = yes
        winbind use default domain = yes

        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw

        name resolve order = wins lmhosts bcast
        wins support = yes
        dns proxy = no
        ea support = yes
        enable asu support = yes
        time server = yes
        deadtime = 10
        max log size = 4096
        hide unreadable = yes
        hide dot files = no
        template shell = /bin/false
        veto oplock files = /*.pst/*.nsf/*.doc/*.xls/*.mdb/

        client lanman auth = no
        client ntlmv2 auth = yes
        client plaintext auth = no
        encrypt passwords = yes
        lanman auth = no
        ntlm auth = yes
        null passwords = yes
        server signing = auto
        server schannel = auto

        passdb backend = ldapsam:ldaps://ldap.internal.bright-prospects.com/
        obey pam restrictions = no
        ldap ssl = no
        ldap admin dn = "uid=ntadmin,ou=System,ou=User,dc=bright-prospects,dc=com"
        ldap suffix = dc=bright-prospects,dc=com
        ldap machine suffix = sambaDomainName=N2HA,ou=Network
        ldap user suffix = ou=People,ou=User
        ldap group suffix = ou=Group
        ldap idmap suffix = ou=IdMap,ou=Network
        ldap passwd sync = yes
        ldap delete dn = no

        add user script = /home/admin/bin/smbldap-useradd -m %u
        delete user script = /home/admin/bin/smbldap-userdel %u
        add machine script = /home/admin/bin/smbldap-useradd -w %u
        add group script = /home/admin/bin/smbldap-groupadd -p %g
        #delete group script = /home/admin/bin/smbldap-groupdel %g
        add user to group script = /home/admin/bin/smbldap-groupmod -m %u %g
        delete user from group script = /home/admin/bin/smbldap-groupmod -x %u %g
        set primary group script = /home/admin/bin/smbldap-usermod -g %g %u
        passwd program = /home/admin/bin/smbldap-passwd %u

        vfs objects = extd_audit recycle
        recycle: directory_mode = 0770
        recycle: keeptree = 1
        recycle: touch = 1
        recycle: minsize = 1
        recycle: maxsize = 5000000
        recycle: exclude = *.tmp *.temp ~$* *.obj *.~??
        recycle: exclude_dir = /RealTimeBackup
        ;vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

[homes]
        comment = Home Directories
        ;valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
        ;
        locking = no
        hide files = /.*/desktop.ini/thumbs.db/*.bitmap/NTUSER.*/
        hide special files = yes
        path = /home/%S
[profiles]
        comment = Network Profiles Service
        ;path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
        ;
        hide files = /desktop.ini/thumbs.db/*.bitmap/
        guest ok = yes
        path = /home/profiles
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775
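The smbd log line above, "netlogon_creds_server_check failed", is the PDC's half of the NetrServerAuthenticate3 exchange: the server recomputes the client's Netlogon credential from the machine account password hash it holds (for an ldapsam backend, the sambaNTPassword of BAST$) and rejects the request when that does not match what the workstation computed from the password it set at join time. The Go program below is an added example, not code from the post or from Samba itself, that carries out both sides of that check using the strong-key variant of MS-NRPC (HMAC-MD5 session key, DES credential computation), the variant a Samba 3.x PDC negotiates since it does not offer the AES flag. The NT hashes, the two challenges and the "stale hash in the passdb" scenario are constructed values, labelled as such in the code; the function names are this example's own.

```go
package main

import (
	"crypto/des"
	"crypto/hmac"
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"log"
)

// expandDESKey stretches a 7-byte key fragment into the 8-byte form DES wants
// (MS-NRPC 3.1.4.4.1, Samba's str_to_key). DES ignores the low bit of each key
// byte, so the parity bits are simply left at zero.
func expandDESKey(in []byte) []byte {
	out := []byte{
		in[0] >> 1,
		(in[0]&0x01)<<6 | in[1]>>2,
		(in[1]&0x03)<<5 | in[2]>>3,
		(in[2]&0x07)<<4 | in[3]>>4,
		(in[3]&0x0f)<<3 | in[4]>>5,
		(in[4]&0x1f)<<2 | in[5]>>6,
		(in[5]&0x3f)<<1 | in[6]>>7,
		in[6] & 0x7f,
	}
	for i := range out {
		out[i] <<= 1
	}
	return out
}

// sessionKeyStrong derives the 16-byte Netlogon session key for the
// "strong key" negotiation (MS-NRPC 3.1.4.3.1): MD5 over four zero bytes and
// both challenges, then HMAC-MD5 keyed with the machine account's NT hash.
func sessionKeyStrong(ntHash, clientChal, serverChal []byte) []byte {
	h := md5.New()
	h.Write([]byte{0, 0, 0, 0})
	h.Write(clientChal)
	h.Write(serverChal)
	m := hmac.New(md5.New, ntHash)
	m.Write(h.Sum(nil))
	return m.Sum(nil)
}

// netlogonCredential turns an 8-byte input (a challenge) into an 8-byte
// credential under the session key: DES with key bytes 0..6, then DES with
// key bytes 7..13 (MS-NRPC 3.1.4.4.1).
func netlogonCredential(sessionKey, input []byte) []byte {
	c1, err := des.NewCipher(expandDESKey(sessionKey[0:7]))
	if err != nil {
		log.Fatal(err)
	}
	c2, err := des.NewCipher(expandDESKey(sessionKey[7:14]))
	if err != nil {
		log.Fatal(err)
	}
	tmp := make([]byte, 8)
	out := make([]byte, 8)
	c1.Encrypt(tmp, input)
	c2.Encrypt(out, tmp)
	return out
}

// clientAuthenticate is the workstation's side of NetrServerAuthenticate3:
// it proves knowledge of the machine password by sending the credential
// computed over its own challenge.
func clientAuthenticate(ntHash, clientChal, serverChal []byte) []byte {
	return netlogonCredential(sessionKeyStrong(ntHash, clientChal, serverChal), clientChal)
}

// serverCheck is the DC's side (what Samba calls netlogon_creds_server_check):
// recompute the expected client credential from the NT hash held in the
// passdb and compare it in constant time with what the client sent.
func serverCheck(storedNTHash, clientChal, serverChal, clientCred []byte) bool {
	expected := netlogonCredential(sessionKeyStrong(storedNTHash, clientChal, serverChal), clientChal)
	return hmac.Equal(expected, clientCred)
}

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		log.Fatal(err)
	}
	return b
}

func main() {
	// Constructed values for illustration; none are taken from the post.
	// The NT hash is what an ldapsam backend would hold in sambaNTPassword.
	machinePwHash := mustHex("0123456789abcdef0123456789abcdef") // what BAST$ set at join
	staleHash := mustHex("fedcba9876543210fedcba9876543210")     // an out-of-date value in the passdb
	clientChal := mustHex("0102030405060708")
	serverChal := mustHex("1112131415161718")

	cred := clientAuthenticate(machinePwHash, clientChal, serverChal)
	fmt.Printf("client credential: %x\n", cred)

	for _, stored := range [][]byte{machinePwHash, staleHash} {
		if serverCheck(stored, clientChal, serverChal, cred) {
			fmt.Println("stored hash", hex.EncodeToString(stored), "-> secure channel established")
		} else {
			fmt.Println("stored hash", hex.EncodeToString(stored), "-> netlogon_creds_server_check failed, rejecting BAST$")
		}
	}
}
```

Run it with `go run`. The thing to take from it is that the server's verdict depends only on the NT hash it reads from its passdb, the negotiated key flags and the two challenges, so a rejection of a freshly joined workstation means the PDC's copy of the machine password does not agree with the one the client holds, whichever side is stale. On the Samba side, `pdbedit -Lw 'BAST$'` prints the machine account in smbpasswd format, NT hash included, which can be compared with the sambaNTPassword attribute of the same entry in LDAP.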