[Samba] Help - Cannot join Windows 7 client to Samba PDC

Dale Schroeder dale at BriannasSaladDressing.com
Thu Jan 14 14:49:57 MST 2010


Using 3.4.3, I could not establish a machine trust with either Win7 or XP. After a lot of searching, I located an old forum entry that said to add the -i switch to the add machine parameter. After doing that one change, adding a system to the domain went as expected. Perhaps it will work for you.

I had not previously seen "-i" used in any howto, but it worked as the writer said it would. Using your smb.conf entry:

add machine script = /home/admin/bin/smbldap-useradd -i -w '%u'

Dale


On 01/14/2010 3:27 AM, Richard Basch wrote:
> I have been going through all the Wikis and various Google searches to try
> to solve my problem, all to no avail.
>
> I can mount a Samba share, but whenever I try to login using a domain
> account, I receive an error about "The trust relationship between this
> workstation and the primary domain failed."
>
> What I have done so far, all to no avail.
> - Upgraded from Samba 3.4.2 to Samba 3.4.4 (under OpenSUSE 11.2)
> - Edited the registry settings on my Windows 7 client
> 	HKLM\System\CCS\Services\LanmanWorkstation\Parameters
> 	DWORD DomainCompatibilityMode = 1
> 	DWORD DNSNameResolutionRequired = 0
> (I also tried reducing the security requirements for signing & encryption,
> but have read this is not required with current versions of Samba.)
>
> (And, I am running Windows 7 Professional on my client.)
>
> "testparm -v" indicates my smb.conf is valid, and I am able to mount shares,
> which is a positive indication the OpenLDAP integration is working.  I am
> running OpenLDAP 2.4.15 or higher on all my LDAP servers (I think they are
> all 2.4.19 - 2.4.21).
>
> DNS is static, with none of the normal ADS entries.  Only the DHCP server is
> allowed to modify DNS (and only the forward map allows updates, since DHCP
> updates of the reverse in-addr.arpa maps were problematic).  To assist with
> finding the domain controller, I added the following to
> C:\Windows\System32\Drivers\etc\lmhosts:
> 	192.168.15.2	tardis	#PRE #DOM:N2HA
> (Thus my attempts to join the domain appear successful, with the documented
> warnings about the domain suffix.  Unfortunately, appearances are deceiving
> when I actually try to login using a domain account.)
>
> Attached are entries from my smbd.log and C:\Windows\debug\NetSetup.log and
> smb.conf.
>
> Any assistance or guidance would be greatly appreciated.
>
> log.smbd
> ========
> [2010/01/14 03:31:38,  0]
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>    _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
> auth request from client BAST machine account BAST$
> [2010/01/14 03:31:38,  0]
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>    _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
> auth request from client BAST machine account BAST$
> [2010/01/14 03:31:48,  0] lib/util_sock.c:539(read_fd_with_timeout)
> [2010/01/14 03:31:48,  0] lib/util_sock.c:1491(get_peer_addr_internal)
>    getpeername failed. Error was Transport endpoint is not connected
>    read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
> peer.
> [2010/01/14 03:33:17,  0]
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>    _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
> auth request from client BAST machine account BAST$
> [2010/01/14 03:33:17,  0]
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
>    _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
> auth request from client BAST machine account BAST$
> [2010/01/14 03:33:30,  0] lib/util_sock.c:539(read_fd_with_timeout)
> [2010/01/14 03:33:30,  0] lib/util_sock.c:1491(get_peer_addr_internal)
>    getpeername failed. Error was Transport endpoint is not connected
>    read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
> peer.
> [2010/01/14 03:34:18,  0] lib/util_sock.c:539(read_fd_with_timeout)
> [2010/01/14 03:34:18,  0] lib/util_sock.c:1491(get_peer_addr_internal)
>    getpeername failed. Error was Transport endpoint is not connected
>    read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
> peer.
>
>
> C:\Windows\debug\NetSetup.log
> =============================
> 01/13/2010 23:36:18:337 NetpJoinDomain: status of connecting to dc
> '\\TARDIS': 0x0
> 01/13/2010 23:36:18:337 NetpProvisionComputerAccount:
> 01/13/2010 23:36:18:337 	lpDomain: N2HA
> 01/13/2010 23:36:18:337 	lpMachineName: BAST
> 01/13/2010 23:36:18:337 	lpMachineAccountOU: (NULL)
> 01/13/2010 23:36:18:337 	lpDcName: TARDIS
> 01/13/2010 23:36:18:337 	lpDnsHostName: (NULL)
> 01/13/2010 23:36:18:337 	lpMachinePassword: (null)
> 01/13/2010 23:36:18:337 	lpAccount: N2HA\ntadmin
> 01/13/2010 23:36:18:337 	lpPassword: (non-null)
> 01/13/2010 23:36:18:337 	dwJoinOptions: 0x25
> 01/13/2010 23:36:18:337 	dwOptions: 0x40000003
> 01/13/2010 23:36:18:352 NetpLdapBind: ldap_bind failed on TARDIS: 49:
> Invalid Credentials
> 01/13/2010 23:36:18:426 NetpGetLsaPrimaryDomain: DNS Domain policy not
> supported, falling back to Primary Domain
> 01/13/2010 23:36:18:430 NetpGetLsaPrimaryDomain: status: 0x0
> 01/13/2010 23:36:18:432 NetpCreateComputerObjectInDs: DC passed '\\TARDIS'
> doesn't have writable DS 0x101
> 01/13/2010 23:36:18:432 NetpProvisionComputerAccount: LDAP creation failed:
> 0x32
> 01/13/2010 23:36:18:432 NetpJoinDomainOnDs: Function exits with status of:
> 0x32
> 01/13/2010 23:36:18:434 NetpJoinDomainOnDs: status of disconnecting from
> '\\TARDIS': 0x0
> 01/13/2010 23:36:18:434 NetpDoDomainJoin: status: 0x32
> 01/13/2010 23:36:18:450
> -----------------------------------------------------------------
> 01/13/2010 23:36:18:450 NetpDoDomainJoin
> 01/13/2010 23:36:18:450 NetpMachineValidToJoin: 'BAST'
> 01/13/2010 23:36:18:450 	OS Version: 6.1
> 01/13/2010 23:36:18:450 	Build number: 7600
> (7600.win7_rtm.090713-1255)
> 01/13/2010 23:36:18:451 	SKU: Windows 7 Professional
> 01/13/2010 23:36:18:451 NetpDomainJoinLicensingCheck: ulLicenseValue=1,
> Status: 0x0
> 01/13/2010 23:36:18:452 NetpGetLsaPrimaryDomain: status: 0x0
> 01/13/2010 23:36:18:453 NetpMachineValidToJoin: status: 0x0
> 01/13/2010 23:36:18:453 NetpJoinDomain
> 01/13/2010 23:36:18:453 	Machine: BAST
> 01/13/2010 23:36:18:453 	Domain: N2HA
> 01/13/2010 23:36:18:453 	MachineAccountOU: (NULL)
> 01/13/2010 23:36:18:453 	Account: N2HA\ntadmin
> 01/13/2010 23:36:18:453 	Options: 0x27
> 01/13/2010 23:36:18:453 NetpLoadParameters: loading registry parameters...
> 01/13/2010 23:36:18:453 NetpLoadParameters: status:
> DNSNameResolutionRequired set to '0'
> 01/13/2010 23:36:18:453 NetpLoadParameters: status: DomainCompatibilityMode
> set to '1'
> 01/13/2010 23:36:18:453 NetpLoadParameters: status: 0x0
> 01/13/2010 23:36:18:453 NetpValidateName: checking to see if 'N2HA' is valid
> as type 3 name
> 01/13/2010 23:36:18:554 NetpCheckDomainNameIsValid [ Exists ] for 'N2HA'
> returned 0x0
> 01/13/2010 23:36:18:554 NetpValidateName: name 'N2HA' is valid for type 3
> 01/13/2010 23:36:18:554 NetpDsGetDcName: trying to find DC in domain 'N2HA',
> flags: 0x1020
> 01/13/2010 23:36:18:755 NetpLoadParameters: loading registry parameters...
> 01/13/2010 23:36:18:755 NetpLoadParameters: status:
> DNSNameResolutionRequired set to '0'
> 01/13/2010 23:36:18:755 NetpLoadParameters: status: DomainCompatibilityMode
> set to '1'
> 01/13/2010 23:36:18:755 NetpLoadParameters: status: 0x0
> 01/13/2010 23:36:18:755 NetpDsGetDcName: found DC '\\TARDIS' in the
> specified domain
> 01/13/2010 23:36:18:755 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
> 01/13/2010 23:36:18:756 NetpJoinDomain: status of connecting to dc
> '\\TARDIS': 0x0
> 01/13/2010 23:36:18:756 NetpProvisionComputerAccount:
> 01/13/2010 23:36:18:756 	lpDomain: N2HA
> 01/13/2010 23:36:18:756 	lpMachineName: BAST
> 01/13/2010 23:36:18:756 	lpMachineAccountOU: (NULL)
> 01/13/2010 23:36:18:756 	lpDcName: TARDIS
> 01/13/2010 23:36:18:756 	lpDnsHostName: (NULL)
> 01/13/2010 23:36:18:756 	lpMachinePassword: (null)
> 01/13/2010 23:36:18:756 	lpAccount: N2HA\ntadmin
> 01/13/2010 23:36:18:756 	lpPassword: (non-null)
> 01/13/2010 23:36:18:756 	dwJoinOptions: 0x27
> 01/13/2010 23:36:18:756 	dwOptions: 0x40000003
> 01/13/2010 23:36:18:764 NetpLdapBind: ldap_bind failed on TARDIS: 49:
> Invalid Credentials
> 01/13/2010 23:36:18:773 NetpGetLsaPrimaryDomain: DNS Domain policy not
> supported, falling back to Primary Domain
> 01/13/2010 23:36:18:776 NetpGetLsaPrimaryDomain: status: 0x0
> 01/13/2010 23:36:18:779 NetpCreateComputerObjectInDs: DC passed '\\TARDIS'
> doesn't have writable DS 0x101
> 01/13/2010 23:36:18:779 NetpProvisionComputerAccount: LDAP creation failed:
> 0x32
> 01/13/2010 23:36:18:779 NetpProvisionComputerAccount: Retrying downlevel per
> options
> 01/13/2010 23:36:18:881 NetpManageMachineAccountWithSid: NetUserAdd on
> 'TARDIS' for 'BAST$' failed: 0x8b0
> 01/13/2010 23:36:19:287 NetpManageMachineAccountWithSid: status of
> attempting to set password on 'TARDIS' for 'BAST$': 0x0
> 01/13/2010 23:36:19:287 NetpProvisionComputerAccount: retry status of
> creating account: 0x0
> 01/13/2010 23:36:19:287 NetpEncodeProvisioningBlob: Encoding provisioning
> data
> 01/13/2010 23:36:19:287 NetpInitBlobWin7: Constructing blob...
> 01/13/2010 23:36:19:287 Blob version: 1
>
> smb.conf
> ========
> [global]
>          workgroup = N2HA
>          realm = INTERNAL.BRIGHT-PROSPECTS.COM
>          security = user
>          map to guest = Bad User
>          usershare allow guests = Yes
>
>          server string = %h (Samba %v)
>          hosts allow = 192.168.0.0/16
>          socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>          smb ports = 445 139
>          ;os level = 65
>          local master = yes
>          domain master = yes
>          preferred master = yes
>          domain logons = yes
>          winbind use default domain = yes
>
>          printing = cups
>          printcap name = cups
>          printcap cache time = 750
>          cups options = raw
>
>          name resolve order = wins lmhosts bcast
>          wins support = yes
>          dns proxy = no
>          ea support = yes
>          enable asu support = yes
>          time server = yes
>          deadtime = 10
>          max log size = 4096
>          hide unreadable = yes
>          hide dot files = no
>          template shell = /bin/false
>          veto oplock files = /*.pst/*.nsf/*.doc/*.xls/*.mdb/
>
>          client lanman auth = no
>          client ntlmv2 auth = yes
>          client plaintext auth = no
>          encrypt passwords = yes
>          lanman auth = no
>          ntlm auth = yes
>          null passwords = yes
>          server signing = auto
>          server schannel = auto
>
>          passdb backend = ldapsam:ldaps://ldap.internal.bright-prospects.com/
>          obey pam restrictions = no
>          ldap ssl = no
>          ldap admin dn = "uid=ntadmin,ou=System,ou=User,dc=bright-prospects,dc=com"
>          ldap suffix = dc=bright-prospects,dc=com
>          ldap machine suffix = sambaDomainName=N2HA,ou=Network
>          ldap user suffix = ou=People,ou=User
>          ldap group suffix = ou=Group
>          ldap idmap suffix = ou=IdMap,ou=Network
>          ldap passwd sync = yes
>          ldap delete dn = no
>
>          add user script = /home/admin/bin/smbldap-useradd -m %u
>          delete user script = /home/admin/bin/smbldap-userdel %u
>          add machine script = /home/admin/bin/smbldap-useradd -w %u
>          add group script = /home/admin/bin/smbldap-groupadd -p %g
>          #delete group script = /home/admin/bin/smbldap-groupdel %g
>          add user to group script = /home/admin/bin/smbldap-groupmod -m %u %g
>          delete user from group script = /home/admin/bin/smbldap-groupmod -x %u %g
>          set primary group script = /home/admin/bin/smbldap-usermod -g %g %u
>          passwd program = /home/admin/bin/smbldap-passwd %u
>
>          vfs objects = extd_audit recycle
>          recycle: directory_mode = 0770
>          recycle: keeptree = 1
>          recycle: touch = 1
>          recycle: minsize = 1
>          recycle: maxsize = 5000000
>          recycle: exclude = *.tmp *.temp ~$* *.obj *.~??
>          recycle: exclude_dir = /RealTimeBackup
>          ;vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
>
> [homes]
>          comment = Home Directories
>          ;valid users = %S, %D%w%S
>          browseable = No
>          read only = No
>          inherit acls = Yes
>          ;
>          locking = no
>          hide files = /.*/desktop.ini/thumbs.db/*.bitmap/NTUSER.*/
>          hide special files = yes
>          path = /home/%S
> [profiles]
>          comment = Network Profiles Service
>          ;path = %H
>          read only = No
>          store dos attributes = Yes
>          create mask = 0600
>          directory mask = 0700
>          ;
>          hide files = /desktop.ini/thumbs.db/*.bitmap/
>          guest ok = yes
>          path = /home/profiles
> [users]
>          comment = All users
>          path = /home
>          read only = No
>          inherit acls = Yes
>          veto files = /aquota.user/groups/shares/
> [groups]
>          comment = All groups
>          path = /home/groups
>          read only = No
>          inherit acls = Yes
> [printers]
>          comment = All Printers
>          path = /var/tmp
>          printable = Yes
>          create mask = 0600
>          browseable = No
> [print$]
>          comment = Printer Drivers
>          path = /var/lib/samba/drivers
>          write list = @ntadmin root
>          force group = ntadmin
>          create mask = 0664
>          directory mask = 0775
>