[Samba] Win7 - Samba 3.5.4 trust relationship

Ivan H Dichev idichev at csc.com
Fri Jul 1 03:03:43 MDT 2011


Hello all,

I guess that everyone knows the message "the trust relation between this 
workstation and the primary domain failed" when joining Win7 into a samba 
domain. Unfortunately, the same problem appeared a few hours/days after the 
machine was successfully joined to the domain (with reg keys from 
https://wiki.samba.org/index.php/Windows7) and the user was able to use it for 
a while. Then at random intervals, when the user tries to login again, he 
sees the "trust" message and has to type his password 3-5 or more times 
before a successful login.

The setup includes a PDC and a BDC, both running on RHEL (5.5 and 5.6) 64bit 
with samba 3.5.4-0.70.el5_6.1 + LDAP (fedora-ds) for user and computer 
authentication. 20x Win7 machines and 500x WinXP (XP has no problems).

I've read about similar symptoms when Win7 tries to change its machine 
password every 30 days. Therefore some additional regs were added:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
"MaximumPasswordAge"=dword:1000000
and this didn't help. I've compared the machine password values on both 
LDAP servers - they are the same and synchronization is working fine.

In the wild, some people report that this issue is fixed when the 
"lmcompatibilitylevel" is limited to LM and NTLM authentication (NTLMv2 if 
negotiated), but this didn't help either.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:00000001
As I understood from `man 5 smb.conf`, the default Samba behaviour when 
nothing is specified for "client ntlmv2 auth", "client plaintext auth", 
"lanman auth", "client lanman auth" and "ntlm auth" is to enable only 
NTLMv1. Is that correct? Because all Win7s can authenticate even with 
only NTLMv2 enabled?! (It is not the password cache ... I tried with a new 
username which was never used on the workstation before.)

My log options in smb.conf are: log level = 0 auth:10 lanman:10

Here is the log when the user is experiencing the issue:
[2011/06/30 14:31:17.726884,  5] auth/auth_util.c:211(make_user_info_map)
  Mapping user []\[] from workstation [TESTMACHINE]
[2011/06/30 14:31:17.726952,  5] auth/auth_util.c:232(make_user_info_map)
  Mapped domain from [] to [DOMAIN] for user [] from workstation 
[TESTMACHINE]
[2011/06/30 14:31:17.726978,  5] auth/auth_util.c:122(make_user_info)
  attempting to make a user_info for  ()
[2011/06/30 14:31:17.727000,  5] auth/auth_util.c:132(make_user_info)
  making strings for 's user_info struct
[2011/06/30 14:31:17.727021,  5] auth/auth_util.c:164(make_user_info)
  making blobs for 's user_info struct
[2011/06/30 14:31:17.727042, 10] auth/auth_util.c:182(make_user_info)
  made an encrypted user_info for  ()
[2011/06/30 14:31:17.727065,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user 
[]\[]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:17.727090,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[]@[TESTMACHINE]
[2011/06/30 14:31:17.727111, 10] auth/auth.c:228(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2011/06/30 14:31:17.727132, 10] auth/auth.c:230(check_ntlm_password)
  challenge is:
[2011/06/30 14:31:17.767852,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2011/06/30 14:31:17.767920,  5] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  guest authentication for user [] -> [] -> [nobody] 
succeeded
[2011/06/30 14:31:17.767943,  5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2011/06/30 14:31:17.767965, 10] auth/auth_util.c:2123(free_user_info)
  structure was created for
[2011/06/30 14:31:17.772407, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-1-0 to gid, ignoring it
[2011/06/30 14:31:17.773632, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-2 to gid, ignoring it
[2011/06/30 14:31:17.774822, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-32-546 to gid, ignoring it
[2011/06/30 14:31:17.774906, 10] 
auth/token_util.c:531(debug_nt_user_token)
  NT user token of user S-1-5-21-3341649654-3636416974-85384702-501
  contains 5 SIDs
  SID[  0]: S-1-5-21-3341649654-3636416974-85384702-501
  SID[  1]: S-1-1-0
  SID[  2]: S-1-5-2
  SID[  3]: S-1-5-32-546
  SID[  4]: S-1-22-1-99
  SE_PRIV  0x0 0x0 0x0 0x0
[2011/06/30 14:31:17.774996, 10] 
auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 99
  Primary group is 99 and contains 0 supplementary groups
[2011/06/30 14:31:17.785859,  0] 
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting 
auth request from client TESTMACHINE machine account TESTMACHINE$
[2011/06/30 14:31:25.321099,  5] 
auth/auth.c:481(make_auth_context_subsystem)
  Making default auth method list for DC, security=user, encrypt passwords 
= yes

After a few tries we successfully login:
[2011/06/30 14:31:25.322605, 10] auth/auth_util.c:182(make_user_info)
  made an encrypted user_info for TESTMACHINE$ (TESTMACHINE$)
[2011/06/30 14:31:25.322626,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user 
[DOMAIN]\[TESTMACHINE$]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:25.322651,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: 
[DOMAIN]\[TESTMACHINE$]@[TESTMACHINE]
[2011/06/30 14:31:25.322672, 10] auth/auth.c:228(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by NTLMSSP callback 
(NTLM2)
[2011/06/30 14:31:25.322693, 10] auth/auth.c:230(check_ntlm_password)
  challenge is:
[2011/06/30 14:31:25.322717, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2011/06/30 14:31:25.327291,  4] auth/auth_sam.c:180(sam_account_ok)
  sam_account_ok: Checking SMB password for user TESTMACHINE$
[2011/06/30 14:31:25.327439,  5] auth/auth_sam.c:162(logon_hours_ok)
  logon_hours_ok: user TESTMACHINE$ allowed to logon at this time (Thu Jun 
30 11:31:25 2011
  )
[2011/06/30 14:31:25.382399,  5] 
auth/auth_util.c:649(make_server_info_sam)
  make_server_info_sam: made server info for user TESTMACHINE$ -> 
TESTMACHINE$
[2011/06/30 14:31:25.382496,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [TESTMACHINE$] 
succeeded
[2011/06/30 14:31:25.382541,  5] auth/auth.c:291(check_ntlm_password)
  check_ntlm_password:  PAM Account for user [TESTMACHINE$] succeeded
[2011/06/30 14:31:25.382572,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [TESTMACHINE$] -> 
[TESTMACHINE$] -> [TESTMACHINE$] succeeded
[2011/06/30 14:31:25.382643,  5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2011/06/30 14:31:25.382665, 10] auth/auth_util.c:2123(free_user_info)
  structure was created for TESTMACHINE$
[2011/06/30 14:31:25.386736, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-1-0 to gid, ignoring it
[2011/06/30 14:31:25.387737, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-2 to gid, ignoring it
[2011/06/30 14:31:25.388766, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-11 to gid, ignoring it
[2011/06/30 14:31:25.388853, 10] 
auth/token_util.c:531(debug_nt_user_token)
  NT user token of user S-1-5-21-3341649654-3636416974-85384702-67110721
  contains 7 SIDs
  SID[  0]: S-1-5-21-3341649654-3636416974-85384702-67110721
  SID[  1]: S-1-5-21-3341649654-3636416974-85384702-515
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-22-1-7016
  SID[  6]: S-1-22-2-515
  SE_PRIV  0x0 0x0 0x0 0x0
[2011/06/30 14:31:25.388963, 10] 
auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 7016
  Primary group is 515 and contains 1 supplementary groups
  Group[  0]: 515
[2011/06/30 14:31:25.428362,  5] 
auth/auth.c:481(make_auth_context_subsystem)
  Making default auth method list for DC, security=user, encrypt passwords 
= yes
[2011/06/30 14:31:25.428435,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2011/06/30 14:31:25.428461,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2011/06/30 14:31:25.428484,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2011/06/30 14:31:25.428506,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2011/06/30 14:31:25.428527,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match 
winbind:trustdomain
[2011/06/30 14:31:25.428549,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match trustdomain
[2011/06/30 14:31:25.428581,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method trustdomain has a valid init
[2011/06/30 14:31:25.428602,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2011/06/30 14:31:25.428624,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module guest did not want to specify a challenge
[2011/06/30 14:31:25.428645,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module sam did not want to specify a challenge
[2011/06/30 14:31:25.428666,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module winbind did not want to specify a challenge
[2011/06/30 14:31:25.428694,  5] auth/auth.c:132(get_ntlm_challenge)
  auth_context challenge created by random
[2011/06/30 14:31:25.428717,  5] auth/auth.c:133(get_ntlm_challenge)
  challenge is:
[2011/06/30 14:31:25.429072,  5] auth/auth_util.c:211(make_user_info_map)
  Mapping user [DOMAIN]\[dichev] from workstation [TESTMACHINE]
[2011/06/30 14:31:25.429097,  5] auth/auth_util.c:122(make_user_info)
  attempting to make a user_info for dichev (dichev)
[2011/06/30 14:31:25.429119,  5] auth/auth_util.c:132(make_user_info)
  making strings for dichev's user_info struct
[2011/06/30 14:31:25.429141,  5] auth/auth_util.c:164(make_user_info)
  making blobs for dichev's user_info struct
[2011/06/30 14:31:25.429162, 10] auth/auth_util.c:182(make_user_info)
  made an encrypted user_info for dichev (dichev)
[2011/06/30 14:31:25.429184,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user 
[DOMAIN]\[dichev]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:25.429209,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[dichev]@[TESTMACHINE]
[2011/06/30 14:31:25.429265, 10] auth/auth.c:228(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2011/06/30 14:31:25.429287, 10] auth/auth.c:230(check_ntlm_password)
  challenge is:
[2011/06/30 14:31:25.429314, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2011/06/30 14:31:25.431988,  4] auth/auth_sam.c:180(sam_account_ok)
  sam_account_ok: Checking SMB password for user dichev
[2011/06/30 14:31:25.432048,  5] auth/auth_sam.c:162(logon_hours_ok)
  logon_hours_ok: user dichev allowed to logon at this time (Thu Jun 30 
11:31:25 2011)
[2011/06/30 14:31:25.438531,  5] 
auth/auth_util.c:649(make_server_info_sam)
  make_server_info_sam: made server info for user dichev -> dichev
[2011/06/30 14:31:25.438636,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [dichev] succeeded
[2011/06/30 14:31:25.438679,  5] auth/auth.c:291(check_ntlm_password)
  check_ntlm_password:  PAM Account for user [dichev] succeeded
[2011/06/30 14:31:25.438701,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [dichev] -> [dichev] -> 
[dichev] succeeded
[2011/06/30 14:31:25.438726,  5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2011/06/30 14:31:25.438747, 10] auth/auth_util.c:2123(free_user_info)



It seems that in the first (the bad) request the machine does not report 
the domain name and its machine name ... I don't know why.


All ideas appreciated!!

tks

Ivan Dichev
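As an added example (not part of the original mail, and not Samba project code), the following Python script groups Samba debug output such as the log above into records and flags the two events that distinguish the bad request from the good one: an anonymous guest authentication (empty user and domain) and the level-0 `netlogon_creds_server_check failed` rejection of a machine account's secure channel. The sample log is a constructed, unwrapped subset of the lines in the mail; the regular expressions are assumptions based on the message texts shown there, not on the Samba sources.

```python
import re
from dataclasses import dataclass

# A Samba debug record starts with "[timestamp, level] file:line(func)" and
# continues on the indented lines that follow (assumption: this matches the
# "log level = 0 auth:10" output format quoted in the mail).
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*(?P<src>\S+)?"
)

# Message patterns taken from the log text in the mail (assumed stable).
NETLOGON_REJECT_RE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request from client "
    r"(?P<client>\S+) machine account (?P<account>\S+\$)"
)
GUEST_OK_RE = re.compile(r"guest authentication for user \[(?P<user>[^\]]*)\] succeeded")
SAM_OK_RE = re.compile(r"sam authentication for user \[(?P<user>[^\]]+)\] succeeded")

# Constructed sample: a subset of the mail's log with extraction wrapping undone.
SAMPLE_LOG = """\
[2011/06/30 14:31:17.727065,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user []\\[]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:17.767852,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2011/06/30 14:31:17.785859,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client TESTMACHINE machine account TESTMACHINE$
[2011/06/30 14:31:25.382496,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [TESTMACHINE$] succeeded
[2011/06/30 14:31:25.438636,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [dichev] succeeded
"""


@dataclass
class Event:
    ts: str       # Samba timestamp of the record
    kind: str     # classification, see audit_auth_events()
    subject: str  # user or machine account the record is about


def parse_samba_log(text):
    """Split Samba debug output into (header, message) records.

    Continuation lines are joined with single spaces so that a message
    wrapped across lines can still be matched as one string."""
    records, header, body = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                records.append((header, " ".join(body)))
            header, body = m.groupdict(), []
        elif header is not None:
            body.append(line.strip())
    if header is not None:
        records.append((header, " ".join(body)))
    return records


def audit_auth_events(text):
    """Extract the authentication outcomes worth alerting on.

    - netlogon_reject:       a machine account's secure channel was refused
                             (logged at level 0, so visible at the default log level)
    - anonymous_guest_auth:  guest auth succeeded for an empty user name
    - guest_auth:            guest auth succeeded for a named user
    - machine_account_auth:  sam auth succeeded for an account ending in '$'
    - user_auth:             sam auth succeeded for a normal user"""
    events = []
    for hdr, msg in parse_samba_log(text):
        m = NETLOGON_REJECT_RE.search(msg)
        if m:
            events.append(Event(hdr["ts"], "netlogon_reject", m["account"]))
            continue
        m = GUEST_OK_RE.search(msg)
        if m:
            kind = "anonymous_guest_auth" if m["user"] == "" else "guest_auth"
            events.append(Event(hdr["ts"], kind, m["user"]))
            continue
        m = SAM_OK_RE.search(msg)
        if m:
            kind = "machine_account_auth" if m["user"].endswith("$") else "user_auth"
            events.append(Event(hdr["ts"], kind, m["user"]))
    return events


def rejected_machine_accounts(events):
    """Distinct machine accounts whose netlogon credential check was rejected."""
    return sorted({e.subject for e in events if e.kind == "netlogon_reject"})


if __name__ == "__main__":
    for e in audit_auth_events(SAMPLE_LOG):
        print(f"{e.ts}  {e.kind:<22} {e.subject}")
    print("rejected machine accounts:", rejected_machine_accounts(SAMPLE_LOG and audit_auth_events(SAMPLE_LOG)))
```

Run against a full `log.smbd` (or the per-client log) the script lists, per timestamp, which machine accounts had their secure channel rejected and whether an anonymous guest authentication preceded it, which is the sequence visible in the mail's first (bad) request. Because the rejection is emitted at level 0, counting `netlogon_reject` events over time is a cheap way to see whether the trust failures line up with machine password changes without raising the auth debug level on a busy DC.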

