[Samba] Machine trust relationship failed

Mr. Demeanour mrdemeanour at jackpot.uk.net
Tue Nov 21 17:49:08 GMT 2006


Mr. Demeanour wrote:
> Hi,
> 
> I am having trouble joining a Win2K machine to a Samba domain.
> 
> The Win2K machine is patched and up-to-date.

Hmmm - nobody wants to bite on this. I guess my post didn't include the
kind of clues that might cause knowledgeable people's ears to prick up.

Some people seem to post their entire smb.conf, but I've refrained from
doing that because I doubt it would enlighten anyone. I wonder what kind
of diagnostic output might generate a response?

Part of the point of posting a question to a list like this, IME, is
that composing the post entails answering a bunch of questions whose
answers might actually clear up the problem; but in this case that
didn't happen, unfortunately. I've tried two different Win2K Pro
machines, and both of them joined the domain happily enough - and
neither will allow me to add domain users.

I believe the process of joining a domain involves the joined
workstation negotiating and setting a new password on the machine trust
account; I've seen no evidence of this having happened, and this is why
I think that despite appearances, the join has really failed.

Can anyone suggest a procedure for debugging this problem?

In the absence of suggestions here, I think I may have to build a new
PDC machine from scratch, using a passwd backend, and try to migrate to
LDAP from that position - assuming I can get that working. But since I
can't see what's wrong with my existing Samba setup, I can't see why
that procedure should work; it feels rather like pushing buttons
randomly, not at all like a proper diagnostic procedure.
> 
> The Samba machine is running Debian Sarge and Samba 3.0.14a-Debian.
> The passdb-backend is OpenLDAP, but I don't think this is relevant; I
> have tried with tdbsam as well, and had exactly the same results.
> 
> I have been mainly following this guide: 
> http://www.nomis52.net/?section=docs&page=samldap
> 
> The PDC appears to be working; testparm doesn't complain, and says: 
> Server role: ROLE_DOMAIN_PDC
> 
> I have defined Samba 3 Group Mappings using phpldapadmin for admins,
> groups and guests. These are mapped to the well-known RIDs for the
> respective Domain * Windows groups.
> 
> # getent group
> admins:x:2000:
> users:x:2001:
> guests:x:2002:
> ...
> 
> I have defined a samba Administrator user, with a uidNumber of 0 and
> a gidNumber of 2000.
> 
> From the Win2K system I can map a share to a service on the PDC, after
> giving the Administrator userid and password. However I cannot browse
> the server.
> 
> I have an "add machine script" defined as follows in smb.conf:
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> 
> This appears to work; after attempting to add the machine to the
> domain using Network Identification/Properties (and giving the
> credentials for the Administrator user), the new machine appears in
> the proper place in the LDAP directory, with a sambaNTPassword (but
> no userPassword).
> 
> After rebooting the Win2K machine and logging in with local admin 
> credentials, I try to grant login privileges to a domain-user using
> the "Users and Passwords" Control panel applet. This fails with the
> message "The trust relationship between this workstation and the
> primary domain failed."
> 
> The following lines appear in /var/log/samba/[machine-name].log:
> [2006/11/20 13:50:15, 2] smbd/uid.c:change_to_user(202)
>   change_to_user: SMB user  (unix user nobody, vuid 101) not permitted access to share IPC$.
> [2006/11/20 13:50:15, 0] smbd/service.c:make_connection_snum(577)
>   Can't become connected user!
> 
> 
> I don't know what these messages mean.
> 
> The Win2K machine has Local Security Settings as follows:
> Digitally sign server communication (always): Disabled
> Digitally encrypt or sign secure channel data (always): Disabled
> 
> The PDC has these settings in smb.conf:
> client schannel = Auto
> server schannel = Auto
> 
> I suspect that the machine has not been *properly* joined to the
> domain. I have read a few (old) threads in various archives that seem
> to relate to this problem, but they all end in either the policy
> settings I've just mentioned, or they tail away with no resolution.
> 
> Can anyone advise?
> 
> Regards, Jack.
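A parser for the Samba 3 log lines quoted above, added here as an example (it is neither Samba's code nor the poster's): it pairs each `[timestamp, level] file:function(line)` header with its message and lists IPC$ denials whose SMB user name is empty, which is how the quoted entry reads (the session reached IPC$ mapped to unix user nobody rather than as a named account). The third sample entry, the share name `data` and the user `alice` are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Samba 3 debug-log header, e.g. "[2006/11/20 13:50:15, 2] smbd/uid.c:change_to_user(202)".
HEADER_RE = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+), (?P<level>\d+)\] "
                       r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
# Body of the change_to_user denial; the SMB user field may be empty, as in the post.
DENIED_RE = re.compile(r"change_to_user: SMB user\s*(?P<smbuser>[^\s(]*)\s*\(unix user "
                       r"(?P<unixuser>[^,]+), vuid (?P<vuid>\d+)\) not permitted access to share (?P<share>\S+)\.")

@dataclass
class LogEntry:
    timestamp: str
    level: int
    function: str
    message: str

def parse_samba_log(text: str) -> List[LogEntry]:
    """Pair each header line with the indented message line(s) that follow it."""
    entries: List[LogEntry] = []
    current: Optional[LogEntry] = None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw.strip())
        if m:
            current = LogEntry(m["ts"], int(m["level"]), m["func"], "")
            entries.append(current)
        elif current is not None and raw.strip():
            current.message = (current.message + " " + raw.strip()).strip()
    return entries

def find_guest_ipc_denials(entries: List[LogEntry]) -> List[Tuple[str, str, int]]:
    """(timestamp, unix user, vuid) for IPC$ denials whose SMB user name is empty, i.e.
    the session reached the share mapped to the guest account rather than a named one."""
    hits = []
    for e in entries:
        m = DENIED_RE.search(e.message)
        if m and m["share"] == "IPC$" and not m["smbuser"]:
            hits.append((e.timestamp, m["unixuser"], int(m["vuid"])))
    return hits

# Constructed sample: the post's two entries plus a named-user denial on another share (not flagged).
SAMPLE_LOG = """\
[2006/11/20 13:50:15, 2] smbd/uid.c:change_to_user(202)
  change_to_user: SMB user  (unix user nobody, vuid 101) not permitted access to share IPC$.
[2006/11/20 13:50:15, 0] smbd/service.c:make_connection_snum(577)
  Can't become connected user!
[2006/11/20 13:51:02, 2] smbd/uid.c:change_to_user(202)
  change_to_user: SMB user alice (unix user alice, vuid 102) not permitted access to share data.
"""
```

Running `find_guest_ipc_denials(parse_samba_log(SAMPLE_LOG))` over a real machine log tells you at which timestamps and vuids the workstation reached IPC$ without a named SMB user, which is the first thing to correlate with the join attempt.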
