[Samba] Moving PDC from Fedora to RHEL5 - _net_auth2: creds_server_check failed. Rejecting auth request from client

Paul Furness p.furness at uk.merce.mee.com
Fri Feb 12 11:34:36 MST 2010


Hi,

I'm in need of some help with moving a Samba PDC with LDAP backend from 
Fedora linux to RHEL. The DNS is also running on that server and needs 
to be moved also. The DNS and LDAP migration was simple enough. The new 
server works just fine when using its own DNS and LDAP for 
authentication, and all the users appear to be intact after the LDAP 
import. nss_ldap is working just fine. The new server has the same 
hostname and IP address as the old one (it is, of course, plugged into a 
physically separate, isolated network with no connection to the outside 
or the original network).

However, when I try to migrate samba, it simply doesn't work the way it 
apparently should! However I do it, workstations which work perfectly on 
the old PDC will not authenticate to the new one (I took a Windows XP 
box from the old network, plugged it into the new net, booted up, tried 
to login, and it naturally failed).

I tried setting the ldap password in samba (smbpasswd -w) and starting 
up smb. It appears to start up ok, but then won't recognize any 
workstation trusts (I actually tried a couple of workstations); when I 
attempt to log in to the workstation, it fails to connect to the DC. 
/var/log/messages gives me "_net_auth2: creds_server_check failed. 
Rejecting auth request from client..."

So I stopped Samba, removed all the tdb files from /var/cache/samba and 
/etc/samba. I then copied the tdb files from the running PDC over. 
Again, Samba seems to run perfectly, stating that it's the login 
controller etc. But still I cannot log in to the existing domain accounts.

I checked the SID is the same on the new server - it is. I checked the 
PC account still exists by using finger to check for the linux account, 
and then pdbedit -L to check what samba sees. Again, it all appears fine.

It *may* be possible to re-join the domain with the workstation, but I'm 
fed up with doing that every time I upgrade, and I refuse to accept that 
it's necessary - the network I'm running has about 100 PCs on it, and it 
takes a long time and causes far too much disruption. Surely it MUST be 
possible to get the new samba build to use the authentication 
information generated by the old one?!

I've tried all the different guides I can find, and spent a lot of time 
googling error messages, but nobody seems to have explained the answer 
to the problem, although various people seem to have a variation of it, 
usually caused by trying to migrate Samba from one box to another.

I've encountered almost exactly the same set of problems every time I've 
tried to migrate Samba to a new server - so I freely acknowledge that it 
may be a simple fundamental thing which I don't understand but should 
do. But I don't think it's necessarily software version related - I 
tried moving to a test build using Fedora 12 and got exactly the same 
problems, and that was using newer versions of most of the packages.

I've tried the Samba documentation, google, reading mailing lists, and 
just good old working it out myself, but it still simply doesn't work.

So please, is there someone who can give me a clear and concise answer - 
why is it so hard to do this? Surely all the data is stored in the LDAP 
database, which is perfectly fine. So why won't Samba authenticate the 
trusts?


Version info:

Working PDC:
Fedora 10, kernel 2.6.27
Samba 3.2.15, smbldap-tools 0.9.5
openldap 2.4.12

New PDC (not working):
RHEL 5.4, kernel 2.6.18
Samba 3.0.33, smbldap-tools 0.9.4
openldap 2.3.43


The workstations I tried connecting with were Windows XP (sp3) and 
Windows 7 (just didn't even bother with Vista). The Windows 7 was 
failing on the "working" PDC - would join the domain ok but then not be 
able to get trust after reboot. This is why I started trying this 
migration in the first place.

On the new PDC, the Win7 workstation does exactly what it did before - 
seems to join domain ok, then trust fails.

Any ideas at all would be appreciated.

Thanks,

Paul.




-- 
*Paul Furness BEng(Hons) MBCS*
/Systems Manager/

*MERCE UK*
20, Frederick Sanger Road
The Surrey Research Park
Guildford, Surrey GU2 7YD
/UK Registered Branch BR 003158/
*DDI Telephone: +44 1483 885826*
Tel: +44 1483 885800   Fax: +44 1483 579107
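As an added illustration (not part of Paul's post), here is a small Python script that scans syslog lines for the "_net_auth2: creds_server_check failed" rejection quoted above and groups the rejections by machine account, so that after a PDC migration an administrator can see which workstation trusts are actually being refused rather than guessing from a single login failure. The sample lines are constructed, and the assumption that the message carries "client <name> machine account <name$>" after the quoted text is mine, not taken from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in syslog format. The message text is assumed to
# follow the Samba 3.x "_net_auth2" wording quoted in the post, with the client
# and machine-account fields filled in (assumed format, not copied from the post).
SAMPLE_LOG = """\
Feb 12 10:01:02 pdc smbd[2231]: [2010/02/12 10:01:02, 0] rpc_server/srv_netlog_nt.c:_net_auth2(340)
Feb 12 10:01:02 pdc smbd[2231]:   _net_auth2: creds_server_check failed. Rejecting auth request from client WS01 machine account WS01$
Feb 12 10:01:09 pdc smbd[2232]:   _net_auth2: creds_server_check failed. Rejecting auth request from client WS01 machine account WS01$
Feb 12 10:02:15 pdc smbd[2240]:   _net_auth2: creds_server_check failed. Rejecting auth request from client WS07 machine account WS07$
Feb 12 10:03:00 pdc smbd[2250]: user 'jsmith' logged in
"""

PATTERN = re.compile(
    r"_net_auth2: creds_server_check failed\. Rejecting auth request "
    r"from client (?P<client>\S+) machine account (?P<account>\S+)"
)


def parse_failures(text):
    """Return {machine_account: [client, ...]} for every rejected NetLogon auth."""
    failures = defaultdict(list)
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            failures[m.group("account")].append(m.group("client"))
    return dict(failures)


def summarize(text, threshold=2):
    """Count rejections per machine account. Accounts at or over the threshold
    are reported as likely broken trusts (the stale machine-password symptom
    seen after moving a PDC without its secrets/machine data)."""
    failures = parse_failures(text)
    counts = Counter({acct: len(clients) for acct, clients in failures.items()})
    suspect = sorted(acct for acct, n in counts.items() if n >= threshold)
    return counts, suspect


if __name__ == "__main__":
    counts, suspect = summarize(SAMPLE_LOG)
    for acct, n in counts.most_common():
        print(f"{acct}: {n} rejected auth request(s)")
    print("likely broken trust:", ", ".join(suspect) or "none")
```

Point it at a real /var/log/messages by replacing SAMPLE_LOG with the file contents; the threshold only separates a one-off rejection from a workstation that is refused on every attempt.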

