[Samba] Moving PDC from Fedora to RHEL5 - _net_auth2: creds_server_check failed. Rejecting auth request from client
Paul Furness
p.furness at uk.merce.mee.com
Fri Feb 12 11:34:36 MST 2010
Hi,
I'm in need of some help with moving a Samba PDC with LDAP backend from
Fedora linux to RHEL. The DNS is also running on that server and needs
to be moved also. The DNS and LDAP migration was simple enough. The new
server works just fine when using it's own DNS and LDAP for
authentication, and all the users appear to be intact after the LDAP
import. nss_ldap is working just fine. The new server has the same
hostname and IP address as the old one (it is, of course, plugged into a
physically separate, isolated network with no connection to the outside
or the original network).
However, when I try to migrate samba, it simply doesn't work the way it
apparently should! However I do it, workstations which work perfectly on
the old PDC will not authenticate to the new one (I took a Windows XP
box from the old network, plugged it into the new net, booted up, tried
to login, and it naturally failed).
I tried setting the ldap password in samba (smbpasswd -w) and starting
up smb. It appears to start up ok, but then won't recognize any
workstation trusts (I actually tried a couple of workstations); when I
attempt to log in to the workstation, it fails to connect to the DC.
/var/log/messages gives me "_net_auth2: creds_server_check failed.
Rejecting auth request from client..."
So I stopped Samba, removed all the tdb files from /var/cache/samba and
/etc/samba. I then copied the tdb files from the running PDC over.
Again, Samba seems to run perfectly, stating that it's the login
controller etc. But still I cannot log in to the existing domain accounts.
I checked the SID is the same on the new server - it is. I checked the
PC account still exists by using finger to check for the linux account,
and then pdbedit -L to check what samba sees. Again, it all appears fine.
It *may* be possible to re-join the domain with the workstation, but I'm
fed up with doing that every time I upgrade, and I refuse to accept that
it's necessary - the network I'm running has about 100 PCs on it, and it
takes a long time and causes far too much disruption. Surely it MUST be
possibly to get the new samba build to use the authentication
information generated by the old one?!
I've tried all the different guides I can find, and spent a lot of time
googling error messages, but nobody seems to have explained the answer
to the problem, although various people seem to have a variation of it,
usually caused by trying to migrate Samba from one box to another.
I've encountered almost exactly the same set of problems every time I've
tried to migrate Samba to a new server - so I freely acknowledge that it
may be a simple fundamental thing which I don't understand but should
do. But I don't think it's necessarily software version related - I
tried moving to a test build using Fedora 12 and got exactly the same
problems, and that was using newer versions of most of the packages.
I've tried the Samba documentation, google, reading mailing lists, and
just good old working it out myself, but it still simply doesn't work.
So please, is there someone who can give me a clear and concise answer -
why is it so hard to do this? Surely all the data is stored in the LDAP
database, which is perfectly fine. So why won't Samba authenticate the
trusts?
Version info:
Working PDC:
Fedora 10, kernel 2.6.27
Samba 3.2.15, smbldap-tools 0.9.5
openldap 2.4.12
New PDC (not working):
RHEL 5.4, kernel 2.6.18
Samba 3.0.33, smbldap-tools 0.9.4
openldap 2.3.43
The workstations I tried connecting with were Windows XP (sp3) and
Windows 7 (just didn't even bother with Vista). The Windows 7 was
failing on the "working" PDC - would join the domain ok but then not be
able to get trust after reboot. This is why I started trying this
migration in the first place.
On the new PDC, the Win7 workstation does exactly what it did before -
seems to join domain ok, then trust fails.
Any ideas at all would be appreciated.
Thanks,
Paul.
--
*Paul Furness BEng(Hons) MBCS*
/Systems Manager/
*MERCE UK*
20, Frederick Sanger Road
The Surrey Research Park
Guildford, Surrey GU2 7YD
/UK Registered Branch BR 003158/
*DDI Telephone: +44 1483 885826*
Tel: +44 1483 885800 Fax: +44 1483 579107
More information about the samba
mailing list