[Samba] net rpc testjoin error

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Dec 23 09:04:40 MST 2011

Not sure if this is related, but I had problems joining or rejoining XP 
or Win 7 machines to the domain after upgrading to Samba 3.5.x.  I have 
a Samba PDC and Samba BDC with an LDAP backend.

The backend unix account would already exist.  I would have to delete 
the samba machine account and then precreate (or preserve) only 2 samba 
LDAP attributes.

Delete the machine account

     #smbpasswd -x -m machinename

Then use an LDAP editor (e.g. Apache Directory Studio), remove any 
remaining samba attributes (if necessary) except sambaPrimaryGroupSID 
and sambaAccountFlags.  If necessary, create sambaPrimaryGroupSID and

         type:      sambaPrimaryGroupSID
         value:    S-1-5-21-XXX-YYY-ZZZZ-515
         type:      sambaAccountFlags
         value:     [W         ]

At this point I could rejoin the domain.  You can also use "smbpasswd -a 
-m machinename" to test this.  After joining the machine to the 
domain, verify the LDAP settings for sambaAccountFlags.  Smbpasswd 
command may have set the sambaAccountFlags to be U (for user) not W (for 
workstation.)  Make sure that pdbedit and LDAP editors may report the 
same thing for sambaAccountFlags.

On 12/23/2011 03:08 AM, L.P.H. van Belle wrote:
> please update, in wheezy samba is upgraded to 3.6.1
> and test again.
> Louis
>> -----Original message-----
>> From: jheim at math.wisc.edu
>> [mailto:samba-bounces at lists.samba.org] On behalf of John G. Heim
>> Sent: 2011-12-22 20:28
>> To: samba at lists.samba.org
>> Subject: [Samba] net rpc testjoin error
>> I have a PDC running debian wheezy with samba 3.5.11. If I run 'net rpc
>> testjoin' on my PDC, it does this:
>> # net rpc testjoin
>> get_schannel_session_key: could not fetch trust account
>> password for domain
>> 'UW-MATH'
>> net_rpc_join_ok: failed to get schannel session key from
>> server HUBBLE for
>> Join to domain 'UW-MATH' is not valid:
>> The backend is openldap and I can find the name of my PDC in the ldap
>> database. It appears to have a valid machine trust account based on the
>> ldap record.
>> The main problem I'm having is that after I joined a Win7 machine to the
>> domain, I can't log in as a domain user. It says "The trust relationship
>> between this workstation and the domain failed."
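
A check for the verification step described in the post above, as an added example that is not part of the original thread: it parses LDIF such as `ldapsearch -LLL` returns and reports machine accounts whose flags lack W or contain U, or whose sambaPrimaryGroupSID does not end in -515. The sample entries, DNs and SIDs are constructed; the Samba LDAP schema names the flags attribute sambaAcctFlags, and the spelling used in the post is accepted as well.

```python
# Constructed sample shaped like `ldapsearch -LLL` output; names and SIDs are made up.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=org
uid: ws01$
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-515
sambaAcctFlags: [W          ]

dn: uid=ws02$,ou=Computers,
 dc=example,dc=org
uid: ws02$
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-513
sambaAcctFlags: [U          ]

dn: uid=alice,ou=People,dc=example,dc=org
uid: alice
"""

# samba.schema names the attribute sambaAcctFlags; the post's spelling is accepted too.
FLAG_ATTRS = ("sambaacctflags", "sambaaccountflags")

def parse_ldif(text):
    """Yield one dict per entry: lower-cased attribute name -> list of values."""
    for block in text.replace("\n ", "").split("\n\n"):  # undo LDIF line folding
        entry = {}
        for line in block.splitlines():
            # "attr:: value" (base64) lines are not decoded and never match a checked name
            if ": " in line and not line.startswith("#"):
                name, value = line.split(": ", 1)
                entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            yield entry

def audit_machine_accounts(ldif_text):
    """Return {uid: [problems]} for machine accounts (uid ending in '$')."""
    findings = {}
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", [""])[0]
        if not uid.endswith("$"):
            continue  # ordinary user, not a machine trust account
        flags = next((entry[a][0] for a in FLAG_ATTRS if a in entry), "")
        sid = entry.get("sambaprimarygroupsid", [""])[0]
        problems = []
        if "W" not in flags:
            problems.append(f"flags {flags!r} lack W (workstation)")
        if "U" in flags:
            problems.append(f"flags {flags!r} contain U (user)")
        if not sid.endswith("-515"):
            problems.append(f"sambaPrimaryGroupSID {sid!r} does not end in -515")
        findings[uid] = problems
    return findings
```

Calling `audit_machine_accounts()` on the LDIF of the computers subtree after a join gives an empty problem list for every account that matches the two attributes the post preserves.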
