[Samba] The trust relationship between this workstation and the primary domain failed. (After SAMBA upgrade)

Oliver R. samba at solar-imperium.com
Sun Mar 11 07:57:45 MDT 2012


Hi folks

I am writing to this list because Google was unable to provide me with a 
solution for my problem
(neither did the samba list archives, as far as I can see).

I know that the topic "The trust relationship between this workstation 
and the primary domain failed."
is not unknown and a lot of people are suffering from it but I have the 
feeling that my problem is
different. I am not using SAMBA as DC and try to join Windows 7 to it; 
but let me explain.

I had a working configuration which looked as follows:

- Windows 2008 R2 SP1 Domain Controller (Forest functional Level 2008 
R2; so highest possible)
    (DNS Server, Global Catalog etc. It is only this ONE DC)

- Windows 7 Workstation as a domain member of this domain (Works great; 
no Problems)

- SAMBA 3.x running on Fedora 13 (+ updates so not the newest 
SAMBA3.5/3.6 releases but somewhere
    in the 3.1 - 3.3 releases)

The SAMBA Box was joined to the domain and some directories on the 
Fedora box were shared.
I was able to access them from my Windows 7 Box without any problems. So 
SAMBA was a perfect
ADS member.

Everything was running fine until ..................... I decided to 
upgrade (reinstall) my box with Fedora 16

The Fedora Box now has the newest SAMBA release 
(samba-3.6.3-78.fc16.i686) installed.
I reconfigured SAMBA by

- re-created the same users with the same uid/gid on the box
- configuring DNS as it was before
- copied back /etc/krb5.conf
- copied back /etc/samba/smb.conf and /etc/samba/smbusers
   (Basically I used the new smb.conf and replaced the necessary 
information.
    I have an include file ads.conf for my ADS configuration which I 
inject into smb.conf.
    So no typos or missing something)
- Did a: kinit Administrator@MYDOMAIN.COM  (successful)
- Did a: net ads join -U Administrator (successful)
- Did a: net ads testjoin (-> Join is OK)
- Did a: smbclient \\\\mydc\\myshare -U Administrator (could access the 
share)
    (OK. smbclient does not use the local Samba-Daemon but directly 
connects to the DC.
     So not really a test)

So everything was as it was before with the exception that when I try to 
access the SAMBA box
from my Windows 7 Box I get:

- The trust relationship between this workstation and the primary domain 
failed.
- /var/log/samba/log.win7box shows error messages:

[2012/03/11 13:33:07.281548,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
   cli_rpc_pipe_open_schannel: failed to get schannel session key from server MYDC.MYDOMAIN.COM for domain MYDOMAIN.
[2012/03/11 13:33:07.281867,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
   connect_to_domain_password_server: unable to open the domain client session to machine MYDC.MYDOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2012/03/11 13:33:07.284289,  0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
   cli_rpc_pipe_open_schannel: failed to get schannel session key from server MYDC.MYDOMAIN.COM for domain MYDOMAIN.
[2012/03/11 13:33:07.284665,  0] auth/auth_domain.c:193(connect_to_domain_password_server)
   connect_to_domain_password_server: unable to open the domain client session to machine MYDC.MYDOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2012/03/11 13:33:07.285166,  0] auth/auth_domain.c:292(domain_client_validate)
   domain_client_validate: Domain password server not available.

When I do a Wireshark trace on the Linux system I see the SAMBA Daemon 
communicates with
my domain Controller (MYDC) and gets some errors (when accessing the 
SAMBA Box from Win 7).

No.     Time        Source                Destination           Protocol Info
   9245 45.548203   192.168.1.131         192.168.1.3           SMB      Negotiate Protocol Request
   9247 45.584079   192.168.1.3           192.168.1.131         SMB      Negotiate Protocol Response
   9248 45.690020   192.168.1.131         192.168.1.3           SMB      Session Setup AndX Request, NTLMSSP_NEGOTIATE
   9249 45.690874   192.168.1.3           192.168.1.131         SMB      Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
   9250 45.691254   192.168.1.131         192.168.1.3           SMB      Session Setup AndX Request, NTLMSSP_AUTH, User: MYDOMAIN\Snoopy
   9257 45.760270   192.168.1.3           192.168.1.4           SMB      Negotiate Protocol Request
   9258 45.760989   192.168.1.4           192.168.1.3           SMB      Negotiate Protocol Response
   9260 45.761266   192.168.1.3           192.168.1.4           SMB      Session Setup AndX Request, User: anonymous
   9261 45.761586   192.168.1.4           192.168.1.3           SMB      Session Setup AndX Response
   9262 45.763317   192.168.1.3           192.168.1.4           SMB      Tree Connect AndX Request, Path: \\MYDC.MYDOMAIN.COM\IPC$
   9264 45.763683   192.168.1.4           192.168.1.3           SMB      Tree Connect AndX Response
   9265 45.763883   192.168.1.3           192.168.1.4           SMB      NT Create AndX Request, Path: \lsarpc
   9266 45.764134   192.168.1.4           192.168.1.3           SMB      NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
   9268 45.764254   192.168.1.3           192.168.1.4           SMB      Tree Disconnect Request
   9269 45.764481   192.168.1.4           192.168.1.3           SMB      Tree Disconnect Response
   9278 45.775245   192.168.1.3           192.168.1.4           SMB      Negotiate Protocol Request
   9279 45.775662   192.168.1.4           192.168.1.3           SMB      Negotiate Protocol Response
   9281 45.775863   192.168.1.3           192.168.1.4           SMB      Session Setup AndX Request, User: anonymous
   9282 45.776115   192.168.1.4           192.168.1.3           SMB      Session Setup AndX Response
   9283 45.776662   192.168.1.3           192.168.1.4           SMB      Tree Connect AndX Request, Path: \\MYDC.MYDOMAIN.COM\IPC$
   9284 45.776921   192.168.1.4           192.168.1.3           SMB      Tree Connect AndX Response
   9285 45.777358   192.168.1.3           192.168.1.4           SMB      NT Create AndX Request, Path: \netlogon
   9286 45.777620   192.168.1.4           192.168.1.3           SMB      NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
   9287 45.780066   192.168.1.3           192.168.1.4           SMB      Tree Disconnect Request
   9288 45.780314   192.168.1.4           192.168.1.3           SMB      Tree Disconnect Response
   9295 45.782302   192.168.1.3           192.168.1.4           SMB      Negotiate Protocol Request
   9296 45.782708   192.168.1.4           192.168.1.3           SMB      Negotiate Protocol Response
   9298 45.783294   192.168.1.3           192.168.1.4           SMB      Session Setup AndX Request, User: anonymous
   9299 45.783603   192.168.1.4           192.168.1.3           SMB      Session Setup AndX Response
   9300 45.784193   192.168.1.3           192.168.1.4           SMB      Tree Connect AndX Request, Path: \\MYDC.MYDOMAIN.COM\IPC$
   9301 45.784452   192.168.1.4           192.168.1.3           SMB      Tree Connect AndX Response
   9302 45.784908   192.168.1.3           192.168.1.4           SMB      NT Create AndX Request, Path: \netlogon
   9303 45.785159   192.168.1.4           192.168.1.3           SMB      NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
   9304 45.787376   192.168.1.3           192.168.1.4           SMB      Tree Disconnect Request
   9305 45.787612   192.168.1.4           192.168.1.3           SMB      Tree Disconnect Response
   9312 45.789331   192.168.1.3           192.168.1.4           SMB      Negotiate Protocol Request
   9313 45.789745   192.168.1.4           192.168.1.3           SMB      Negotiate Protocol Response
   9315 45.790343   192.168.1.3           192.168.1.4           SMB      Session Setup AndX Request, User: anonymous
   9316 45.790639   192.168.1.4           192.168.1.3           SMB      Session Setup AndX Response
   9317 45.790780   192.168.1.3           192.168.1.4           SMB      Tree Connect AndX Request, Path: \\MYDC.MYDOMAIN.COM\IPC$
   9318 45.791088   192.168.1.4           192.168.1.3           SMB      Tree Connect AndX Response
   9319 45.791217   192.168.1.3           192.168.1.4           SMB      NT Create AndX Request, Path: \netlogon
   9320 45.791736   192.168.1.4           192.168.1.3           SMB      NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
   9321 45.792332   192.168.1.3           192.168.1.4           SMB      Tree Disconnect Request
   9322 45.792591   192.168.1.4           192.168.1.3           SMB      Tree Disconnect Response
   9326 45.793451   192.168.1.3           192.168.1.131         SMB      Session Setup AndX Response, Error: STATUS_TRUSTED_RELATIONSHIP_FAILURE
   9327 45.794087   192.168.1.131         192.168.1.3           SMB      Session Setup AndX Request, NTLMSSP_NEGOTIATE
   9329 45.794328   192.168.1.3           192.168.1.131         SMB      Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
   9330 45.794581   192.168.1.131         192.168.1.3           SMB      Session Setup AndX Request, NTLMSSP_AUTH, User: MYDOMAIN\Snoopy

I have no idea why my configuration is not working anymore on the new 
SAMBA version. There must have been
some changes in a later SAMBA release which prevents proper 
communication between the SAMBA box and my Windows 2008 R2 DC.
I did not do anything to my Windows Domain and everything was working 
fine before the Fedora upgrade.

Any ideas how to solve this?

Regards,
Oliver
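
An added example (not part of the original post, and not Samba project code): a small Python triage script that reads Wireshark one-line packet summaries like the trace above and reports which named-pipe opens the DC refused and under which session user, plus the failure relayed back to the client. The sample rows are excerpted from the trace and re-joined to one packet per line; the function names are hypothetical.

```python
import re
from collections import namedtuple

# Rows excerpted from the post's trace (.3 = Samba member, .4 = DC, .131 = Windows 7 client), one packet per line.
SAMPLE = r"""
 9260 45.761266 192.168.1.3 192.168.1.4 SMB Session Setup AndX Request, User: anonymous
 9261 45.761586 192.168.1.4 192.168.1.3 SMB Session Setup AndX Response
 9265 45.763883 192.168.1.3 192.168.1.4 SMB NT Create AndX Request, Path: \lsarpc
 9266 45.764134 192.168.1.4 192.168.1.3 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
 9281 45.775863 192.168.1.3 192.168.1.4 SMB Session Setup AndX Request, User: anonymous
 9285 45.777358 192.168.1.3 192.168.1.4 SMB NT Create AndX Request, Path: \netlogon
 9286 45.777620 192.168.1.4 192.168.1.3 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
 9326 45.793451 192.168.1.3 192.168.1.131 SMB Session Setup AndX Response, Error: STATUS_TRUSTED_RELATIONSHIP_FAILURE
"""

ROW = re.compile(r"^\s*(\d+)\s+[\d.]+\s+(\S+)\s+(\S+)\s+SMB\s+(.*)$")
Denied = namedtuple("Denied", "frame client server user pipe status")

def denied_pipe_opens(text):
    """Return pipe opens the server refused, with the session user in effect."""
    user, pending, found = {}, {}, []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        frame, src, dst, info = int(m[1]), m[2], m[3], m[4]
        if (u := re.match(r"Session Setup AndX Request.*User: (\S+)", info)):
            user[(src, dst)] = u[1]          # last user seen for this host pair
        elif (p := re.match(r"NT Create AndX Request, Path: (\S+)", info)):
            pending[(src, dst)] = p[1]       # pipe open awaiting its response
        elif (e := re.match(r"NT Create AndX Response.*Error: (\S+)", info)):
            key = (dst, src)                 # the response travels server -> client
            if key in pending:
                found.append(Denied(frame, dst, src, user.get(key, "?"),
                                    pending.pop(key), e[1]))
    return found

def relayed_failures(text):
    """Session Setup errors other than the normal NTLMSSP continuation status."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line)
        e = m and re.match(r"Session Setup AndX Response.*Error: (\S+)", m[4])
        if e and e[1] != "STATUS_MORE_PROCESSING_REQUIRED":
            out.append((int(m[1]), m[2], m[3], e[1]))
    return out

if __name__ == "__main__":
    print(denied_pipe_opens(SAMPLE), relayed_failures(SAMPLE), sep="\n")
```

Host pairs are keyed by IP address only, because the summary view carries no port numbers; this is sufficient when, as in the trace above, the connections run one after another.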









