[Samba] PDC: "The trust relationship ... failed" from the beginning

Eimac Dude eimacdude at aol.com
Thu Jan 24 18:57:24 MST 2013


Brought in a new Windows 7 64-bit machine and that one works... So it 
seems to be a Windows configuration issue, but what other settings could 
possibly cause this authentication failure? The new machine is a recent 
clean install and uses MSE as antivirus, whereas the older workstations 
use AVG and Ad-Aware. But I doubt the antivirus could cause the 
difference. And I don't see any difference in the network configuration 
of the machines. Any suggestions? I can't simply replace all Windows 
clients on our network...

On 1/24/2013 11:43 AM, Eimac Dude wrote:
> Hi,
>
> When I try a net logon from Windows 7 64-bit Business (don't have any 
> other Windows machines), I get "The trust relationship between this 
> workstation and the primary domain failed". The discussion I've found 
> around the Web regarding this error message seems to be only in the 
> context of the 30 day password expiry issue, where the solution is to 
> simply rejoin the domain. Unfortunately, I have this problem *always*, 
> and rejoining does not help. I have not been able to do a net login at 
> all, from the first time I tried. At the same time, there's no problem 
> accessing the Samba shares by going to \\SMB in Windows Explorer and 
> logging in with the same user accounts.
>
> # smbstatus
> Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
>
> The LAN is on 172.16. and the Samba machine is also the LAN's DNS 
> server; not using LDAP.
>
> We had been using Samba for simple file sharing, with no domain 
> functionality enabled, and with the Windows machines on the network 
> configured as members of the workgroup. We recently decided to set 
> Samba as a PDC and support roaming profiles, and have been blocked by 
> this trust error.
>
> I made some changes to smb.conf, which can be seen here: 
> http://pastebin.com/raw.php?i=qKvQq3W2
>
> The profiles directory was chmod 2775 and its group changed from root 
> to users. The netlogon directory is 755. Initially, in smb.conf the 
> name resolve order was starting with dns, but Windows 7 kept giving me 
> an error about not finding the domain when I tried to change from 
> workgroup to domain, so I took that out and set wins as the first item 
> in the list.
>
> # cat /etc/samba/smbusers:
> root = administrator Administrator admin
> nobody = guest pcguest smbguest
>
> I added root to smbpasswd. I also executed the following:
>
> net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
> net groupmap add ntgroup="Domain Users"  unixgroup=users rid=513 type=d
> net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
> net rpc rights grant -U root "URBASE\Domain Admins" 
> SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege 
> SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
>
> The Windows machines are configured as specified on 
> wiki.samba.org/index.php/Windows7 (that is, I only edited 
> DomainCompatibilityMode and DNSNameResolutionRequired). Changing from 
> workgroup to domain and rebooting, then trying to log in with one of 
> the SMB users gives me the "The trust relationship between this 
> workstation and the primary domain failed" error. I can only log into 
> the local machine account. If, instead of changing from workgroup to 
> domain directly, I try to use the network ID wizard, it eventually 
> leads to the same error when it tries to set up the domain user. 
> Looking at /etc/samba/smbpasswd, the machine account shows up there so 
> the add machine script seems to be working; however,
>
> # tail /var/log/samba/log.smbd
> [2013/01/23 14:26:16.350332, 0] 
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
> Rejecting auth request from client BRIX machine account BRIX$
> [2013/01/23 14:26:16.352562, 0] 
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
> Rejecting auth request from client BRIX machine account BRIX$
> [2013/01/23 14:37:22.518159, 0] 
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
> Rejecting auth request from client BRIX machine account BRIX$
>
> Why is it not working? I don't know how to troubleshoot this. I've 
> tried removing the machine from the domain then taking it out of 
> smbpasswd and the Unix accounts, and then rejoining, but same errors. 
> I tried manually adding the IP address in the Windows machine's WINS 
> setting, but it doesn't make a difference.
>
> One thing I'm unsure of is the DNS suffixes thing which seems to be 
> mentioned on some sites in association with this. In the Windows 
> clients, under "Append these DNS suffixes (in order)" we've normally 
> had as suffix the DNS master zone for the LAN, which is different from 
> the domain name in smb.conf -- if that matters at all given joining 
> the domain should be using WINS instead of DNS for name resolution. I 
> tried adding the domain in there anyway, but it doesn't help.
>
> Can anyone kindly help? I've asked on a couple of other forums but to 
> no avail...
>
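
Added example (not part of the original post, and not Samba project code): a small Python parser for the log.smbd excerpt quoted above that groups the `_netr_ServerAuthenticate3` rejections by machine account, showing which workstations are refused and over what period. It accepts both the mail-wrapped layout shown in the post and a layout where the source location follows the header on the same line; the function names and the embedded sample are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed input: the three entries quoted in the post, mail-wrapped as shown there.
SAMPLE_LOG = """\
[2013/01/23 14:26:16.350332, 0]
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562, 0]
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159, 0]
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client BRIX machine account BRIX$
"""

# "[timestamp, level]" opens an entry; text after it or on following lines is its body.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),[^\]]*\]\s*(.*)$")
REJECT = re.compile(r"netlogon_creds_server_check failed\.\s+"
                    r"Rejecting auth request from client (\S+) machine account (\S+)")

def parse_entries(text):
    """Group log lines into entries, joining wrapped continuation lines."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"), "body": m.group(2)})
        elif line and entries:
            entries[-1]["body"] = (entries[-1]["body"] + " " + line).strip()
    return entries

def rejected_machine_accounts(text):
    """Per machine account: rejection count, client names, first and last time seen."""
    hits = {}
    for entry in parse_entries(text):
        m = REJECT.search(entry["body"])
        if m:
            client, account = m.groups()
            hits.setdefault(account, []).append((entry["time"], client))
    return {acct: {"count": len(h), "clients": {c for _, c in h},
                   "first": min(t for t, _ in h), "last": max(t for t, _ in h)}
            for acct, h in hits.items()}

if __name__ == "__main__":
    print(rejected_machine_accounts(SAMPLE_LOG))
```

On a server, pass the contents of /var/log/samba/log.smbd to `rejected_machine_accounts` instead of the embedded sample.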


