[Samba] PDC: "The trust relationship ... failed" from the beginning

Moray Henderson Moray.Henderson at ict-software.org
Mon Jan 28 03:29:12 MST 2013


> From: Eimac Dude [mailto:eimacdude at aol.com]
> Sent: 24 January 2013 19:43
> To: samba at lists.samba.org
> Subject: [Samba] PDC: "The trust relationship ... failed" from the
> beginning
> 
> Hi,
> 
> When I try a net logon from Windows 7 64-bit Business (don't have any
> other Windows machines), I get "The trust relationship between this
> workstation and the primary domain failed". The discussion I've found
> around the Web regarding this error message seems to be only in the
> context of the 30 day password expiry issue, where the solution is to
> simply rejoin the domain. Unfortunately, I have this problem *always*,
> and rejoining does not help. I have not been able to do a net login at
> all, from the first time I tried. At the same time, there's no problem
> accessing the Samba shares by going to \\SMB in Windows Explorer and
> logging in with the same user accounts.
> 
> # smbstatus
> Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
> 
> The LAN is on 172.16. and the Samba machine is also the LAN's DNS
> server; not using LDAP.
> 
> We had been using Samba for simple file sharing, with no domain
> functionality enabled, and with the Windows machines on the network
> configured as members of the workgroup. We recently decided to set
> Samba as a PDC and support roaming profiles, and have been blocked by
> this trust error.
> 
> I made some changes to smb.conf, which can be seen here:
> http://pastebin.com/raw.php?i=qKvQq3W2
> 
> The profiles directory was chmod 2775 and its group changed from root
> to users. The netlogon directory is 755. Initially, in smb.conf the
> name resolve order was starting with dns, but Windows 7 kept giving me
> an error about not finding the domain when I tried to change from
> workgroup to domain, so I took that out and set wins as the first item
> in the list.
> 
> # cat /etc/samba/smbusers:
> root = administrator Administrator admin
> nobody = guest pcguest smbguest
> 
> I added root to smbpasswd. I also executed the following:
> 
> net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
> net groupmap add ntgroup="Domain Users"  unixgroup=users rid=513 type=d
> net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
> net rpc rights grant -U root "URBASE\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
> 
> The Windows machines are configured as specified on
> wiki.samba.org/index.php/Windows7 (that is, I only edited
> DomainCompatibilityMode and DNSNameResolutionRequired). Changing from
> workgroup to domain and rebooting, then trying to log in with one of
> the SMB users gives me the "The trust relationship between this
> workstation and the primary domain failed" error. I can only log into
> the local machine account. If, instead of changing from workgroup to
> domain directly, I try to use the network ID wizard, it eventually
> leads to the same error when it tries to set up the domain user.
> Looking at /etc/samba/smbpasswd, the machine account shows up there so
> the add machine script seems to be working; however,
> 
> # tail /var/log/samba/log.smbd
> [2013/01/23 14:26:16.350332, 0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client BRIX machine account BRIX$
> [2013/01/23 14:26:16.352562, 0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client BRIX machine account BRIX$
> [2013/01/23 14:37:22.518159, 0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client BRIX machine account BRIX$
> 
> Why is it not working? I don't know how to troubleshoot this. I've
> tried removing the machine from the domain then taking it out of
> smbpasswd and the Unix accounts, and then rejoining, but same errors. I
> tried manually adding the IP address in the Windows machine's WINS
> setting, but it doesn't make a difference.
> 
> One thing I'm unsure of is the DNS suffixes thing which seems to be
> mentioned on some sites in association with this. In the Windows
> clients, under "Append these DNS suffixes (in order)" we've normally
> had as suffix the DNS master zone for the LAN, which is different from
> the domain name in smb.conf -- if that matters at all given joining the
> domain should be using WINS instead of DNS for name resolution. I tried
> adding the domain in there anyway, but it doesn't help.
> 
> Can anyone kindly help? I've asked on a couple of other forums but to
> no avail...
> 
> 

Are the clocks synchronised between the 2 machines?  According to 

http://community.spiceworks.com/topic/170347-trust-relationship-between-this-workstation-and-primary-domain-failed

clock discrepancy can be one cause of this problem.


Moray.
"To err is human; to purr, feline."

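Added example, not part of either message: a Python sketch that extracts the `netlogon_creds_server_check failed` rejections from a `log.smbd` like the one quoted above and summarises them per machine account, so the server-side failure times can be set against the client's clock. The sample log is constructed from the quoted excerpt (kept in its mail-wrapped form), and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three entries from the quoted log.smbd excerpt,
# left line-wrapped exactly as they appear in the e-mail.
SAMPLE_LOG = """\
[2013/01/23 14:26:16.350332, 0]
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562, 0]
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159, 0]
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client BRIX machine account BRIX$
"""

# Every entry starts with "[timestamp, debuglevel]"; the message follows on
# the same or later lines until the next such header.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]", re.M)
REJECT = re.compile(r"netlogon_creds_server_check failed\. "
                    r"Rejecting auth request from client (\S+) machine account (\S+)")

def parse_entries(text):
    """Yield (timestamp, level, message) with wrapped message lines rejoined."""
    heads = list(HEADER.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        ts = datetime.strptime(head.group(1), "%Y/%m/%d %H:%M:%S.%f")
        yield ts, int(head.group(2)), " ".join(text[head.end():end].split())

def summarise_rejections(text):
    """Map machine account -> count, first and last rejected netlogon auth."""
    seen = defaultdict(list)
    for ts, _level, message in parse_entries(text):
        match = REJECT.search(message)
        if match:
            seen[match.group(2)].append(ts)
    return {acct: {"count": len(t), "first": min(t), "last": max(t)}
            for acct, t in seen.items()}

if __name__ == "__main__":
    for acct, s in summarise_rejections(SAMPLE_LOG).items():
        print(f"{acct}: {s['count']} rejections, {s['first']} .. {s['last']}")
```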





