[Samba] Trust relationship fails after classicupgrade

Rowland Penny rowlandpenny at googlemail.com
Mon Apr 13 09:33:55 MDT 2015 

On 13/04/15 16:13, Timo Altun wrote:
> Thanks Louis, it seems the DNS updates were working even with the 
> nsswitch.conf I had, but only for machines that I manually joined to 
> the new AD Domain.
>
> I checked the ones I didn't join manually and they aren't proper 
> members of the domain anymore. If I try to logon with anything but the 
> last (cached) user account on a Win7 machine I get: "The trust 
> relationship between this workstation and the primary domain failed".
>
> I am unsure what has changed. The classicupgrade worked flawless 
> regarding the windows machines' domain membership before. I redid it 
> today, to no avail. Got a new backup from LDAP from the still 
> productive Samba 3.4.3 PDC (running on Debian Lenny) and redid the 
> classicupgrade again...still the trust relationship fails.
>
> Is there an explanation for this? I tested with a WinXP machine as 
> well and get the same error.
> Both the Win7 and WinXP are proper members of the NT-4 domain. I made 
> a backup of the domain from the Debian Lenny, did the classicupgrade 
> from the backup (on the AD DC to be, a Debian Jessie), switched the IP 
> adresses of the Win7 and WinXP to the testing environment and they 
> produce the beforementioned error. Manually joining to them new domain 
> is no problem.
>
> The thing that surprises me most, is that it worked before with this 
> testing setup.
>
> Rowland, regarding the naming conventions for NETBIOS-Domainname and 
> Kerberos Realm, we will rename them if we have to manually join the 
> machines to the domain. If it is possible to circumvent that, we'll go 
> with the dot in the NETBIOS name. We recognize it's not ideal, but 
> renaming would mean rejoining about a hundred machines and 
> reestablishing their locally saved user profiles.
>

I understand where you are coming from, it is a lot of work to go around 
and rejoin such a lot of machines, but I just thought that I should 
point out the possible pitfalls of using a workgroup name with a dot in 
it. I personally would get about 10-20 machines connected to the AD 
domain and see how you go, if you have no problems, then great, connect 
the rest and let us know that it does work. However if it doesn't work 
and you get problems, you will have less machines to sort out and again, 
please let us know this and what problems you have had, I will then add 
something to the wiki.

Rowland

More information about the samba mailing list