[Samba] Trust relationship fails after classicupgrade

L.P.H. van Belle belle at bazuin.nl
Tue Apr 14 00:59:47 MDT 2015

Hai Timo, 

To overcome the same problem, im doing the following. 

The old samba 3.4-3.6 based on ldap ( same here debian lenny/squeeze ), im keeping intact.
The new samba 4 AD domain, has (policy based) drive mappings to the old domain. 
Im having 2 domains now, a bit more work, but zero down time.

The new domain has a new domainname, new sid, all is new created, because i just dont want old
references in my new domain. This also save you from "strange" problemens in samba 4. 
And after 8 Years, a new clean domain can be nice.. 

I've exported all my users (without password) and imported them in samba 4.
First time at login, users must set the same password as on the old server.
and now you can map a user to OLDDOMAIN\%username% in the policies to get the shares on the old server.

And now i can change slowly my computers, so everyone is getting a new clean setup.
server and computer profiles, all nicely and clean.. yes more work now, but in the long run, less.
when all users, groups computers, policies etc are done, then im migriting the servers.
in the end, im only migrating 2 server, my file server, and my database server.
these i cant reinstall, all others are clean installed. 

This is just a suggest, and yes for now more work, but it will pay back in the long run.



>-----Oorspronkelijk bericht-----
>Van: rowlandpenny at googlemail.com 
>[mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>Verzonden: maandag 13 april 2015 17:34
>Aan: sambalist
>Onderwerp: Re: [Samba] Trust relationship fails after classicupgrade
>On 13/04/15 16:13, Timo Altun wrote:
>> Thanks Louis, it seems the DNS updates were working even with the 
>> nsswitch.conf I had, but only for machines that I manually joined to 
>> the new AD Domain.
>> I checked the ones I didn't join manually and they aren't proper 
>> members of the domain anymore. If I try to logon with 
>anything but the 
>> last (cached) user account on a Win7 machine I get: "The trust 
>> relationship between this workstation and the primary domain failed".
>> I am unsure what has changed. The classicupgrade worked flawless 
>> regarding the windows machines' domain membership before. I redid it 
>> today, to no avail. Got a new backup from LDAP from the still 
>> productive Samba 3.4.3 PDC (running on Debian Lenny) and redid the 
>> classicupgrade again...still the trust relationship fails.
>> Is there an explanation for this? I tested with a WinXP machine as 
>> well and get the same error.
>> Both the Win7 and WinXP are proper members of the NT-4 
>domain. I made 
>> a backup of the domain from the Debian Lenny, did the classicupgrade 
>> from the backup (on the AD DC to be, a Debian Jessie), 
>switched the IP 
>> adresses of the Win7 and WinXP to the testing environment and they 
>> produce the beforementioned error. Manually joining to them 
>new domain 
>> is no problem.
>> The thing that surprises me most, is that it worked before with this 
>> testing setup.
>> Rowland, regarding the naming conventions for NETBIOS-Domainname and 
>> Kerberos Realm, we will rename them if we have to manually join the 
>> machines to the domain. If it is possible to circumvent 
>that, we'll go 
>> with the dot in the NETBIOS name. We recognize it's not ideal, but 
>> renaming would mean rejoining about a hundred machines and 
>> reestablishing their locally saved user profiles.
>I understand where you are coming from, it is a lot of work to 
>go around 
>and rejoin such a lot of machines, but I just thought that I should 
>point out the possible pitfalls of using a workgroup name with 
>a dot in 
>it. I personally would get about 10-20 machines connected to the AD 
>domain and see how you go, if you have no problems, then 
>great, connect 
>the rest and let us know that it does work. However if it doesn't work 
>and you get problems, you will have less machines to sort out 
>and again, 
>please let us know this and what problems you have had, I will 
>then add 
>something to the wiki.
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list