[Samba] Trust relationship fails after classicupgrade

Timo Altun olol13.samba at the-1337.org
Wed Apr 15 03:42:37 MDT 2015

Hey Louis,

thanks for the answer! That sounds like a viable route to go. Of course I'd
prefer doing the classicupgrade and having the trust relationship still
intact. It did work this way at some point during testing, that's why I
find it hard to accept that I have to circumvent the problem like this.
Did somebody else lose trust relationships after classicupgrade and found a
way to restore them? I didn't find much information on this on
Google...only advice is to rejoin the machines to the new domain...I know
that works.

Maybe I still have some errors or missing parameters in my configs on the
AD DC? As always, any hints where this problem might originate from are
highly appreciated!

Next I'll probably try to purge all samba from the AD DC and try again.


workgroup = MAYWEG.NET
netbios name = SERVER06
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind,
ntp_signd, kcc, dnsupdate
idmap_ldb:use rfc2307 = yes

path = /var/lib/samba/sysvol/intranet.mayweg.net/scripts
read only = No

path = /var/lib/samba/sysvol
read only = No

default_realm = INTRANET.MAYWEG.NET
dns_lookup_realm = false
dns_lookup_kdc = true

hosts localhost localhost.localdomain server06.intranet.mayweg.net server06 krb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

domain intranet.mayweg.net

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/private/named.conf";

// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
type master;
file "/etc/bind/db.local";

zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";

zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";

zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";

options {
directory "/var/cache/bind";
dnssec-validation no;
auth-nxdomain no;    # conform to RFC1035
listen-on { any; };
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

dlz "AD DNS Zone" {
    # For BIND 9.9.x
 database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

On 14 April 2015 at 08:59, L.P.H. van Belle <belle at bazuin.nl> wrote:

> Hai Timo,
> To overcome the same problem, im doing the following.
> The old samba 3.4-3.6 based on ldap ( same here debian lenny/squeeze ), im
> keeping intact.
> The new samba 4 AD domain, has (policy based) drive mappings to the old
> domain.
> Im having 2 domains now, a bit more work, but zero down time.
> The new domain has a new domainname, new sid, all is new created, because
> i just dont want old
> references in my new domain. This also save you from "strange" problemens
> in samba 4.
> And after 8 Years, a new clean domain can be nice..
> I've exported all my users (without password) and imported them in samba 4.
> First time at login, users must set the same password as on the old server.
> and now you can map a user to OLDDOMAIN\%username% in the policies to get
> the shares on the old server.
> And now i can change slowly my computers, so everyone is getting a new
> clean setup.
> server and computer profiles, all nicely and clean.. yes more work now,
> but in the long run, less.
> when all users, groups computers, policies etc are done, then im migriting
> the servers.
> in the end, im only migrating 2 server, my file server, and my database
> server.
> these i cant reinstall, all others are clean installed.
> This is just a suggest, and yes for now more work, but it will pay back in
> the long run.
> Greetz,
> Louis
> >-----Oorspronkelijk bericht-----
> >Van: rowlandpenny at googlemail.com
> >[mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
> >Verzonden: maandag 13 april 2015 17:34
> >Aan: sambalist
> >Onderwerp: Re: [Samba] Trust relationship fails after classicupgrade
> >
> >On 13/04/15 16:13, Timo Altun wrote:
> >> Thanks Louis, it seems the DNS updates were working even with the
> >> nsswitch.conf I had, but only for machines that I manually joined to
> >> the new AD Domain.
> >>
> >> I checked the ones I didn't join manually and they aren't proper
> >> members of the domain anymore. If I try to logon with
> >anything but the
> >> last (cached) user account on a Win7 machine I get: "The trust
> >> relationship between this workstation and the primary domain failed".
> >>
> >> I am unsure what has changed. The classicupgrade worked flawless
> >> regarding the windows machines' domain membership before. I redid it
> >> today, to no avail. Got a new backup from LDAP from the still
> >> productive Samba 3.4.3 PDC (running on Debian Lenny) and redid the
> >> classicupgrade again...still the trust relationship fails.
> >>
> >> Is there an explanation for this? I tested with a WinXP machine as
> >> well and get the same error.
> >> Both the Win7 and WinXP are proper members of the NT-4
> >domain. I made
> >> a backup of the domain from the Debian Lenny, did the classicupgrade
> >> from the backup (on the AD DC to be, a Debian Jessie),
> >switched the IP
> >> adresses of the Win7 and WinXP to the testing environment and they
> >> produce the beforementioned error. Manually joining to them
> >new domain
> >> is no problem.
> >>
> >> The thing that surprises me most, is that it worked before with this
> >> testing setup.
> >>
> >> Rowland, regarding the naming conventions for NETBIOS-Domainname and
> >> Kerberos Realm, we will rename them if we have to manually join the
> >> machines to the domain. If it is possible to circumvent
> >that, we'll go
> >> with the dot in the NETBIOS name. We recognize it's not ideal, but
> >> renaming would mean rejoining about a hundred machines and
> >> reestablishing their locally saved user profiles.
> >>
> >
> >I understand where you are coming from, it is a lot of work to
> >go around
> >and rejoin such a lot of machines, but I just thought that I should
> >point out the possible pitfalls of using a workgroup name with
> >a dot in
> >it. I personally would get about 10-20 machines connected to the AD
> >domain and see how you go, if you have no problems, then
> >great, connect
> >the rest and let us know that it does work. However if it doesn't work
> >and you get problems, you will have less machines to sort out
> >and again,
> >please let us know this and what problems you have had, I will
> >then add
> >something to the wiki.
> >
> >Rowland
> >--
> >To unsubscribe from this list go to the following URL and read the
> >instructions:  https://lists.samba.org/mailman/options/samba
> >
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list