[Samba] Machine account being rejected

Ciaran Costelloe ccostelloe at flogas.ie
Sun Jan 3 22:01:28 UTC 2016


I have been running Samba at home as a fileserver for a long time and I 
have now been changing it to a PDC (later I want to try switching it to 
an AD server as a learning experience prior to doing the same on a 
server in work, which is already a PDC). I have got it to the point that 
it logs onto the user account but not the machine account.

The local machine is called asus, the user account asususer, and the 
domain is lunar.

I set up the user account asususer on the Samba server. I was able to 
join the domain via the Computer properties & the Change button, and got 
the expected “Welcome to LUNAR” message. This created the asus$ machine 
account (in the “users” group).

If I try to log on to the domain from a Windows 7 PC as LUNAR\aceruser, 
I get the following error (note that the machine account asus$ is set up):

The trust relationship between the workstation and the primary domain 
failed.

…and the samba log shows:

[2016/01/03 15:46:17, 2] lib/access.c:check_access(323)

Allowed connection from(192.168.1.2)

[2016/01/03 15:46:17, 2] libsmb/credentials.c:creds_server_check(220)

creds_server_check: credentials check failed.

[2016/01/03 15:46:17, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)

_net_auth2: creds_server_check failed. Rejecting auth request from 
client ASUS machine account ASUS$

[2016/01/03 15:46:17, 2] libsmb/credentials.c:creds_server_check(220)

creds_server_check: credentials check failed.

[2016/01/03 15:46:17, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)

_net_auth2: creds_server_check failed. Rejecting auth request from 
client ASUS machine account ASUS$

[2016/01/03 15:46:32, 0] lib/util_sock.c:read_data(540)

read_data: read failure for 4 bytes to client 192.168.1.2. Error = 
Connection reset by peer

If I then log on locally as ASUS\asususer, the computer does seem to log 
on to the user account asususer on samba even though the machine account 
seems to be rejected: I have access to my samba home directory as well 
as the other shares without getting prompted for a password. The Samba 
log shows:

[2016/01/03 15:37:56, 2] lib/access.c:check_access(323)

Allowed connection from(192.168.1.2)

[2016/01/03 15:38:08, 0] lib/util_sock.c:read_data(540)

read_data: read failure for 4 bytes to client 192.168.1.2. Error = 
Connection reset by peer

[2016/01/03 15:38:28, 2] auth/auth.c:check_ntlm_password(309)

check_ntlm_password:authentication for user [asususer] -> [asususer] -> 
[asususer] succeeded

Any ideas on what I am doing wrong?

Note: During this conversion to a PDC, I had hit a few problems getting 
it to this point. The server in work is running Ubuntu and I was using it 
as a reference as much as I could (I know Ubuntu and CentOS do some 
things differently). After doing a lot of reading, I had done the 
following, which may not be right:

1) I originally tried setting up the machine account on the server, but 
was getting an error like “…home directory already exists…did not copy 
files from /skel”. I never found out what this problem was so I just 
deleted this machine account and relied on Samba creating it 
automatically when I would join the domain from a Windows computer (I 
uncommented the lines in smb.conf for creating accounts and groups).

2) I had read that Samba may not like the way CentOS creates a group 
with the same name as the user when creating an account, so after 
creating asususer on the server I renamed its group to asususergrp.

3) I initially had “Access is denied” errors when attempting to get the 
computer to join the domain: the samba log had 
“check_ntlm_password:Authentication for user [root] -> [root] FAILED 
with error NT_STATUS_NO_SUCH_USER”. I added root to the domadm group 
(mapped to Domain Administrators) and did “smbpasswd -a root” and that 
problem seemed to go away.

4) samba version from smbstatus is 3.0.33-3.40.el5_10

If you read this far, thanks!

Ciaran
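
An added example, not part of the original post: a small Python triage script for the Samba log format quoted above. It rejoins wrapped message lines, then counts machine accounts rejected in _net_auth_2 alongside users whose NTLM authentication succeeded; the function names and regular expressions are this example's own.

```python
import re
from collections import Counter

# Samba 3.0 entry header as quoted in the post: [date time, level] file:function(line)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+?):(?P<func>\w+)\(\d+\)$")
REJECT = re.compile(r"Rejecting auth request from client (\S+) machine account (\S+)")
NTLM_OK = re.compile(r"authentication for user \[([^\]]+)\].*succeeded")

# Sample input: lines copied from the log excerpts in the post above.
SAMPLE = """\
[2016/01/03 15:46:17, 2] libsmb/credentials.c:creds_server_check(220)
creds_server_check: credentials check failed.
[2016/01/03 15:46:17, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478)
_net_auth2: creds_server_check failed. Rejecting auth request from
client ASUS machine account ASUS$
[2016/01/03 15:38:28, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password:authentication for user [asususer] -> [asususer] ->
[asususer] succeeded
"""


def parse_entries(text):
    """Pair each header with its message, rejoining wrapped message lines."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {**m.groupdict(), "msg": ""}
            entries.append(current)
        elif line and current is not None:  # skip blank lines between entries
            current["msg"] = (current["msg"] + " " + line).strip()
    return entries


def summarize(entries):
    """Return (rejected machine accounts, users that passed NTLM) as Counters."""
    rejected, ntlm_ok = Counter(), Counter()
    for e in entries:
        if e["func"] == "_net_auth_2" and (m := REJECT.search(e["msg"])):
            rejected[m.group(2)] += 1
        elif e["func"] == "check_ntlm_password" and (m := NTLM_OK.search(e["msg"])):
            ntlm_ok[m.group(1)] += 1
    return rejected, ntlm_ok


if __name__ == "__main__":
    print(summarize(parse_entries(SAMPLE)))
```

A client whose machine account appears in the first counter while its users appear in the second matches the situation described in the post: the NETLOGON credential check fails while user-level authentication to shares succeeds.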

