[Samba] Centos 7 Samba3 to Samba4 Migration "Trust Relation Failed"
Alberto Moreno
portsbsd at gmail.com
Tue Apr 18 21:34:49 UTC 2017
Hi.
I'm testing my migration from my PDC running CentOS 5.x Samba3+OpenLDAP
to CentOS 7 Samba4 OpenLDAP 2.4.40.
I have moved all my settings and the server has all my users; in the console I see
all my info.
Now, I connect a test machine that was on the same domain, but I'm getting
the bad message when I try to log in with a domain user:
'The trust relationship between this workstation and the primary domain failed'
This is not good; this domain has about 165 machines.
This is part of my Samba log (machinename.log):
Returning domain sid for domain MYDOMAIN -> S-1-5-21-805595659-1689854870-1539857752
[2017/04/18 11:00:57.397034, 2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
smbldap_open_connection: connection opened
[2017/04/18 11:00:57.398431, 3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2017/04/18 11:00:57.399420, 2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: mbx-c14$
[2017/04/18 11:00:57.403331, 2] ../source3/passdb/pdb_ldap.c:2310(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 515
[2017/04/18 11:00:57.403539, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
User:[mbx-c14$]
[2017/04/18 11:00:57.403605, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
User:[mbx-c14$]
[2017/04/18 11:00:57.403628, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2650(get_user_info_18)
User:[mbx-c14$] 0x80
[2017/04/18 11:00:57.403677, 2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
credentials check failed
[2017/04/18 11:00:57.403683, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
[2017/04/18 11:00:57.404459, 3] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
api_rpcTNP: rpc command: NETR_SERVERREQCHALLENGE
[2017/04/18 11:00:57.405424, 3] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
api_rpcTNP: rpc command: NETR_SERVERAUTHENTICATE3
[2017/04/18 11:00:57.405546, 2] ../source3/rpc_server/samr/srv_samr_nt.c:4004(_samr_LookupDomain)
Returning domain sid for domain MUEBLEX -> S-1-5-21-805595659-1689854870-1539857752
[2017/04/18 11:00:57.406023, 2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: mbx-c14$
[2017/04/18 11:00:57.406626, 2] ../source3/passdb/pdb_ldap.c:2310(init_group_from_ldap)
init_group_from_ldap: Entry found for group: 515
[2017/04/18 11:00:57.406760, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
User:[mbx-c14$]
[2017/04/18 11:00:57.406802, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
User:[mbx-c14$]
[2017/04/18 11:00:57.406824, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2650(get_user_info_18)
User:[mbx-c14$] 0x80
[2017/04/18 11:00:57.406851, 2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
credentials check failed
[2017/04/18 11:00:57.406856, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
[2017/04/18 11:01:10.746704, 3] ../source3/smbd/service.c:1148(close_cnum)
mbx-c14 (ipv4:192.168.2.22:49443) closed connection to service IPC$
[2017/04/18 11:01:10.747766, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
Daemons running: smb,nmb,slapd,winbind
I can query my ldap for my machine:
smbldap-usershow mbx-c14$
dn: uid=mbx-c14$,ou=Computers,dc=mydomain,dc=local
objectClass: top,account,posixAccount,sambaSamAccount
cn: mbx-c14$
uid: mbx-c14$
uidNumber: 1570
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-805595659-1689854870-1539857752-1516
displayName: MBX-C14$
sambaAcctFlags: [W ]
sambaNTPassword: 3082999B924FC4A964DCF7AA0EF1BDDA
sambaPwdLastSet: 1488996103
pdbedit -Lv mbx-c14$
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: mbx-c14$
init_group_from_ldap: Entry found for group: 515
Unix username: mbx-c14$
NT username: mbx-c14$
Account Flags: [W ]
User SID: S-1-5-21-805595659-1689854870-1539857752-1516
Primary Group SID: S-1-5-21-805595659-1689854870-1539857752-515
Full Name: MBX-C14$
Home Directory:
HomeDir Drive:
Logon Script: mbx-c14_.bat
Profile Path:
Domain: MYDOMAIN
Account desc: Computer
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Wed, 08 Mar 2017 10:01:43 PST
Password can change: Wed, 08 Mar 2017 10:01:43 PST
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
My Samba config file didn't change too much; some settings are obsolete.
This is my smb.conf:
[global]
workgroup = MYDOMAIN
server string = PDC Domain
netbios name = MYDOMAINPDC
hosts allow = 192.168.2., 192.168.1., 127., 192.168.20., 192.168.30., 192.168.40., 192.168.50.,
interfaces = enp3s0 lo0
bind interfaces only = Yes
hosts deny = 0.0.0.0
smb ports = 139 445
remote announce = 192.168.2.255
lanman auth = Yes
client lanman auth = Yes
encrypt passwords = yes
passdb backend = ldapsam:ldap://127.0.0.1/
pam password change= Yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
log level = 3
log file = /var/log/samba/%m.log
max log size = 2048
name resolve order = wins bcast hosts lmhost
time server = No
use sendfile = yes
map hidden = No
map system = No
map archive = No
map read only = No
store dos attributes = Yes
Map to Guest = Bad User
load printers = No
printcap name =
cups options =
show add printer wizard = No
add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u
ldap ssl = off
ldap passwd sync = Yes
ldap suffix = dc=mydomain,dc=local
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=mydomain,dc=local
logon script = %U.bat
logon path =
logon path =
logon home =
logon drive =
username map = /etc/samba/usermap
preferred master = Yes
wins support = Yes
winbind nested groups = Yes
ea support = Yes
domain logons = Yes
domain master = Yes
local master = Yes
map acl inherit = Yes
unix charset = UTF8
case sensitive = No
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
Locking = no
[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No
[Public]
comment = Public Folder
path = /opt/public
available = Yes
browseable = Yes
public = Yes
read only = No
guest ok = Yes
writeable = yes
create mode = 0775
directory mode = 0775
admin users = root
I will appreciate any tip, thanks.
--
Living the dream...
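A defender-side check suggested by the log above, added here as an example and not taken from the original post: it parses Samba's two-line log records (a "[timestamp, level] source(function)" header followed by the message, which may be wrapped) and counts netlogon credential-check rejections per client and machine account, so a mass failure after a migration shows up as one summary instead of scattered level-0 lines. The sample log text is constructed from the lines quoted above.

```python
import re
from collections import Counter

# Header line of a Samba log record, e.g.
# "[2017/04/18 11:00:57.403683, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (?P<level>\d+)\] "
    r"(?P<src>\S+\(\w+\))$"
)
# The message _netr_ServerAuthenticate3 logs when the machine account's
# credentials do not match what the DC has stored.
REJECT_RE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request from client "
    r"(?P<client>\S+) machine account (?P<account>\S+\$)"
)

# Constructed sample, modelled on the records in the post.
SAMPLE_LOG = """\
[2017/04/18 11:00:57.403677, 2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
  credentials check failed
[2017/04/18 11:00:57.403683, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
  auth request from client MBX-C14 machine account MBX-C14$
[2017/04/18 11:00:57.406856, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
[2017/04/18 11:01:10.746704, 3] ../source3/smbd/service.c:1148(close_cnum)
  mbx-c14 (ipv4:192.168.2.22:49443) closed connection to service IPC$
"""

def parse_records(text):
    """Return (timestamp, level, source, message) tuples; non-header lines
    are joined onto the current record's message, so wrapped lines survive."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if current:
                records.append(tuple(current))
            current = [m.group("ts"), int(m.group("level")), m.group("src"), ""]
        elif current is not None:
            current[3] = (current[3] + " " + line.strip()).strip()
    if current:
        records.append(tuple(current))
    return records

def rejected_machine_accounts(text):
    """Count netlogon rejections keyed by (client name, machine account)."""
    counts = Counter()
    for _ts, _level, _src, msg in parse_records(text):
        m = REJECT_RE.search(msg)
        if m:
            counts[(m.group("client"), m.group("account"))] += 1
    return counts

if __name__ == "__main__":
    for (client, account), n in rejected_machine_accounts(SAMPLE_LOG).items():
        print(f"{client} ({account}): {n} rejected netlogon auth requests")
```

Run it against the real per-machine log (log file = /var/log/samba/%m.log in the config above) to see which of the 165 machines are affected before touching any of them.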