[Samba] Centos 7 Samba3 to Samba4 Migration "Trust Relation Failed"
Alberto Moreno
portsbsd at gmail.com
Thu Apr 20 04:11:14 UTC 2017
Any comment about this issue?
:-(
On Tue, Apr 18, 2017 at 2:34 PM, Alberto Moreno <portsbsd at gmail.com> wrote:
>
> Hi.
>
> I'm testing my migration from my PDC running CentOS 5.x Samba3+OpenLDAP
> to CentOS 7 Samba4 OpenLDAP 2.4.40.
>
> I have moved all my settings and the server has all my users; in the console
> I see all my info.
>
> Now I connect a test machine that was on the same domain, but I'm getting
> this bad message when I try to log in with a domain user:
>
> 'The trust relation between this workstation and the primary domain failed'
>
> This is not good; this domain has about 165 machines.
>
> This is part of my Samba log (machinename.log):
>
> Returning domain sid for domain MYDOMAIN -> S-1-5-21-805595659-1689854870-1539857752
> [2017/04/18 11:00:57.397034, 2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
> smbldap_open_connection: connection opened
> [2017/04/18 11:00:57.398431, 3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
> ldap_connect_system: successful connection to the LDAP server
> [2017/04/18 11:00:57.399420, 2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
> init_sam_from_ldap: Entry found for user: mbx-c14$
> [2017/04/18 11:00:57.403331, 2] ../source3/passdb/pdb_ldap.c:2310(init_group_from_ldap)
> init_group_from_ldap: Entry found for group: 515
> [2017/04/18 11:00:57.403539, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
> User:[mbx-c14$]
> [2017/04/18 11:00:57.403605, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
> User:[mbx-c14$]
> [2017/04/18 11:00:57.403628, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2650(get_user_info_18)
> User:[mbx-c14$] 0x80
> [2017/04/18 11:00:57.403677, 2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
> credentials check failed
> [2017/04/18 11:00:57.403683, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
> [2017/04/18 11:00:57.404459, 3] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
> api_rpcTNP: rpc command: NETR_SERVERREQCHALLENGE
> [2017/04/18 11:00:57.405424, 3] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
> api_rpcTNP: rpc command: NETR_SERVERAUTHENTICATE3
> [2017/04/18 11:00:57.405546, 2] ../source3/rpc_server/samr/srv_samr_nt.c:4004(_samr_LookupDomain)
> Returning domain sid for domain MUEBLEX -> S-1-5-21-805595659-1689854870-1539857752
> [2017/04/18 11:00:57.406023, 2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
> init_sam_from_ldap: Entry found for user: mbx-c14$
> [2017/04/18 11:00:57.406626, 2] ../source3/passdb/pdb_ldap.c:2310(init_group_from_ldap)
> init_group_from_ldap: Entry found for group: 515
> [2017/04/18 11:00:57.406760, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
> User:[mbx-c14$]
> [2017/04/18 11:00:57.406802, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
> User:[mbx-c14$]
> [2017/04/18 11:00:57.406824, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2650(get_user_info_18)
> User:[mbx-c14$] 0x80
> [2017/04/18 11:00:57.406851, 2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
> credentials check failed
> [2017/04/18 11:00:57.406856, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
> [2017/04/18 11:01:10.746704, 3] ../source3/smbd/service.c:1148(close_cnum)
> mbx-c14 (ipv4:192.168.2.22:49443) closed connection to service IPC$
> [2017/04/18 11:01:10.747766, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
>
> Daemons running: smb,nmb,slapd,winbind
>
> I can query my ldap for my machine:
>
> smbldap-usershow mbx-c14$
> dn: uid=mbx-c14$,ou=Computers,dc=mydomain,dc=local
> objectClass: top,account,posixAccount,sambaSamAccount
> cn: mbx-c14$
> uid: mbx-c14$
> uidNumber: 1570
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> sambaSID: S-1-5-21-805595659-1689854870-1539857752-1516
> displayName: MBX-C14$
> sambaAcctFlags: [W ]
> sambaNTPassword: 3082999B924FC4A964DCF7AA0EF1BDDA
> sambaPwdLastSet: 1488996103
>
>
> pdbedit -Lv mbx-c14$
> No builtin backend found, trying to load plugin
> Module 'ldapsam' loaded
> smbldap_search_domain_info: Searching for:[(&(objectClass=
> sambaDomain)(sambaDomainName=MYDOMAIN))]
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> init_sam_from_ldap: Entry found for user: mbx-c14$
> init_group_from_ldap: Entry found for group: 515
> Unix username: mbx-c14$
> NT username: mbx-c14$
> Account Flags: [W ]
> User SID: S-1-5-21-805595659-1689854870-1539857752-1516
> Primary Group SID: S-1-5-21-805595659-1689854870-1539857752-515
> Full Name: MBX-C14$
> Home Directory:
> HomeDir Drive:
> Logon Script: mbx-c14_.bat
> Profile Path:
> Domain: MYDOMAIN
> Account desc: Computer
> Workstations:
> Munged dial:
> Logon time: 0
> Logoff time: never
> Kickoff time: never
> Password last set: Wed, 08 Mar 2017 10:01:43 PST
> Password can change: Wed, 08 Mar 2017 10:01:43 PST
> Password must change: never
> Last bad password : 0
> Bad password count : 0
> Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
> My Samba config file didn't change too much; some settings are obsolete.
>
> This is my smb.conf:
>
> [global]
> workgroup = MYDOMAIN
> server string = PDC Domain
> netbios name = MYDOMAINPDC
> hosts allow = 192.168.2., 192.168.1., 127., 192.168.20., 192.168.30., 192.168.40., 192.168.50.,
> interfaces = enp3s0 lo0
> bind interfaces only = Yes
> hosts deny = 0.0.0.0
> smb ports = 139 445
> remote announce = 192.168.2.255
> lanman auth = Yes
> client lanman auth = Yes
> encrypt passwords = yes
> passdb backend = ldapsam:ldap://127.0.0.1/
> pam password change= Yes
> passwd program = /usr/bin/passwd %u
> passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn * passwd:*all*authentication*tokens*updated*successfully*
> unix password sync = Yes
> log level = 3
> log file = /var/log/samba/%m.log
> max log size = 2048
> name resolve order = wins bcast hosts lmhost
> time server = No
> use sendfile = yes
> map hidden = No
> map system = No
> map archive = No
> map read only = No
> store dos attributes = Yes
> Map to Guest = Bad User
> load printers = No
> printcap name =
> cups options =
> show add printer wizard = No
> add user script = /usr/sbin/smbldap-useradd -m %u
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p %g
> delete group script = /usr/sbin/smbldap-groupdel %g
> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
> add machine script = /usr/sbin/smbldap-useradd -w %u
> ldap ssl = off
> ldap passwd sync = Yes
> ldap suffix = dc=mydomain,dc=local
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=mydomain,dc=local
> logon script =%U.bat
> logon path =
> logon path =
> logon home =
> logon drive =
> username map = /etc/samba/usermap
> preferred master = Yes
> wins support = Yes
> winbind nested groups = Yes
> ea support = Yes
> domain logons = Yes
> domain master = Yes
> local master = Yes
> map acl inherit = Yes
> unix charset = UTF8
> case sensitive = No
>
> [netlogon]
> comment = Network Logon Service
> path = /home/samba/netlogon
> Locking = no
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
>
> [Public]
> comment = Public Folder
> path = /opt/public
> available = Yes
> browseable = Yes
> public = Yes
> read only = No
> guest ok = Yes
> writeable = yes
> create mode = 0775
> directory mode = 0775
> admin users = root
>
> I will appreciate any tip, thanks.
> --
> Living the dream...
>
--
Living the dream...
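The Windows message "The trust relationship between this workstation and the primary domain failed" corresponds, on the Samba side, to the lines above where `_netr_ServerAuthenticate3` reports `netlogon_creds_server_check failed` and rejects the machine account MBX-C14$: the NETLOGON secure-channel credential, which both sides compute from the machine account password, did not verify. When a migration covers 165 machines, the first thing an administrator wants is a list of which machine accounts are being rejected and how often. The following script is an added example, not part of the original post and not Samba project code. It parses the per-machine Samba log format shown in the post (a `[timestamp, level] source(function)` header line followed by an indented message line), collects every rejected NETLOGON authentication per machine account, and prints a summary. The sample log embedded in it is constructed in that format; `WS-EXAMPLE` is an invented second host, and the script name `netlogon_rejects.py` in the usage comment is hypothetical.

```python
import re
import sys
from collections import defaultdict

# A Samba log record is a header line followed by one or more indented message lines, e.g.
#   [2017/04/18 11:00:57.403683, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
#     _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)$"
)

# The message the netlogon server writes when the secure-channel credential check fails.
REJECT_RE = re.compile(
    r"_netr_ServerAuthenticate3: netlogon_creds_server_check failed\. "
    r"Rejecting auth request from client (?P<client>\S+) machine account (?P<account>\S+\$)"
)

# Constructed sample in the format of the log quoted in the post (assumption: header and message
# on separate lines, message indented). WS-EXAMPLE is an invented host, not from the post.
SAMPLE_LOG = """\
[2017/04/18 11:00:57.403677, 2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
  credentials check failed
[2017/04/18 11:00:57.403683, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
[2017/04/18 11:00:57.404459, 3] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
  api_rpcTNP: rpc command: NETR_SERVERREQCHALLENGE
[2017/04/18 11:00:57.406856, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
[2017/04/18 11:05:12.000001, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WS-EXAMPLE machine account WS-EXAMPLE$
[2017/04/18 11:01:10.747766, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
"""


def iter_records(lines):
    """Yield (timestamp, level, source, message) for each log record.

    Message lines are joined with a space until the next header line appears,
    so a message that Samba wraps over several lines is still seen as one string.
    """
    header = None
    body = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                yield header["ts"], int(header["level"]), header["src"], " ".join(body).strip()
            header = m.groupdict()
            body = []
        elif header is not None:
            body.append(line.strip())
    if header is not None:
        yield header["ts"], int(header["level"]), header["src"], " ".join(body).strip()


def find_rejected_machines(lines):
    """Return {machine_account: [timestamps]} for every rejected NETLOGON authentication."""
    rejected = defaultdict(list)
    for ts, _level, _src, msg in iter_records(lines):
        m = REJECT_RE.search(msg)
        if m:
            rejected[m.group("account")].append(ts)
    return dict(rejected)


def summarize(lines):
    """List (machine_account, rejection_count), most rejections first, ties by name."""
    rejected = find_rejected_machines(lines)
    return sorted(((acct, len(ts)) for acct, ts in rejected.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Usage: python netlogon_rejects.py /var/log/samba/*.log
    # With no arguments the built-in constructed sample is scanned instead.
    if len(sys.argv) > 1:
        lines = []
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines.extend(fh.read().splitlines())
    else:
        lines = SAMPLE_LOG.splitlines()
    first_seen = find_rejected_machines(lines)
    for account, count in summarize(lines):
        print(f"{account:20s} rejections={count:3d} first={first_seen[account][0]}")
```

Because the post's `log file = /var/log/samba/%m.log` setting writes one file per client, passing the whole directory's logs gives one row per rejected machine account; a row for a machine that was joined before the migration points at that machine's account, which is where a closer comparison of the migrated LDAP entry against the old PDC's copy is worth starting.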