From: Richard Basch on 14 Jan 2010 04:40

I have been going through all the Wikis and various Google searches to try to solve my problem, all to no avail. I can mount a Samba share, but whenever I try to login using a domain account, I receive an error about "The trust relationship between this workstation and the primary domain failed."

What I have done so far, all to no avail:

- Upgraded from Samba 3.4.2 to Samba 3.4.4 (under OpenSUSE 11.2)
- Edited the registry settings on my Windows 7 client:
  HKLM\System\CCS\Services\LanmanWorkstation\Parameters
  DWORD DomainCompatibilityMode = 1
  DWORD DNSNameResolutionRequired = 0

(I also tried reducing the security requirements for signing & encryption, but have read this is not required with current versions of Samba.)

(And, I am running Windows 7 Professional on my client.)

"testparm -v" indicates my smb.conf is valid, and I am able to mount shares, which is a positive indication the OpenLDAP integration is working. I am running OpenLDAP 2.4.15 or higher on all my LDAP servers (I think they are all 2.4.19 - 2.4.21).

DNS is static, with none of the normal ADS entries. Only the DHCP server is allowed to modify DNS (and only the forward map allows updates, since DHCP updates of the reverse in-addr.arpa maps were problematic). To assist with finding the domain controller, I added the following to C:\Windows\System32\Drivers\etc\lmhosts:

192.168.15.2 tardis #PRE #DOM:N2HA

(Thus my attempts to join the domain appear successful, with the documented warnings about the domain suffix. Unfortunately, appearances are deceiving when I actually try to login using a domain account.)

Attached are entries from my smbd.log and C:\Windows\debug\NetSetup.log and smb.conf.

Any assistance or guidance would be greatly appreciated.

log.smbd
========
[2010/01/14 03:31:38, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
[2010/01/14 03:31:38, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
[2010/01/14 03:31:48, 0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/01/14 03:31:48, 0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/01/14 03:33:17, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
[2010/01/14 03:33:17, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$
[2010/01/14 03:33:30, 0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/01/14 03:33:30, 0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/01/14 03:34:18, 0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/01/14 03:34:18, 0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

C:\Windows\debug\NetSetup.log
=============================
01/13/2010 23:36:18:337 NetpJoinDomain: status of connecting to dc '\\TARDIS': 0x0
01/13/2010 23:36:18:337 NetpProvisionComputerAccount:
01/13/2010 23:36:18:337 lpDomain: N2HA
01/13/2010 23:36:18:337 lpMachineName: BAST
01/13/2010 23:36:18:337 lpMachineAccountOU: (NULL)
01/13/2010 23:36:18:337 lpDcName: TARDIS
01/13/2010 23:36:18:337 lpDnsHostName: (NULL)
01/13/2010 23:36:18:337 lpMachinePassword: (null)
01/13/2010 23:36:18:337 lpAccount: N2HA\ntadmin
01/13/2010 23:36:18:337 lpPassword: (non-null)
01/13/2010 23:36:18:337 dwJoinOptions: 0x25
01/13/2010 23:36:18:337 dwOptions: 0x40000003
01/13/2010 23:36:18:352 NetpLdapBind: ldap_bind failed on TARDIS: 49: Invalid Credentials
01/13/2010 23:36:18:426 NetpGetLsaPrimaryDomain: DNS Domain policy not supported, falling back to Primary Domain
01/13/2010 23:36:18:430 NetpGetLsaPrimaryDomain: status: 0x0
01/13/2010 23:36:18:432 NetpCreateComputerObjectInDs: DC passed '\\TARDIS' doesn't have writable DS 0x101
01/13/2010 23:36:18:432 NetpProvisionComputerAccount: LDAP creation failed: 0x32
01/13/2010 23:36:18:432 NetpJoinDomainOnDs: Function exits with status of: 0x32
01/13/2010 23:36:18:434 NetpJoinDomainOnDs: status of disconnecting from '\\TARDIS': 0x0
01/13/2010 23:36:18:434 NetpDoDomainJoin: status: 0x32
01/13/2010 23:36:18:450 -----------------------------------------------------------------
01/13/2010 23:36:18:450 NetpDoDomainJoin
01/13/2010 23:36:18:450 NetpMachineValidToJoin: 'BAST'
01/13/2010 23:36:18:450 OS Version: 6.1
01/13/2010 23:36:18:450 Build number: 7600 (7600.win7_rtm.090713-1255)
01/13/2010 23:36:18:451 SKU: Windows 7 Professional
01/13/2010 23:36:18:451 NetpDomainJoinLicensingCheck: ulLicenseValue=1, Status: 0x0
01/13/2010 23:36:18:452 NetpGetLsaPrimaryDomain: status: 0x0
01/13/2010 23:36:18:453 NetpMachineValidToJoin: status: 0x0
01/13/2010 23:36:18:453 NetpJoinDomain
01/13/2010 23:36:18:453 Machine: BAST
01/13/2010 23:36:18:453 Domain: N2HA
01/13/2010 23:36:18:453 MachineAccountOU: (NULL)
01/13/2010 23:36:18:453 Account: N2HA\ntadmin
01/13/2010 23:36:18:453 Options: 0x27
01/13/2010 23:36:18:453 NetpLoadParameters: loading registry parameters...
01/13/2010 23:36:18:453 NetpLoadParameters: status: DNSNameResolutionRequired set to '0'
01/13/2010 23:36:18:453 NetpLoadParameters: status: DomainCompatibilityMode set to '1'
01/13/2010 23:36:18:453 NetpLoadParameters: status: 0x0
01/13/2010 23:36:18:453 NetpValidateName: checking to see if 'N2HA' is valid as type 3 name
01/13/2010 23:36:18:554 NetpCheckDomainNameIsValid [ Exists ] for 'N2HA' returned 0x0
01/13/2010 23:36:18:554 NetpValidateName: name 'N2HA' is valid for type 3
01/13/2010 23:36:18:554 NetpDsGetDcName: trying to find DC in domain 'N2HA', flags: 0x1020
01/13/2010 23:36:18:755 NetpLoadParameters: loading registry parameters...
01/13/2010 23:36:18:755 NetpLoadParameters: status: DNSNameResolutionRequired set to '0'
01/13/2010 23:36:18:755 NetpLoadParameters: status: DomainCompatibilityMode set to '1'
01/13/2010 23:36:18:755 NetpLoadParameters: status: 0x0
01/13/2010 23:36:18:755 NetpDsGetDcName: found DC '\\TARDIS' in the specified domain
01/13/2010 23:36:18:755 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
01/13/2010 23:36:18:756 NetpJoinDomain: status of connecting to dc '\\TARDIS': 0x0
01/13/2010 23:36:18:756 NetpProvisionComputerAccount:
01/13/2010 23:36:18:756 lpDomain: N2HA
01/13/2010 23:36:18:756 lpMachineName: BAST
01/13/2010 23:36:18:756 lpMachineAccountOU: (NULL)
01/13/2010 23:36:18:756 lpDcName: TARDIS
01/13/2010 23:36:18:756 lpDnsHostName: (NULL)
01/13/2010 23:36:18:756 lpMachinePassword: (null)
01/13/2010 23:36:18:756 lpAccount: N2HA\ntadmin
01/13/2010 23:36:18:756 lpPassword: (non-null)
01/13/2010 23:36:18:756 dwJoinOptions: 0x27
01/13/2010 23:36:18:756 dwOptions: 0x40000003
01/13/2010 23:36:18:764 NetpLdapBind: ldap_bind failed on TARDIS: 49: Invalid Credentials
01/13/2010 23:36:18:773 NetpGetLsaPrimaryDomain: DNS Domain policy not supported, falling back to Primary Domain
01/13/2010 23:36:18:776 NetpGetLsaPrimaryDomain: status: 0x0
01/13/2010 23:36:18:779 NetpCreateComputerObjectInDs: DC passed '\\TARDIS' doesn't have writable DS 0x101
01/13/2010 23:36:18:779 NetpProvisionComputerAccount: LDAP creation failed: 0x32
01/13/2010 23:36:18:779 NetpProvisionComputerAccount: Retrying downlevel per options
01/13/2010 23:36:18:881 NetpManageMachineAccountWithSid: NetUserAdd on 'TARDIS' for 'BAST$' failed: 0x8b0
01/13/2010 23:36:19:287 NetpManageMachineAccountWithSid: status of attempting to set password on 'TARDIS' for 'BAST$': 0x0
01/13/2010 23:36:19:287 NetpProvisionComputerAccount: retry status of creating account: 0x0
01/13/2010 23:36:19:287 NetpEncodeProvisioningBlob: Encoding provisioning data
01/13/2010 23:36:19:287 NetpInitBlobWin7: Constructing blob...
01/13/2010 23:36:19:287 Blob version: 1

smb.conf
========
[global]
    workgroup = N2HA
    realm = INTERNAL.BRIGHT-PROSPECTS.COM
    security = user
    map to guest = Bad User
    usershare allow guests = Yes
    server string = %h (Samba %v)
    hosts allow = 192.168.0.0/16
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    smb ports = 445 139
    ;os level = 65
    local master = yes
    domain master = yes
    preferred master = yes
    domain logons = yes
    winbind use default domain = yes
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    name resolve order = wins lmhosts bcast
    wins support = yes
    dns proxy = no
    ea support = yes
    enable asu support = yes
    time server = yes
    deadtime = 10
    max log size = 4096
    hide unreadable = yes
    hide dot files = no
    template shell = /bin/false
    veto oplock files = /*.pst/*.nsf/*.doc/*.xls/*.mdb/
    client lanman auth = no
    client ntlmv2 auth = yes
    client plaintext auth = no
    encrypt passwords = yes
    lanman auth = no
    ntlm auth = yes
    null passwords = yes
    server signing = auto
    server schannel = auto
    passdb backend = ldapsam:ldaps://ldap.internal.bright-prospects.com/
    obey pam restrictions = no
    ldap ssl = no
    ldap admin dn = "uid=ntadmin,ou=System,ou=User,dc=bright-prospects,dc=com"
    ldap suffix = dc=bright-prospects,dc=com
    ldap machine suffix = sambaDomainName=N2HA,ou=Network
    ldap user suffix = ou=People,ou=User
    ldap group suffix = ou=Group
    ldap idmap suffix = ou=IdMap,ou=Network
    ldap passwd sync = yes
    ldap delete dn = no
    add user script = /home/admin/bin/smbldap-useradd -m %u
    delete user script = /home/admin/bin/smbldap-userdel %u
    add machine script = /home/admin/bin/smbldap-useradd -w %u
    add group script = /home/admin/bin/smbldap-groupadd -p %g
    #delete group script = /home/admin/bin/smbldap-groupdel %g
    add user to group script = /home/admin/bin/smbldap-groupmod -m %u %g
    delete user from group script = /home/admin/bin/smbldap-groupmod -x %u %g
    set primary group script = /home/admin/bin/smbldap-usermod -g %g %u
    passwd program = /home/admin/bin/smbldap-passwd %u
    vfs objects = extd_audit recycle
    recycle: directory_mode = 0770
    recycle: keeptree = 1
    recycle: touch = 1
    recycle: minsize = 1
    recycle: maxsize = 5000000
    recycle: exclude = *.tmp *.temp ~$* *.obj *.~??
    recycle: exclude_dir = /RealTimeBackup
    ;vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

[homes]
    comment = Home Directories
    ;valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes
    ; locking = no
    hide files = /.*/desktop.ini/thumbs.db/*.bitmap/NTUSER.*/
    hide special files = yes
    path = /home/%S

[profiles]
    comment = Network Profiles Service
    ;path = %H
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700
    ; hide files = /desktop.ini/thumbs.db/*.bitmap/
    guest ok = yes
    path = /home/profiles

[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/

[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes

[printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    create mask = 0600
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
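The two logs in the post carry the whole diagnosis if read together: NetSetup.log shows the AD-style LDAP join failing and Windows falling back to the downlevel (NT4-style) RPC join, which finds the BAST$ account already present and then sets its password with status 0x0, while log.smbd shows the PDC rejecting every later NETLOGON secure-channel setup for BAST$ because netlogon_creds_server_check fails. The script below is an added triage example, not code from the post or from the Samba project; it parses both log formats, counts the secure-channel rejections per machine account and turns the join-path facts into plain notes. The sample lines are constructed from the post's excerpts, and the NERR_UserExists value (0x8b0) is the standard Win32 LAN Manager error code.

```python
"""Triage helper for Samba smbd and Windows NetSetup.log excerpts (added example)."""
import re
from collections import Counter

# smbd record header "[YYYY/MM/DD HH:MM:SS, level] file:line(function)"; the
# message body follows on indented continuation lines.
SMBD_HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")
SCHANNEL_REJECT = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request "
    r"from client (\S+) machine account (\S+\$)")
# NetSetup.log line "MM/DD/YYYY HH:MM:SS:mmm message"
NETSETUP_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3}) (.*)$")
LDAP_BIND_FAIL = re.compile(r"NetpLdapBind: ldap_bind failed on (\S+): (\d+): (.+)")
USERADD_FAIL = re.compile(r"NetUserAdd on '(\S+)' for '(\S+\$)' failed: 0x([0-9a-f]+)")
SETPW_STATUS = re.compile(r"set password on '(\S+)' for '(\S+\$)': 0x([0-9a-f]+)")
NERR_USER_EXISTS = 0x8B0  # Win32 NERR_UserExists (2224): account already on the DC

# Sample input, constructed from the excerpts in the post above.
SMBD_SAMPLE = """\
[2010/01/14 03:31:38, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
  Rejecting auth request from client BAST machine account BAST$
[2010/01/14 03:31:48, 0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/01/14 03:31:48, 0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/01/14 03:33:17, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
  Rejecting auth request from client BAST machine account BAST$
"""
NETSETUP_SAMPLE = r"""
01/13/2010 23:36:18:764 NetpLdapBind: ldap_bind failed on TARDIS: 49: Invalid Credentials
01/13/2010 23:36:18:779 NetpCreateComputerObjectInDs: DC passed '\\TARDIS' doesn't have writable DS 0x101
01/13/2010 23:36:18:779 NetpProvisionComputerAccount: LDAP creation failed: 0x32
01/13/2010 23:36:18:779 NetpProvisionComputerAccount: Retrying downlevel per options
01/13/2010 23:36:18:881 NetpManageMachineAccountWithSid: NetUserAdd on 'TARDIS' for 'BAST$' failed: 0x8b0
01/13/2010 23:36:19:287 NetpManageMachineAccountWithSid: status of attempting to set password on 'TARDIS' for 'BAST$': 0x0
"""


def parse_smbd(text):
    """Group smbd lines into records: a header plus its indented continuation lines."""
    records = []
    for line in text.splitlines():
        m = SMBD_HEADER.match(line.strip())
        if m:
            records.append({"ts": m.group(1), "level": int(m.group(2)),
                            "src": m.group(3), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records


def schannel_rejects(records):
    """Count NETLOGON secure-channel rejections per machine account."""
    counts = Counter()
    for r in records:
        m = SCHANNEL_REJECT.search(r["msg"])
        if m:
            counts[m.group(2)] += 1
    return dict(counts)


def netsetup_findings(text):
    """Pull the join-path facts out of NetSetup.log that matter against a Samba PDC."""
    f = {"ldap_bind_errors": [], "downlevel_retry": False,
         "account_existed": None, "password_set_ok": None}
    for line in text.splitlines():
        m = NETSETUP_LINE.match(line.strip())
        if not m:
            continue
        msg = m.group(2)
        b, u, p = LDAP_BIND_FAIL.search(msg), USERADD_FAIL.search(msg), SETPW_STATUS.search(msg)
        if b:
            f["ldap_bind_errors"].append((b.group(1), int(b.group(2)), b.group(3)))
        elif "Retrying downlevel per options" in msg:
            f["downlevel_retry"] = True
        elif u:
            f["account_existed"] = int(u.group(3), 16) == NERR_USER_EXISTS
        elif p:
            f["password_set_ok"] = int(p.group(3), 16) == 0
    return f


def triage(smbd_text, netsetup_text):
    """Combine both logs into plain-language diagnostic notes."""
    notes = []
    f = netsetup_findings(netsetup_text)
    if f["ldap_bind_errors"]:
        notes.append("AD-style LDAP join step failed (expected against an NT4-style PDC); "
                     "the client falls back to the downlevel RPC join.")
    if f["downlevel_retry"] and f["password_set_ok"]:
        notes.append("Downlevel join succeeded: machine account "
                     + ("already existed and " if f["account_existed"] else "")
                     + "its password was (re)set on the PDC.")
    for acct, n in sorted(schannel_rejects(parse_smbd(smbd_text)).items()):
        notes.append(f"{n} secure-channel rejection(s) for {acct}: the machine password the "
                     "PDC reads for this account does not match the one the client holds.")
    return notes


if __name__ == "__main__":
    for note in triage(SMBD_SAMPLE, NETSETUP_SAMPLE):
        print("-", note)
```

Run it against a full log.smbd and NetSetup.log instead of the samples to see whether every rejection concerns the same machine account; a join that reports password set 0x0 followed by rejections for that same account points at the PDC-side copy of the machine password (for an ldapsam backend, the account entry under the ldap machine suffix) rather than at the client.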