I think I have narrowed this down even further.

I have been working through getting rid of error messages in the logs, and I have updated Samba to 3.4.3. This might have fixed the issue, and I won't know for some time, but I can still see the following error appearing in the logs, which seems to line up with the core issue of machine trust accounts expiring.

rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-2150 machine account AC-2150$

I have noticed that the new Windows 7 machines say the password has expired on the same date that is in "sambaPwdLastSet". I added the "X" attribute in sambaAcctFlags in an attempt to stop the accounts from expiring. Below is an ldif of a Windows 7 machine trust account

dn: uid=ac-2150$,ou=computers,dc=domain,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ac-2150$
uid: ac-2150$
uidNumber: 1111
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaDomainName: DOMAIN
sambaPrimaryGroupSID: S-1-5-21-3581057417-3103041693-70022037-515
sambaSID: S-1-5-21-3581057417-3103041693-70022037-3222
sambaNTPassword: DABA25E3910551C63347D399520C123D
sambaAcctFlags: [WX ]
sambaPwdLastSet: 1260776037

Any help would be appreciated.

aF
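The two attributes the post above relies on, sambaAcctFlags and sambaPwdLastSet, can be decoded directly from an LDIF export. The following is an added example, not code from the post or from Samba: the function names are hypothetical, and the 30-day `max_age_days` default is an assumption standing in for the "one month" reported in this thread.

```python
from datetime import datetime, timedelta, timezone

# Letter codes Samba stores between the brackets of sambaAcctFlags.
ACCT_FLAGS = {
    "N": "no password required", "D": "account disabled",
    "H": "home directory required", "T": "temporary duplicate account",
    "U": "normal user account", "M": "MNS logon account",
    "W": "workstation trust account", "S": "server trust account",
    "L": "automatically locked", "X": "password does not expire",
    "I": "interdomain trust account",
}

# Constructed sample: attributes taken from the entry posted above, hash left out.
SAMPLE_LDIF = """\
dn: uid=ac-2150$,ou=computers,dc=domain,dc=local
objectClass: sambaSamAccount
uid: ac-2150$
sambaAcctFlags: [WX ]
sambaPwdLastSet: 1260776037
"""

def parse_entry(ldif_text):
    """Parse one LDIF entry into {attribute: [values]} (plain values only)."""
    entry = {}
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        # Folded lines and base64 ("attr::") values are rejected, not guessed at.
        if not sep or value.startswith(":") or line[0] == " ":
            raise ValueError(f"unsupported LDIF line: {line!r}")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def audit_trust_account(ldif_text, now, max_age_days=30):
    """Decode the flags and password age of one machine trust account."""
    entry = parse_entry(ldif_text)
    letters = [c for c in entry["sambaAcctFlags"][0].strip("[]") if c != " "]
    unknown = [c for c in letters if c not in ACCT_FLAGS]
    if unknown:
        raise ValueError(f"unknown sambaAcctFlags letters: {unknown}")
    # sambaPwdLastSet is seconds since the Unix epoch (UTC).
    last_set = datetime.fromtimestamp(int(entry["sambaPwdLastSet"][0]), tz=timezone.utc)
    age = now - last_set
    return {
        "uid": entry["uid"][0],
        "flags": [ACCT_FLAGS[c] for c in letters],
        "no_expiry_flag": "X" in letters,
        "pwd_last_set": last_set,
        "age_days": age.days,
        "overdue": age > timedelta(days=max_age_days),  # assumed threshold
    }
```

Run against an export of the computers OU, this shows which machine accounts have a sambaPwdLastSet older than the assumed interval, which is where the thread reports the trust failures appearing.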
Hi,

I'm having the same problem with my Windows 7 machines (64 bit Enterprise) but not Vista. After exactly one month they complain that "The trust relationship between this workstation and the primary domain failed." and I have to rejoin the domain, which fixes it for another month. This happens with and without the "X" account flag set. I'm running samba 3.4.0-3ubuntu5 on ubuntu jaunty with tdbsam.

When the trust relationship expires, the samba log says:

rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client IX machine account IX$

Interestingly, even after rejoining the domain, when I log on as a domain user for the first time, it shows the above error once more and then logs on happily.

I also found this line several times:

smbd/service.c:1009(make_connection_snum)
  '/path/to/IX_' does not exist or permission denied when connecting to [tom] Error was No such file or directory

I'm logging on to the machine "ix" as user "tom" and none of the machine accounts have home directories and so far none of them complained about it missing; except the Windows 7 ones. If I create the directory and log in it says:

smbd/service.c:1047(make_connection_snum)
  ix (130.95.136.139) connect to service tom initially as user tom (uid=1050, gid=1050) (pid 6387)
smbd/service.c:1047(make_connection_snum)
  ix (130.95.136.139) connect to service tom initially as user IX$ (uid=1214, gid=200) (pid 6387)
smbd/nttrans.c:2076(call_nt_transact_ioctl)
  call_nt_transact_ioctl(0x1401c4): Currently not implemented.

and logs in happily. There are no files in the newly created directories.

Alex: You mentioned that you wouldn't know until early this month if the update to 3.4.3 solved this problem; did it?

Tom

On Wed, Dec 16, 2009 at 13:06, Alex Ferrara <alex at receptiveit.com.au> wrote:
> I think I have narrowed this down even further.
>
> I have been working through getting rid of error messages in the
> logs, and I have updated Samba to 3.4.3. This might have fixed the
> issue, and I won't know for some time, but I can still see the
> following error appearing in the logs, which seems to line up with
> the core issue of machine trust accounts expiring.
>
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client AC-2150 machine account AC-2150$
>
> I have noticed that the new Windows 7 machines say the password has
> expired on the same date that is in "sambaPwdLastSet". I added the
> "X" attribute in sambaAcctFlags in an attempt to stop the accounts
> from expiring.

Predrag Gavrilovic
2010-May-19 12:32 UTC
[Samba] Windows 7 machine trust accounts expiring
I also have this problem, running samba 3.4.7 from debian backports on Lenny. I have applied registry patches as suggested on samba wiki:

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0

Windows 7 joins domain but trust relation fails after month or so with "netlogon_creds_server_check failed" error. Needless to say, XP and Vista work ok.

Can anyone (please) confirm possibility of windows 7 joining samba domain and staying joined for more than a month. If so, what version of samba is working? Is samba 3.5 required, or other registry patches mentioned (as not needed) in wiki?

On 16.12.2009. 06:06, Alex Ferrara wrote:
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-2150 machine account AC-2150$
>
> I have noticed that the new Windows 7 machines say the password has expired on the same date that is in "sambaPwdLastSet". I added the "X" attribute in sambaAcctFlags in an attempt to stop the accounts from expiring. Below is an ldif of a Windows 7 machine trust account
>
> dn: uid=ac-2150$,ou=computers,dc=domain,dc=local
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaSamAccount
> cn: ac-2150$
> uid: ac-2150$
> uidNumber: 1111
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> sambaDomainName: DOMAIN
> sambaPrimaryGroupSID: S-1-5-21-3581057417-3103041693-70022037-515
> sambaSID: S-1-5-21-3581057417-3103041693-70022037-3222
> sambaNTPassword: DABA25E3910551C63347D399520C123D
> sambaAcctFlags: [WX ]
> sambaPwdLastSet: 1260776037
>
> Any help would be appreciated.
>
> aF

Predrag Gavrilovic writes:
> Windows 7 joins domain but trust relation fails after month or so with
> "netlogon_creds_server_check failed" error. Needless to say, XP and
> Vista work ok.
>
> Can anyone (please) confirm possibility of windows 7 joining samba
> domain and staying joined for more than a month.
> If so, what version of samba is working? Is samba 3.5 required, or other
> registry patches mentioned (as not needed) in wiki?

We have been using samba 3.5.[12] and with those the Windows 7 trust relation stays intact.

Regards, roel