samba - Jun 2010 - Adding Domain User Accounts to Windows 7 Clients (Samba 3.4.8 PDC)

Hi,

I've searched the logs and google trying to find a fix for my problem
and have so far not succeeded.

I've got a Samba PDC (Debian Lenny), running Samba 3.4.8 from Debian
Backports.  It is using an OpenLdap backend.  We have encountered little
to no problems over the last several years.  And of course, we have to
upgrade to Windows 7 (64-bit), from XP-64. So, here we are.

Following the wiki here: http://wiki.samba.org/index.php/Windows7 I have
made the registry changes mentioned on this page.

I can successfully join the Windows 7 client to our Samba PDC.
Furthermore, domain users are able to login, by using the following
syntax: domain\username and password.  Finally, users are able to access
domain shares without difficulty.

However, I am unable to successfully add domain user accounts to the
client.  When I attempt this, I receive the following error:

"The user could not be added because the following error has occurred:

The trust relationship between the workstation and the primary domain
failed."

Can anybody help pinpoint my error?

My samba PDC logs show the following:

Jun 15 12:11:31 nishnabotna smbd[2746]: [2010/06/15 12:11:31,  0]
auth/auth_sam.c:355(check_sam_security)
Jun 15 12:11:31 nishnabotna smbd[2746]:   check_sam_security:
make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Jun 15 12:11:32 nishnabotna smbd[2746]: [2010/06/15 12:11:32,  0]
rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
Jun 15 12:11:32 nishnabotna smbd[2746]:   _netr_ServerAuthenticate3:
netlogon_creds_server_check failed. Rejecting auth request from client
CALLENDER machine account CALLENDER$

And perhaps to state the obvious, the user I'm attempting to add does
exist on the network.  By the way, I'm getting this error when trying to
add ANY domain user account to Windows 7 clients.

I would appreciate any input you might offer.

Thanks,
Bryan Walton

-- 
Bryan K. Walton				 Division of Physiologic Imaging
Systems Administrator		University of Iowa Hospitals and Clinics

Does anybody have any ideas?

Thanks,
Bryan Walton

On Tue, Jun 15, 2010 at 12:22:25PM -0500, Walton, Bryan K
wrote:
> Hi,
> 
> I've searched the logs and google trying to find a fix for my problem
> and have so far not succeeded.
> 
> I've got a Samba PDC (Debian Lenny), running Samba 3.4.8 from Debian
> Backports.  It is using an OpenLdap backend.  We have encountered little
> to no problems over the last several years.  And of course, we have to
> upgrade to Windows 7 (64-bit), from XP-64. So, here we are.
> 
> Following the wiki here: http://wiki.samba.org/index.php/Windows7 I have
> made the registry changes mentioned on this page.
> 
> I can successfully join the Windows 7 client to our Samba PDC.
> Furthermore, domain users are able to login, by using the following
> syntax: domain\username and password.  Finally, users are able to access
> domain shares without difficulty.
> 
> However, I am unable to successfully add domain user accounts to the
> client.  When I attempt this, I receive the following error:
> 
> "The user could not be added because the following error has occurred:
> 
> The trust relationship between the workstation and the primary domain
> failed."
> 
> Can anybody help pinpoint my error?
> 
> My samba PDC logs show the following:
> 
> Jun 15 12:11:31 nishnabotna smbd[2746]: [2010/06/15 12:11:31,  0]
> auth/auth_sam.c:355(check_sam_security)
> Jun 15 12:11:31 nishnabotna smbd[2746]:   check_sam_security:
> make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
> Jun 15 12:11:32 nishnabotna smbd[2746]: [2010/06/15 12:11:32,  0]
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
> Jun 15 12:11:32 nishnabotna smbd[2746]:   _netr_ServerAuthenticate3:
> netlogon_creds_server_check failed. Rejecting auth request from client
> CALLENDER machine account CALLENDER$
> 
> And perhaps to state the obvious, the user I'm attempting to add does
> exist on the network.  By the way, I'm getting this error when trying
to
> add ANY domain user account to Windows 7 clients.
> 
> I would appreciate any input you might offer.
> 
> Thanks,
> Bryan Walton
> 
> -- 
> Bryan K. Walton				 Division of Physiologic Imaging
> Systems Administrator		University of Iowa Hospitals and Clinics
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

On Thu, Jun 17, 2010 at 12:54 PM, Walton, Bryan K
<bryan-walton at uiowa.edu> wrote:
> Does anybody have any ideas?
>
I precreate my machine accounts via LAM
(http://www.ldap-account-manager.org/) and that seems to work. I have
had a little of the NT_STATUS_NO_SUCH_USER for machine accounts but I
think I have that solved.

John

On Tue, Jun 15, 2010 at 12:22:25PM -0500, Walton, Bryan K
wrote:
> 
> However, I am unable to successfully add domain user accounts to the
> client.  When I attempt this, I receive the following error:
> 
> "The user could not be added because the following error has occurred:
> 
> The trust relationship between the workstation and the primary domain
> failed."
Hi everybody, thanks for your replies.  I've found the problem, I
believe, and have a work around.  About 15 minutes ago, I stumbled across
this web page:

http://social.technet.microsoft.com/Forums/en/w7itpronetworking/thread/7d0bb953-3514-4475-8f00-5f624f5f6b00

As it turns out, a "new feature" of Windows 7 is that you cannot
directly add domain users as local users.  Instead, you must add desired
domain users to local groups, achieving the desired result.  I have
verfied that this works without difficulty.

In the past, I was able to add domain user acocunts as local accounts,
but it appears that Microsoft no longer allows this with Windows 7.

Thanks again,
Bryan

On Thu, Jun 17, 2010 at 06:22:54PM -0500, David Whitney
wrote:
> 
> Could you explain a bit more what you mean by trying to create a
"local
> user" out of a domain user?
I'm realizing that I've done a very poor job of wording what I was
trying to accomplish.  Essentially, my goal is this:

I have user accounts set up on our domain.  These accounts do not
have administrative rights on the domain.  However, in some cases, I
would like a given domain account to have local administrative rights on
their workstation.  In the past, when logged into the workstation under
an administrator account, I have used the add user window as seen in
the screenshot show in this link:

http://www.ejoose.com/Windows2000/installation/add.user.windows.2000.gif

I would simply click on the add button.  Specify our Samba domain and
the user account.  Then, I would specify that this user was to have
administrative rights on this box.  It worked great.

However, with Windows 7, when using this same process, I would receive
the trust relationship error, as mentioned in my original post (even
though the I've made the registry fixes required and even though the
workstation was already joined to the domain).

What I'm doing now, and is working for me, is simply adding the
specified domain user account to the local administrator group, by
clicking on the advanced tab and then making my way into the local group
listing and adding the user to the Administrator's group.

I think, in the end, both ways that I have employed achieve the same
thing, it is just that the way I've previously done it isn't currently
working.  But the new way suffices.

Again, sorry for the confusion caused by my poor wording.

Cheers,
Bryan