Andrew Spiers
2011-May-23 08:00 UTC
[Samba] The trust relationship between this workstation and the primary domain failed.
Samba 3.5.6 PDC, Windows 7 client.
A user was unable to log on this morning with this error. The samba log for the machine is full of:

[2011/02/10 09:09:50.145387, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$
[2011/02/10 09:10:18.693306, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/02/10 09:10:18.693343, 0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2011/02/10 09:10:36.694575, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/02/10 09:10:36.694604, 0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2011/02/10 09:13:14.855541, 1] smbd/service.c:1070(make_connection_snum)

(Those messages go back as far as April when the user started using the machine.) I've got a feeling that SambaPwdLastSet isn't getting updated in our LDAP database.
Removing the client from the domain and rejoining it fixed the problem.

from smb.conf:
[netlogon]
   comment = Network Logon Service
   path = /share/common/netlogon
   guest ok = yes
   writable = no
   share modes = no
   write list = root, administrator

# getfacl /share/common/netlogon
getfacl: Removing leading '/' from absolute path names
# file: share/common/netlogon
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

Does anyone know why this might be? Or what can be done about it?
John Drescher
2011-May-23 12:14 UTC
[Samba] The trust relationship between this workstation and the primary domain failed.
On Mon, May 23, 2011 at 4:00 AM, Andrew Spiers <7andrew at gmail.com> wrote:
> Samba 3.5.6 PDC, Windows 7 client.
> A user was unable to log on this morning with this error. The samba
> log for the machine is full of:
>
> [2011/02/10 09:09:50.145387,  0]
> rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client CLIENT machine account CLIENT$
> [2011/02/10 09:10:18.693306,  0] lib/util_sock.c:474(read_fd_with_timeout)
> [2011/02/10 09:10:18.693343,  0] lib/util_sock.c:1432(get_peer_addr_internal)
>  getpeername failed. Error was Transport endpoint is not connected
>  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
> [2011/02/10 09:10:36.694575,  0] lib/util_sock.c:474(read_fd_with_timeout)
> [2011/02/10 09:10:36.694604,  0] lib/util_sock.c:1432(get_peer_addr_internal)
>  getpeername failed. Error was Transport endpoint is not connected
>  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
> [2011/02/10 09:13:14.855541,  1] smbd/service.c:1070(make_connection_snum)
>
> (Those messages go back as far as April when the user started using
> the machine.) I've got a feeling that SambaPwdLastSet isn't getting
> updated in our LDAP database.
> Removing the client from the domain and rejoining it fixed the problem.
>
> from smb.conf:
> [netlogon]
>   comment = Network Logon Service
>   path = /share/common/netlogon
>   guest ok = yes
>   writable = no
>   share modes = no
>   write list = root, administrator
>
> # getfacl /share/common/netlogon
> getfacl: Removing leading '/' from absolute path names
> # file: share/common/netlogon
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
>
> Does anyone know why this might be? Or what can be done about it?

I believe you have to disable the machine password from being automatically changed on the client. The default is every 30 days.
I believe if no user is logged in during the password exchange the Windows 7 box changes the password but samba does not get the change. See this thread:

http://samba.2283325.n4.nabble.com/Windows-7-machine-trust-accounts-expiring-td2456812.html

John
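
Added example (not part of either post, and not Samba code): a small Python parser for log records laid out like those quoted in this thread. It counts rejected netlogon authentications per machine account and records the first and last occurrence. The sample log is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout quoted above: header line, indented message lines.
SAMPLE_LOG = """\
[2011/02/10 09:09:50.145387,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$
[2011/02/10 09:10:18.693343,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
[2011/04/02 08:01:11.000001,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT machine account CLIENT$
[2011/04/02 08:03:40.500000,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client OTHERPC machine account OTHERPC$
"""

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?,\s*\d+\]")
REJECT = re.compile(r"netlogon_creds_server_check failed\.\s+Rejecting auth request "
                    r"from client (\S+) machine account (\S+)")

def records(text):
    """Yield (timestamp, message) pairs with continuation lines joined."""
    stamp, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if stamp:
                yield stamp, " ".join(body)
            stamp, body = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), []
        elif stamp and line.strip():
            body.append(line.strip())
    if stamp:
        yield stamp, " ".join(body)

def rejected_machine_accounts(text):
    """Map machine account -> count, first and last rejected netlogon auth."""
    seen = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for stamp, msg in records(text):
        m = REJECT.search(msg)
        if m:
            entry = seen[m.group(2)]  # key on the machine account, e.g. CLIENT$
            entry["count"] += 1
            entry["first"] = min(entry["first"] or stamp, stamp)
            entry["last"] = max(entry["last"] or stamp, stamp)
    return dict(seen)

if __name__ == "__main__":
    for account, info in sorted(rejected_machine_accounts(SAMPLE_LOG).items()):
        print(account, info["count"], info["first"], info["last"])
```

An account that keeps being rejected over a span of weeks, as in the original report, matches the broken trust relationship discussed in this thread.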