samba - May 2011 - The trust relationship between this workstation and the primary domain failed.

Samba 3.5.6 PDC, Windows 7 client.
A user was unable to log on this morning with this error. The samba
log for the machine is full of:

[2011/02/10 09:09:50.145387,  0]
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client CLIENT machine account CLIENT$
[2011/02/10 09:10:18.693306,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/02/10 09:10:18.693343,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2011/02/10 09:10:36.694575,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/02/10 09:10:36.694604,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2011/02/10 09:13:14.855541,  1] smbd/service.c:1070(make_connection_snum)

(Those messages go back as far as April when the user started using
the machine.) I've got a feeling that SambaPwdLastSet isn't getting
updated in our LDAP database.
Removing the client from the domain and rejoining it fixed the problem.

from smb.conf:
[netlogon]
   comment = Network Logon Service
   path = /share/common/netlogon
   guest ok = yes
   writable = no
   share modes = no
   write list = root, administrator

# getfacl /share/common/netlogon
getfacl: Removing leading '/' from absolute path names
# file: share/common/netlogon
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

Does anyone know why this might be? Or what can be done about it?

On Mon, May 23, 2011 at 4:00 AM, Andrew Spiers <7andrew at gmail.com>
wrote:
> Samba 3.5.6 PDC, Windows 7 client.
> A user was unable to log on this morning with this error. The samba
> log for the machine is full of:
>
> [2011/02/10 09:09:50.145387, ?0]
> rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
> ?_netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client CLIENT machine account CLIENT$
> [2011/02/10 09:10:18.693306, ?0] lib/util_sock.c:474(read_fd_with_timeout)
> [2011/02/10 09:10:18.693343, ?0]
lib/util_sock.c:1432(get_peer_addr_internal)
> ?getpeername failed. Error was Transport endpoint is not connected
> ?read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
peer.
> [2011/02/10 09:10:36.694575, ?0] lib/util_sock.c:474(read_fd_with_timeout)
> [2011/02/10 09:10:36.694604, ?0]
lib/util_sock.c:1432(get_peer_addr_internal)
> ?getpeername failed. Error was Transport endpoint is not connected
> ?read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
peer.
> [2011/02/10 09:13:14.855541, ?1] smbd/service.c:1070(make_connection_snum)
>
> (Those messages go back as far as April when the user started using
> the machine.) I've got a feeling that SambaPwdLastSet isn't getting
> updated in our LDAP database.
> Removing the client from the domain and rejoining it fixed the problem.
>
> from smb.conf:
> [netlogon]
> ? comment = Network Logon Service
> ? path = /share/common/netlogon
> ? guest ok = yes
> ? writable = no
> ? share modes = no
> ? write list = root, administrator
>
> # getfacl /share/common/netlogon
> getfacl: Removing leading '/' from absolute path names
> # file: share/common/netlogon
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
>
> Does anyone know why this might be? Or what can be done about it?
I believe you have to disable the machine password from being
automatically changed on the client. The default is every 30 days. I
believe if no user is logged in during the password exchange the
Windows 7 box changes the password but samba does not get the change.

See this thread:
http://samba.2283325.n4.nabble.com/Windows-7-machine-trust-accounts-expiring-td2456812.html

John