samba - Apr 2012 - trust relationship between this workstation and the primary domain failed

Samba shares work for windows 7 and Server 2008, but XP and Server 2000 recieve
the following error when trying to map samba shares:

"The trust relationship between this workstation and the primary domain
failed."

tail -f /var/log/messages
Apr 10 07:38:03 samba01 smbd[23581]:?? connect_to_domain_password_server: unable
to open the domain client session to machine ad1.strat.com. Error was :
NT_STATUS_ACCESS_DENIED.
Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.788387,? 0]
rpc_client/cli_pipe.c:4163(cli_rpc_pipe_open_schannel)
Apr 10 07:38:03 samba01 smbd[23581]:?? cli_rpc_pipe_open_schannel: failed to get
schannel session key from server ad1.strat.com for domain ARN.
Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.788601,? 0]
auth/auth_domain.c:188(connect_to_domain_password_server)
Apr 10 07:38:03 samba01 smbd[23581]:?? connect_to_domain_password_server: unable
to open the domain client session to machine ad1.strat.com. Error was :
NT_STATUS_ACCESS_DENIED.
Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.789152,? 0]
auth/auth_domain.c:289(domain_client_validate) Apr 10 07:38:03 samba01
smbd[23581]:?? domain_client_validate: Domain password server not available

Samba 3.5.10
RHEL 6.2

Any help is appreciated.? 
Thanks,
Clinton

On Tue, Apr 10, 2012 at 8:43 AM, clinton propst <clintonpropst at
yahoo.com> wrote:
> Samba shares work for windows 7 and Server 2008, but XP and Server 2000
recieve the following error when trying to map samba shares:
>
> "The trust relationship between this workstation and the primary
domain failed."
>
> tail -f /var/log/messages
> Apr 10 07:38:03 samba01 smbd[23581]:?? connect_to_domain_password_server:
unable to open the domain client session to machine ad1.strat.com. Error was :
NT_STATUS_ACCESS_DENIED.
> Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.788387,? 0]
rpc_client/cli_pipe.c:4163(cli_rpc_pipe_open_schannel)
> Apr 10 07:38:03 samba01 smbd[23581]:?? cli_rpc_pipe_open_schannel: failed
to get schannel session key from server ad1.strat.com for domain ARN.
> Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.788601,? 0]
auth/auth_domain.c:188(connect_to_domain_password_server)
> Apr 10 07:38:03 samba01 smbd[23581]:?? connect_to_domain_password_server:
unable to open the domain client session to machine ad1.strat.com. Error was :
NT_STATUS_ACCESS_DENIED.
> Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.789152,? 0]
auth/auth_domain.c:289(domain_client_validate) Apr 10 07:38:03 samba01
smbd[23581]:?? domain_client_validate: Domain password server not available
>
> Samba 3.5.10
> RHEL 6.2
>
> Any help is appreciated.
http://lists.samba.org/archive/samba/2010-October/158591.html

-- 
John M. Drescher

Thannks for the reply.? Set the the reg key below and rebooted.? Issue still not
resolved.? From reading that post it looks like that was a fix for windows 7.?
Our windows 7 workstations and server 2008 can access samba shares, but xp and
server 2000 cannot.
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  DisablePasswordChange = dword:1
--- On Tue, 4/10/12, John Drescher <drescherjm at gmail.com> wrote:

From: John Drescher <drescherjm at gmail.com>
Subject: Re: [Samba] trust relationship between this workstation and the primary
domain failed
To: "clinton propst" <clintonpropst at yahoo.com>
Cc: samba at lists.samba.org
Date: Tuesday, April 10, 2012, 7:47 AM

On Tue, Apr 10, 2012 at 8:43 AM, clinton propst <clintonpropst at
yahoo.com> wrote:
> Samba shares work for windows 7 and Server 2008, but XP and Server 2000
recieve the following error when trying to map samba shares:
>
> "The trust relationship between this workstation and the primary
domain failed."
>
> tail -f /var/log/messages
> Apr 10 07:38:03 samba01 smbd[23581]:?? connect_to_domain_password_server:
unable to open the domain client session to machine ad1.strat.com. Error was :
NT_STATUS_ACCESS_DENIED.
> Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.788387,? 0]
rpc_client/cli_pipe.c:4163(cli_rpc_pipe_open_schannel)
> Apr 10 07:38:03 samba01 smbd[23581]:?? cli_rpc_pipe_open_schannel: failed
to get schannel session key from server ad1.strat.com for domain ARN.
> Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.788601,? 0]
auth/auth_domain.c:188(connect_to_domain_password_server)
> Apr 10 07:38:03 samba01 smbd[23581]:?? connect_to_domain_password_server:
unable to open the domain client session to machine ad1.strat.com. Error was :
NT_STATUS_ACCESS_DENIED.
> Apr 10 07:38:03 samba01 smbd[23581]: [2012/04/10 07:38:03.789152,? 0]
auth/auth_domain.c:289(domain_client_validate) Apr 10 07:38:03 samba01
smbd[23581]:?? domain_client_validate: Domain password server not available
>
> Samba 3.5.10
> RHEL 6.2
>
> Any help is appreciated.
http://lists.samba.org/archive/samba/2010-October/158591.html

-- 
John M. Drescher

On Tue, Apr 10, 2012 at 9:46 AM, clinton propst <clintonpropst at
yahoo.com>wrote:
>
> Thannks for the reply.  Set the the reg key below and rebooted.  Issue
> still not resolved.  From reading that post it looks like that was a fix
> for windows 7.  Our windows 7 workstations and server 2008 can access samba
> shares, but xp and server 2000 cannot.
>
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
>   DisablePasswordChange = dword:1
>
>
You have to re add all machines affected machines to the domain.

John

Still not working after readding machines to the domain.? Errors are the same as
originally posted in /var/log/messages.


--- On Tue, 4/10/12, John Drescher <drescherjm at gmail.com> wrote:

From: John Drescher <drescherjm at gmail.com>
Subject: Re: [Samba] trust relationship between this workstation and the primary
domain failed
To: "clinton propst" <clintonpropst at yahoo.com>
Cc: samba at lists.samba.org
Date: Tuesday, April 10, 2012, 9:09 AM



On Tue, Apr 10, 2012 at 9:46 AM, clinton propst <clintonpropst at
yahoo.com> wrote:


Thannks for the reply.? Set the the reg key below and rebooted.? Issue still not
resolved.? From reading that post it looks like that was a fix for windows 7.?
Our windows 7 workstations and server 2008 can access samba shares, but xp and
server 2000 cannot.

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  DisablePasswordChange = dword:1

You have to re add all machines affected machines to the domain.


John

> Still not working after readding machines to the domain.? Errors are the
> same as originally posted in /var/log/messages.
>
Please forget my advice. I thought you had a different problem. I
should not reply to posts while distracted.. I do not know how to
solve your issue.

John

Tcpdump from 2008 (works) and XP (not working) are different.? I noticed 2008
and windows 7 (working) smbclients keep all SMB traffic between the smbclient
and smbserver while XP and 2000 (not working) communicate SMB traffic between
SMBserver and AD server as well as SMBserver and SMBclient.? TCP dump from Samba
server below:

2008 (working)
smbclient SMBnegprot (REQUEST) -> smbserver
smbserver SMBnegprot (REPLY) -> smbclient
smbclient SMBsessionsetupX (REQUEST) -> smbserver
smbserver SRV _ldap...? and A? lookup -> DNS
DNS -> smbserver
smbserver -> AD
AD -> smbserver
smbserver SMBsesssetupX (REPLY) -> smbclient
smbclient SMBtconX (REQUEST) -> smbserver
smbserver SMBtconX (REPLY) -> smbclient
smbclient SMBtrans2 (REQUEST) -> smbserver
smbclient SMBtrans2 (REQUEST) -> smbserver
smbserver SMBtrans2 (REPLY) -> smbclient
smbserver SMBtrans2 (REPLY) -> smbclient
smbclient SMBntcreateX (REQUEST) -> smbserver
smbserver SMBntcreateX (REPLY) -> smbclient
smbserver SMBwriteX (REQUEST) -> smbclient
smbserver SMBwriteX (REPLY) -> smbclient
smbclient SMBreadx (REQUEST) -> smbserver
smbserver SMBntcreateX (REPLY) -> smbclient
smbclient SMBclose (REQUEST) -> smbserver
smbserver SMBclose (REPLY) -> smbclient

XP (Not working)
smbclient SMBnegprot (REQUEST) -> smbserver
smbserver SMBnegprot (REPLY) -> smbclient
smbclient SMBsessionsetupX (REQUEST) -> smbserver
smbserver SRV _ldap...? and A? lookup -> DNS
DNS -> smbserver
smbserver -> AD
AD -> smbserver
smbserver SMBnegprot (REQUEST) -> AD
AD SMBnegprot (REPLY) -> smbserver
smbserver SMBsessionsetupX (REQUEST) -> AD
AD SMBsessionsetupX (REPLY) -> smbserver
smbserver SMBtconX (REQUEST) -> AD
AD SMBtconX (REPLY) -> smbserver
smbserver SMBntcreateX (REQUEST) -> AD
AD SMBntcreateX (REPLY) -> smbserver
smbserver SMBtdis (REQUEST) -> AD
AD SMBtdis (REPLY) -> smbserver
smbserver SMBnegprot (REQUEST) -> AD
AD SMBnegprot (REPLY) -> smbserver
smbserver SMBsessionsetupX (REQUEST) -> AD
AD SMBsessionsetupX (REPLY) -> smbserver
smbserver SMBtconX (REQUEST) -> AD
AD SMBtconX (REPLY) -> smbserver
smbserver SMBntcreateX (REQUEST) -> AD
AD SMBntcreateX (REPLY) -> smbserver
smbserver SMBtdis (REQUEST) -> AD
AD SMBtdis (REPLY) -> smbserver
smbserver SMBsesssetupX (REPLY) -> smbclient.menandmice-lpm
smbclient.univ-appserver -> smbserver.http
smbserver.http -> smbclient.univ-appserver
smbclient.univ-appserver -> smbserver.http
smbserver.http -> smbclient.univ-appserver





--- On Tue, 4/17/12, clinton propst <clintonpropst at yahoo.com> wrote:

From: clinton propst <clintonpropst at yahoo.com>
Subject: Re: [Samba] trust relationship between this workstation and the primary
domain failed
To: "Ivan Ordonez" <iordonez at berkeley.edu>
Date: Tuesday, April 17, 2012, 2:19 PM

Ivan,
XP and 2000 Servers LAN MAN was set to LM & NTLM.? I reset an XP node to
'Send NTLMv2 response only\refuse LM & NTLM' and reboot and receive
the same errors.? Searching through tcpdump of failed attempt.

Clinton

--- On Tue, 4/10/12, Ivan Ordonez <iordonez at berkeley.edu> wrote:

From: Ivan Ordonez <iordonez at berkeley.edu>
Subject: Re: [Samba] trust relationship between this workstation and the primary
domain failed
To: "clinton propst" <clintonpropst at yahoo.com>
Date: Tuesday, April 10, 2012, 5:41 PM



  

    
  
    I believe the LAN MAN authentication level should be set to this.

    

    Send NTLMv2 response only\refuse LM & NTLM

    

    On 4/10/2012 2:25 PM, clinton propst wrote:
    
      
        
          
            Thanks for the
              Reply.? All of our smb clients (windows 7, server 2000,
              server 2008, xp) are set to require NTLMv2 and 128 bit
              encryption.? The windows 7 and server 2008 work fine.? Do
              you think we should try setting xp and 2000 nodes to
              NTLMv1?

              

              Thanks,

              Clinton

              

              --- On Tue, 4/10/12, Ivan Ordonez <iordonez at berkeley.edu>
              wrote:

              

                From: Ivan Ordonez <iordonez at berkeley.edu>

                Subject: Re: [Samba] trust relationship between this
                workstation and the primary domain failed

                To: "clinton propst" <clintonpropst at
yahoo.com>

                Date: Tuesday, April 10, 2012, 2:36 PM

                

                Have you try changing the NTLM
                  authentication level?

                  

                  On 4/10/2012 9:17 AM, clinton propst wrote:

                  > Still not working after readding machines to the
                  domain.? Errors are the same as originally posted in
                  /var/log/messages.

                  >

                  >

                  > --- On Tue, 4/10/12, John Drescher<drescherjm at
gmail.com>?
                  wrote:

                  >

                  > From: John Drescher<drescherjm at gmail.com>

                  > Subject: Re: [Samba] trust relationship between
                  this workstation and the primary domain failed

                  > To: "clinton propst"<clintonpropst at
yahoo.com>

                  > Cc: samba at lists.samba.org

                  > Date: Tuesday, April 10, 2012, 9:09 AM

                  >

                  >

                  >

                  > On Tue, Apr 10, 2012 at 9:46 AM, clinton
                  propst<clintonpropst at yahoo.com>?
                  wrote:

                  >

                  >

                  > Thannks for the reply.? Set the the reg key below
                  and rebooted.? Issue still not resolved.? From reading
                  that post it looks like that was a fix for windows 7.?
                  Our windows 7 workstations and server 2008 can access
                  samba shares, but xp and server 2000 cannot.

                  >

                  >
                  HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

                  >? ? DisablePasswordChange = dword:1

                  >

                  > You have to re add all machines affected machines
                  to the domain.

                  >

                  >

                  > John

                  >