Hi all,

About 18 months ago I connected 14 new Windows 7 PCs to a Centos5.1 server with samba3x as domain members. There are no other servers on site.
Today, I had to visit to connect up a PC in a new location. As I would normally do, I checked for Centos updates and found 35 outstanding, including samba3x 3.6.23-12.el5_11 and samba3x-client, samba3x-common, samba3x-doc, samba3x-domainjoin-gui, samba3x-swat, samba3x-winbind, samba3x-winbind-devel.

Having completed the cabling, I tried to log the PC in but received 'trust relationship between this workstation and primary domain failed'. Several times I removed it from the domain and added it back again - this made no difference. I noted the time on the PC was 7 minutes out from the server, so corrected that, removed from the domain, added it in again but had the same message.
Thinking it was just related to this PC, I left it configured as a workgroup member, created a new local user to match the domain username it had been using and connected it to the server shares.

Then I went to another PC which had an unrelated issue which needed attention, but when I tried to log on to the domain I received the same domain trust failure message.
Only then did I suspect that the samba3x update may have been the cause, so I removed it and installed 3x 3.6.23-9 - now when I tried to log in I get "there are no login servers available to service the login request".

As other users were complaining about losing access to the server shares, I then had to visit every PC, remove each of them from the domain into a workgroup, create a local user on each to match the samba username and copy the profile. Needless to say, a job which should have taken 1 to 2 hours took 7.

I still have no idea why the problem occurred. Is there an issue with the latest samba update? All I could find online was that the update related to a fix for badlock vulnerability.

Peter Lawrie

On 06/17/2016 4:31 PM, peter lawrie wrote:
> Hi all
> About 18 months ago I connected 14 new Windows 7 PCs to a Centos5.1 server
> with samba3x as domain members. There are no other servers on site.
> Today, I had to visit to connect up a PC in a new location. As I would
> normally do I checked for Centos updates and found 35 outstanding including
> samba3x 3.6.23-12.el5_11 and samba3x-client, samba3x-common, samba3x-doc,
> samba3x-domainjoin-gui, samba3x-swat, samba3x-winbind, samba3x-winbind-devel
>
> Having completed the cabling I tried to log the PC in but received 'trust
> relationship between this workstation and primary domain failed'. Several
> times I removed it from the domain and added it back again - this made no
> difference. I noted the time on the PC was 7 minutes out from the server,
> so corrected that, removed from the domain, added it in again but had the
> same message.
> Thinking it was just related to this PC, I left it configured as a
> workgroup member, created a new local user to match the domain username it
> had been using and connected it to the server shares.
>
> Then I went to another PC which had an unrelated issue which needed
> attention but when I tried to logon to the domain received the same domain
> trust failure message.
> Only then did I suspect that the samba3x update may have been the cause so
> I removed it installed 3x 3.6.23-9 - now when I tried to login I get "there
> are no login servers available to service the login request"
>
> As other users were complaining about losing access to the server shares, I
> then had to visit every PC, remove each of them from the domain into a
> workgroup, create a local user on each to match the samba username and copy
> the profile. Needless to say, a job which should have taken 1 to 2 hours
> took 7.
>
> I still have no idea why the problem occurred, is there an issue with the
> latest samba update. All I could find online was that the update related to
> a fix for badlock vulnerability.
> Peter Lawrie

Peter,

The badlock patches have been a big problem for Samba classic domains. Many have posted asking for help, but I have seen no solution presented on this list; i.e. the silence is deafening. It may be that NT4 classic domains will not work going forward.

For example, refer to the post by Peter Tuharsky:
http://www.spinics.net/lists/samba/msg134710.html

In all actuality, Samba 4.3.x pre-badlock had already broken classic ldap domains.

So, if anyone has a working Samba/openldap NT4 classic domain post-badlock patches, would you please share your config to help these people?

And, if you have a working 4.3 or 4.4 classic domain config, please help me out.

Thanks,
Dale

On 20/06/16 19:53, Dale Schroeder wrote:
> On 06/17/2016 4:31 PM, peter lawrie wrote:
>> Hi all
>> About 18 months ago I connected 14 new Windows 7 PCs to a Centos5.1
>> server
>> with samba3x as domain members. There are no other servers on site.
>> Today, I had to visit to connect up a PC in a new location. As I would
>> normally do I checked for Centos updates and found 35 outstanding
>> including
>> samba3x 3.6.23-12.el5_11 and samba3x-client, samba3x-common,
>> samba3x-doc,
>> samba3x-domainjoin-gui, samba3x-swat, samba3x-winbind,
>> samba3x-winbind-devel
>>
>> Having completed the cabling I tried to log the PC in but received
>> 'trust
>> relationship between this workstation and primary domain failed'.
>> Several
>> times I removed it from the domain and added it back again - this
>> made no
>> difference. I noted the time on the PC was 7 minutes out from the
>> server,
>> so corrected that, removed from the domain, added it in again but had
>> the
>> same message.
>> Thinking it was just related to this PC, I left it configured as a
>> workgroup member, created a new local user to match the domain
>> username it
>> had been using and connected it to the server shares.
>>
>> Then I went to another PC which had an unrelated issue which needed
>> attention but when I tried to logon to the domain received the same
>> domain
>> trust failure message.
>> Only then did I suspect that the samba3x update may have been the
>> cause so
>> I removed it installed 3x 3.6.23-9 - now when I tried to login I get
>> "there
>> are no login servers available to service the login request"
>>
>> As other users were complaining about losing access to the server
>> shares, I
>> then had to visit every PC, remove each of them from the domain into a
>> workgroup, create a local user on each to match the samba username
>> and copy
>> the profile. Needless to say, a job which should have taken 1 to 2 hours
>> took 7.
>>
>> I still have no idea why the problem occurred, is there an issue with
>> the
>> latest samba update. All I could find online was that the update
>> related to
>> a fix for badlock vulnerability.
>> Peter Lawrie
> Peter,
>
> The badlock patches have been a big problem for Samba classic
> domains. Many have posted asking for help, but I have seen no
> solution presented on this list; i.e. the silence is deafening. It may
> be that NT4 classic domains will not work going forward.
>
> For example, refer to the post by Peter Tuharsky:
> http://www.spinics.net/lists/samba/msg134710.html
>
> In all actuality, Samba 4.3.x pre-badlock had already broken classic
> ldap domains.

I did some testing before the badlock patches and did manage to get an ldap based NT4 PDC running and connected a Unix client to it, but this was a test domain and it didn't use smbldap-tools. I think one of the problems is that nobody has logged a bug report for this problem, so nobody is looking into it. Another problem is that Windows is trying to deter the use of NT4-style domains; it is my understanding that Win10 will not connect to one out-of-the-box. They could (and probably will) make the use of NT4 domains impossible at any time.

Rowland

>
> So, if anyone has a working Samba/openldap NT4 classic domain
> post-badlock patches, would you please share your config to help these
> people?
>
> And, if you have a working 4.3 or 4.4 classic domain config, please
> help me out.
>
> Thanks,
> Dale