Hi all,

Earlier I emailed the list on some issues I was having with Windows 7, and one of those issues was the trust relationship breaking down after one month. I think I have some more light to shed on this topic.

First, some environmental facts:

I am running Ubuntu Karmic 9.10 with Samba 3.4.0-3ubuntu5.1.
I have installed the latest LDAP schema into OpenLDAP 2.4.18-0ubuntu1.
I have a working LDAP directory with users and machine trust accounts. This is continuing to work flawlessly with XP clients.
I have applied the two registry hacks to my Windows 7 workstations to enable legacy domains and to turn off the DNS resolution requirement.

When I join the domain, everything happens as advertised, and I do get the error message from Windows 7 about DNS that I read on wiki.samba.org can be safely ignored. Immediately after joining the domain, and after the mandatory reboot, I can log in as advertised. However, after a period of time (not sure how long), the Windows 7 clients start using their cached credentials and no longer communicate properly with the Samba PDC. After a period of about 1 month, the clients no longer use their cached credentials, as they probably expire, and then I can no longer log in, with the message that "The trust relationship between this workstation and the primary domain failed."

After some digging, I noticed that the problem in the machine's log file was that the machine trust account could not be found.
[2009/12/07 19:33:13, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user []\[]@[AC-1391] with the new password interface
[2009/12/07 19:33:13, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN]\[]@[AC-1391]
[2009/12/07 19:33:13, 3] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2009/12/07 19:33:13, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:33:13, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
[2009/12/07 19:33:13, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:33:13, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client AC-1391 machine account AC-1391$
[2009/12/07 19:33:26, 0] lib/util_sock.c:537(read_socket_with_timeout)
[2009/12/07 19:33:26, 0] lib/util_sock.c:1468(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

The interesting line there is "Failed to find Unix account for ac-1391$". This implies that the account is missing, but when I look at the LDAP directory with my browser, it is there. Now it gets interesting... At the time I am trying to log in, I get the following in /var/log/syslog:

Dec 7 19:46:27 server slapd[2514]: conn=184 op=2 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)

Invalid dn indeed. sambaDomainName=DOMAIN,dc=domain,dc=local exists, but sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local does not.
Does anyone know why Samba would be performing this as a lookup? I have seen other people with these symptoms, but I have not been able to find an answer.

aF
Just for completeness, when I successfully join the domain I get the following in /var/log/syslog:

Dec 7 19:50:33 percy slapd[2514]: conn=219 op=6 do_bind: invalid dn (NTLM)
Dec 7 19:50:33 percy slapd[2514]: conn=220 op=6 do_bind: invalid dn (NTLM)
Dec 7 19:50:34 percy dhcpd: DHCPREQUEST for 192.168.0.114 from 00:1c:c0:57:b4:9d (AC-1391) via eth0
Dec 7 19:50:34 percy dhcpd: DHCPACK on 192.168.0.114 to 00:1c:c0:57:b4:9d (AC-1391) via eth0
Dec 7 19:50:34 percy slapd[2514]: conn=218 op=27 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)

and I get the following in the machine's samba log:

[2009/12/07 19:50:34, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:50:41, 0] smbd/map_username.c:140(map_username)
  can't open username map /etc/samba/smbusers. Error No such file or directory
[2009/12/07 19:50:41, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: Checking password for unmapped user [DOMAIN]\[AC-1391$]@[AC-1391] with the new password interface
[2009/12/07 19:50:41, 3] auth/auth.c:225(check_ntlm_password)
  check_ntlm_password: mapped user is: [DOMAIN]\[AC-1391$]@[AC-1391]
[2009/12/07 19:50:41, 0] passdb/pdb_get_set.c:210(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for ac-1391$
[2009/12/07 19:50:41, 1] auth/auth_sam.c:178(sam_account_ok)
  sam_account_ok: Account for user 'ac-1391$' password expired!.
[2009/12/07 19:50:41, 1] auth/auth_sam.c:179(sam_account_ok)
  sam_account_ok: Password expired at 'Mon, 07 Dec 2009 19:50:34 EST' (1260175834) unix time.
[2009/12/07 19:50:41, 3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [DOMAIN] was for this SAM.
[2009/12/07 19:50:41, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [AC-1391$] -> [AC-1391$] FAILED with error NT_STATUS_PASSWORD_EXPIRED

aF
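As an added diagnostic (not code from the post, from Samba or from OpenLDAP), the script below parses the two kinds of log excerpt Alex quoted: it pairs each Samba log header with its indented message line, reports how many seconds before the failing logon the machine trust account's password was marked expired, and flags slapd do_search DNs that contain an empty RDN value such as "sambaDomainName=". The log text is a constructed copy of the quoted lines.

```python
import re
from datetime import datetime

# Constructed excerpts reproducing the lines quoted in the post (not live captures).
SAMBA_LOG = """\
[2009/12/07 19:50:41, 1] auth/auth_sam.c:178(sam_account_ok)
  sam_account_ok: Account for user 'ac-1391$' password expired!.
[2009/12/07 19:50:41, 1] auth/auth_sam.c:179(sam_account_ok)
  sam_account_ok: Password expired at 'Mon, 07 Dec 2009 19:50:34 EST' (1260175834) unix time.
[2009/12/07 19:50:41, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [AC-1391$] -> [AC-1391$] FAILED with error NT_STATUS_PASSWORD_EXPIRED
"""
SLAPD_LOG = """\
Dec 7 19:50:33 percy slapd[2514]: conn=219 op=6 do_bind: invalid dn (NTLM)
Dec 7 19:50:34 percy slapd[2514]: conn=218 op=27 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)
"""
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")

def parse_samba_log(text):
    """Pair each '[timestamp, level] origin' header with its indented message line."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append([datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(3), ""])
        elif entries and line.startswith(" "):
            entries[-1][2] += line.strip()
    return entries

def expired_machine_accounts(entries):
    """Map each trust account rejected as expired to the seconds between the recorded
    expiry and the failing logon; a near-zero gap means the expiry was set at join time."""
    pending, out = None, {}
    for ts, _origin, msg in entries:
        m = re.search(r"Account for user '([^']+\$)' password expired", msg)
        if m:
            pending = (m.group(1), ts)   # remember the account until its expiry line arrives
            continue
        m = re.search(r"Password expired at '([^']+) [A-Z]{3,4}'", msg)
        if m and pending:
            expired_at = datetime.strptime(m.group(1), "%a, %d %b %Y %H:%M:%S")
            out[pending[0]] = int((pending[1] - expired_at).total_seconds())
            pending = None
    return out

def empty_rdn_lookups(text):
    """Return DNs slapd rejected in do_search because an RDN has an empty value;
    do_bind rejections such as '(NTLM)' are not searches and are skipped."""
    dns = re.findall(r"do_search: invalid dn \(([^)]*)\)", text)
    return [dn for dn in dns if any(rdn.endswith("=") for rdn in dn.split(","))]
```

On the quoted lines it reports that ac-1391$ expired 7 seconds before the failing logon and that the only bad search DN is the one with the empty sambaDomainName RDN.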
Alex Ferrara wrote:
> Does anyone know why Samba would be performing this as a lookup? I have seen other people with these symptoms, but I have not been able to find an answer.
>
> aF

I asked about similar error logs a while ago, using tdb files and Samba 3.3.9 (http://lists.samba.org/archive/samba/2009-November/152126.html). Have not yet seen Win 7 being rejected after a month, but it's been less than a month since I started testing it. I would also like to know what's happening.

Moray.

"To err is human. To purr, feline."