Claudio Prono
2010-Sep-30 07:50 UTC
[Samba] Problems joining a samba domain with windows 7
Hello all,

I am doing some tests with Windows 7 and a Samba Domain, but into a working SAMBA domain, where windows XP joins without problems, when I try with 7 I receive an error like "The trust relationship between this workstation and the primary domain failed.". I use OpenSuSE 11.3 with samba 3.5.4-5.1.2 and openldap 2.4.21-9.1.

My config of samba:

[global]
    workgroup = MEDIATEST.LOCAL
    netbios name = MEDIADC
    map to guest = Bad User
    passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
    log level = 2
    printcap name = cups
    add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
    delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
    add group script = /usr/sbin/ldapsmb -a -g "%g" -f
    delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
    add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
    delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
    add machine script = "/usr/sbin/ldapsmb -a -i -wks %u -f"
    logon path = \\afs\mediaservice-test.pri\users\%U\.msprofile
    logon drive = P:
    logon home = \\afs\mediaservice-test.pri\%U\.9xprofile
    domain logons = Yes
    os level = 99
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
    ldap group suffix = ou=group
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Machines
    ldap passwd sync = yes
    ldap suffix = dc=mediaservice-test,dc=pri
    ldap ssl = no
    ldap user suffix = ou=people
    usershare allow guests = Yes
    idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
    cups options = raw

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    read only = No
    inherit acls = Yes
    browseable = No

[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    create mask = 0600
    directory mask = 0700
    store dos attributes = Yes

[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/

[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes

[printers]
    comment = All Printers
    path = /var/tmp
    create mask = 0600
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin, root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    write list = root

I have modified these registry keys on Windows 7 with no luck:

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
    DWORD DomainCompatibilityMode = 1
    DWORD DNSNameResolutionRequired = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters
    DWORD RequireSignOrSeal?= 1
    DWORD RequireStrongKey= 1

I have also tried to sync the date and time of the server and the client with the same timeserver.

Here is the smb log:

[2010/09/29 16:00:12.002747, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/09/29 16:00:12.050876, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/09/29 16:00:12.051737, 2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/09/29 16:00:12.055201, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: pasquale-nb$
[2010/09/29 16:00:12.058927, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [PASQUALE-NB$] -> [PASQUALE-NB$] -> [pasquale-nb$] succeeded
[2010/09/29 16:00:54.035612, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2010/09/29 16:00:54.036172, 0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/09/29 16:01:37.612787, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/09/29 16:01:37.614813, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/09/29 16:01:37.615403, 2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/09/29 16:01:37.628754, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: pasquale-nb$
[2010/09/29 16:01:37.641996, 2] ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
  credentials check failed
[2010/09/29 16:01:37.642095, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PASQUALE-NB machine account PASQUALE-NB$
[2010/09/29 16:01:37.646000, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: pasquale-nb$
[2010/09/29 16:01:37.647148, 2] ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
  credentials check failed
[2010/09/29 16:01:37.647215, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PASQUALE-NB machine account PASQUALE-NB$

If it can be useful, when I added the machine to the domain, I got an error with the DNS.

Any help is very appreciated.

Cordially,

Claudio Prono.

--
--------------------------------------------------------------------------------
Claudio Prono                     OPST
System Developer                  Gsm: +39-349-54.33.258
@PSS Srl                          Tel: +39-011-32.72.100
Via San Bernardino, 17            Fax: +39-011-32.46.497
10141 Torino - ITALY              http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
John Drescher
2010-Sep-30 12:06 UTC
[Samba] Problems joining a samba domain with windows 7
On Thu, Sep 30, 2010 at 3:50 AM, Claudio Prono <claudio.prono at atpss.net> wrote:
> Hello all,
>
> I am doing some tests with Windows 7 and a Samba Domain, but into a
> working SAMBA domain, where windows XP joins without problems, when I
> try with 7 I receive an error like "The trust relationship between this
> workstation and the primary domain failed.". I use OpenSuSE 11.3 with
> samba 3.5.4-5.1.2 and openldap 2.4.21-9.1.
>

Have you applied the registry patch on the windows 7 machine from the samba wiki?

http://wiki.samba.org/index.php/Windows7

John
John Drescher
2010-Sep-30 12:08 UTC
[Samba] Problems joining a samba domain with windows 7
On Thu, Sep 30, 2010 at 8:06 AM, John Drescher <drescherjm at gmail.com> wrote:
> On Thu, Sep 30, 2010 at 3:50 AM, Claudio Prono <claudio.prono at atpss.net> wrote:
>> Hello all,
>>
>> I am doing some tests with Windows 7 and a Samba Domain, but into a
>> working SAMBA domain, where windows XP joins without problems, when I
>> try with 7 I receive an error like "The trust relationship between this
>> workstation and the primary domain failed.". I use OpenSuSE 11.3 with
>> samba 3.5.4-5.1.2 and openldap 2.4.21-9.1.
>>
>
> Have you applied the registry patch on the windows 7 machine from the
> samba wiki?
>
> http://wiki.samba.org/index.php/Windows7

Sorry, I see that you did that. Do you have only 1 domain controller? Or, to get to the point: are all domain controllers 3.3 or higher, and have you restarted them all after the update?

John
Claudio Prono
2010-Sep-30 13:29 UTC
[Samba] Problems joining a samba domain with windows 7
John Drescher wrote:
> On Thu, Sep 30, 2010 at 8:06 AM, John Drescher <drescherjm at gmail.com> wrote:
>
>> On Thu, Sep 30, 2010 at 3:50 AM, Claudio Prono <claudio.prono at atpss.net> wrote:
>>
>>> Hello all,
>>>
>>> I am doing some tests with Windows 7 and a Samba Domain, but into a
>>> working SAMBA domain, where windows XP joins without problems, when I
>>> try with 7 I receive an error like "The trust relationship between this
>>> workstation and the primary domain failed.". I use OpenSuSE 11.3 with
>>> samba 3.5.4-5.1.2 and openldap 2.4.21-9.1.
>>>
>>
>> Have you applied the registry patch on the windows 7 machine from the
>> samba wiki?
>>
>> http://wiki.samba.org/index.php/Windows7
>>
>
> Sorry I see that you did that. Do you have only 1 domain controller?
> Or to get to the point. Are all domain controllers 3.3 or higher and
> have you restarted them all after the update?
>
> John
>

Solved! The problem is I have touched more registry keys than needed. I have reset these two keys:

HKLM\System\CCS\Services\Netlogon\Parameters
    DWORD RequireSignOrSeal = 1
    DWORD RequireStrongKey = 1

And the join is going well!

Thanks!

Claudio.
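
A triage helper for the smbd log posted in the first message, added here as an example (it is not part of the thread and is not Samba code): it pairs each log header with its message line and reports machine accounts whose NTLM session setup succeeded but whose netlogon credential check was rejected, which is the pattern PASQUALE-NB$ shows. The function names and the OTHER-PC$ record are constructed, and the two-line record layout (header, then indented message) is an assumption about how the log looked before the archive flattened it.

```python
import re
from collections import defaultdict

# Assumed Samba 3.x record layout: "[timestamp, level] file.c:line(function)" then message lines.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s+\S+:\d+\((\w+)\)")
NTLM_OK = re.compile(r"authentication for user \[([^\]]+)\].*succeeded")
REJECTED = re.compile(r"netlogon_creds_server_check failed\. Rejecting auth request "
                      r"from client (\S+) machine account (\S+)")

# Sample input: records taken from the log in the first message, plus one
# constructed record (OTHER-PC$) so the filter has an account to exclude.
SAMPLE_LOG = """\
[2010/09/29 16:00:12.058927,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [PASQUALE-NB$] -> [PASQUALE-NB$] -> [pasquale-nb$] succeeded
[2010/09/29 16:00:30.000000,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [OTHER-PC$] -> [OTHER-PC$] -> [other-pc$] succeeded
[2010/09/29 16:01:37.641996,  2] ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
  credentials check failed
[2010/09/29 16:01:37.642095,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PASQUALE-NB machine account PASQUALE-NB$
[2010/09/29 16:01:37.647215,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PASQUALE-NB machine account PASQUALE-NB$
"""

def parse_records(text):
    """Group each header line with its continuation lines: (ts, level, func, message)."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(3), ""])
        elif records and line.strip():
            records[-1][3] = (records[-1][3] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def netlogon_rejections(text):
    """Per rejected machine account: NTLM successes, rejection count, first/last rejection time."""
    stats = defaultdict(lambda: {"ntlm_ok": 0, "rejected": 0, "first": None, "last": None})
    for ts, _level, _func, msg in parse_records(text):
        ok, rej = NTLM_OK.search(msg), REJECTED.search(msg)
        if ok:
            stats[ok.group(1).upper()]["ntlm_ok"] += 1
        if rej:
            s = stats[rej.group(2).upper()]
            s["rejected"] += 1
            s["first"] = s["first"] or ts
            s["last"] = ts
    return {acct: s for acct, s in stats.items() if s["rejected"]}
```

Calling `netlogon_rejections()` on the text of a real log file returns one entry per machine account that was rejected at `_netr_ServerAuthenticate3`, with the NTLM success count alongside for comparison.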