Claudio Prono
2010-Sep-29 15:09 UTC
[Samba] Problems Windows 7 64 Bit joining a Samba + Ldap domain
Hello all,

I am doing some tests with Windows 7 and a Samba Domain, but into a
working SAMBA domain, where Windows XP joins without problems, when I
try with 7 I receive an error like "The trust relationship between this
workstation and the primary domain failed.". I use OpenSuSE 11.3 with
samba 3.5.4-5.1.2 and openldap 2.4.21-9.1.

My config of samba:

[global]
    workgroup = MEDIATEST.LOCAL
    netbios name = MEDIADC
    map to guest = Bad User
    passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
    log level = 2
    printcap name = cups
    add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
    delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
    add group script = /usr/sbin/ldapsmb -a -g "%g" -f
    delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
    add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
    delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
    add machine script = "/usr/sbin/ldapsmb -a -i -wks %u -f"
    logon path = \\afs\mediaservice-test.pri\users\%U\.msprofile
    logon drive = P:
    logon home = \\afs\mediaservice-test.pri\%U\.9xprofile
    domain logons = Yes
    os level = 99
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
    ldap group suffix = ou=group
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Machines
    ldap passwd sync = yes
    ldap suffix = dc=mediaservice-test,dc=pri
    ldap ssl = no
    ldap user suffix = ou=people
    usershare allow guests = Yes
    idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
    cups options = raw

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    read only = No
    inherit acls = Yes
    browseable = No

[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    create mask = 0600
    directory mask = 0700
    store dos attributes = Yes

[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/

[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes

[printers]
    comment = All Printers
    path = /var/tmp
    create mask = 0600
    printable = Yes
    browseable = No

[print$]
    comment = Printer Drivers
    path = /var/lib/samba/drivers
    write list = @ntadmin, root
    force group = ntadmin
    create mask = 0664
    directory mask = 0775

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    write list = root

I have modified these registry keys on Windows 7 with no luck:

HKLM\System\CCS\Services\LanmanWorkstation\Parameters
    DWORD DomainCompatibilityMode = 1
    DWORD DNSNameResolutionRequired = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters
    DWORD RequireSignOrSeal?= 1
    DWORD RequireStrongKey= 1

I have also tried to sync the date and time of the server and the client
with the same timeserver.

Here is the smb log:

[2010/09/29 16:00:12.002747, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/09/29 16:00:12.050876, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/09/29 16:00:12.051737, 2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/09/29 16:00:12.055201, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: pasquale-nb$
[2010/09/29 16:00:12.058927, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [PASQUALE-NB$] -> [PASQUALE-NB$] -> [pasquale-nb$] succeeded
[2010/09/29 16:00:54.035612, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2010/09/29 16:00:54.036172, 0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/09/29 16:01:37.612787, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/09/29 16:01:37.614813, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/09/29 16:01:37.615403, 2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/09/29 16:01:37.628754, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: pasquale-nb$
[2010/09/29 16:01:37.641996, 2] ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
  credentials check failed
[2010/09/29 16:01:37.642095, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PASQUALE-NB machine account PASQUALE-NB$
[2010/09/29 16:01:37.646000, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: pasquale-nb$
[2010/09/29 16:01:37.647148, 2] ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
  credentials check failed
[2010/09/29 16:01:37.647215, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PASQUALE-NB machine account PASQUALE-NB$

If it can be useful, when I added the machine to the domain, I got an
error with the DNS.

Any help is very appreciated.

Cordially,

Claudio Prono.

-- 
Claudio Prono            OPST
System Developer         Gsm: +39-349-54.33.258
@PSS Srl                 Tel: +39-011-32.72.100
Via San Bernardino, 17   Fax: +39-011-32.46.497
10141 Torino - ITALY     http://atpss.net/disclaimer
PGP Key - http://keys.atpss.net/c_prono.asc

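The pattern in the log above (the machine account passes check_ntlm_password, then _netr_ServerAuthenticate3 rejects it) can be pulled out of a longer smbd log at log level 2 with a short script. This is an added example, not part of the original posts; the sample log is constructed in the same layout, and the host names WS01/WS02 are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the smbd log quoted in the post
# (header line, then indented message); WS01/WS02 are made-up hosts.
SAMPLE_LOG = """\
[2010/09/29 16:00:12.058927,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [WS01$] -> [WS01$] -> [ws01$] succeeded
[2010/09/29 16:00:54.035612,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2010/09/29 16:01:37.641996,  2] ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
  credentials check failed
[2010/09/29 16:01:37.642095,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
  auth request from client WS01 machine account WS01$
[2010/09/29 16:02:01.000000,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [WS02$] -> [WS02$] -> [ws02$] succeeded
"""

HEADER = re.compile(r"^\[([\d/]+ [\d:.]+),\s*(\d+)\]\s+\S+\((\w+)\)\s*$")
NTLM_OK = re.compile(r"authentication for user \[([^\]]+\$)\].*succeeded")
REJECTED = re.compile(r"Rejecting auth request from client \S+ machine account (\S+)")

def parse_records(text):
    """Yield (timestamp, level, function, message) for each log record."""
    rec = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                       # a header starts a new record
            if rec:
                yield rec[0], rec[1], rec[2], " ".join(rec[3])
            rec = (m.group(1), int(m.group(2)), m.group(3), [])
        elif rec and line.strip():  # continuation lines belong to the open record
            rec[3].append(line.strip())
    if rec:
        yield rec[0], rec[1], rec[2], " ".join(rec[3])

def summarize(text):
    """Count, per machine account, NTLM successes and NETLOGON rejections."""
    stats = defaultdict(lambda: {"ntlm_ok": 0, "netlogon_rejected": 0})
    for _ts, _level, func, msg in parse_records(text):
        if func == "check_ntlm_password" and (m := NTLM_OK.search(msg)):
            stats[m.group(1).lower()]["ntlm_ok"] += 1
        elif func == "_netr_ServerAuthenticate3" and (m := REJECTED.search(msg)):
            stats[m.group(1).lower()]["netlogon_rejected"] += 1
    return dict(stats)

def secure_channel_failures(text):
    """Accounts that passed NTLM session setup yet were rejected by NETLOGON."""
    return sorted(a for a, s in summarize(text).items()
                  if s["ntlm_ok"] and s["netlogon_rejected"])

if __name__ == "__main__":
    print(secure_channel_failures(SAMPLE_LOG))
```

An account listed by secure_channel_failures() exists in the passdb and authenticates at session setup, so the failure is confined to the NETLOGON credential exchange for that machine account.
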
Hachi
2010-Oct-04 09:24 UTC
[Samba] Problems Windows 7 64 Bit joining a Samba + Ldap domain
Hello Claudio,

it might not fit your problem, but I had problems accessing Samba from
Win 7 after XP was no problem. It turned out that Win 7 needs the
domain part when you log in. So $sambapc\$username as login name worked.
At least it's worth a try.

kind regards,
Hachi

On 29.09.2010 17:09, Claudio Prono wrote:
> Hello all,
>
> I am doing some tests with Windows 7 and a Samba Domain, but into a
> working SAMBA domain, where Windows XP joins without problems, when I
> try with 7 I receive an error like "The trust relationship between this
> workstation and the primary domain failed.". I use OpenSuSE 11.3 with
> samba 3.5.4-5.1.2 and openldap 2.4.21-9.1.
>
> My config of samba:
>
> [global]
>     workgroup = MEDIATEST.LOCAL
>     netbios name = MEDIADC
>     map to guest = Bad User
>     passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>     log level = 2
>     printcap name = cups
>     add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct
>         --makehomedir --homedir /home/%u -f
>     delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
>     add group script = /usr/sbin/ldapsmb -a -g "%g" -f
>     delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
>     add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
>     delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g
>         "%g" -f
>     add machine script = "/usr/sbin/ldapsmb -a -i -wks %u -f"
>     logon path = \\afs\mediaservice-test.pri\users\%U\.msprofile
>     logon drive = P:
>     logon home = \\afs\mediaservice-test.pri\%U\.9xprofile
>     domain logons = Yes
>     os level = 99
>     preferred master = Yes
>     domain master = Yes
>     wins support = Yes
>     ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>     ldap group suffix = ou=group
>     ldap idmap suffix = ou=Idmap
>     ldap machine suffix = ou=Machines
>     ldap passwd sync = yes
>     ldap suffix = dc=mediaservice-test,dc=pri
>     ldap ssl = no
>     ldap user suffix = ou=people
>     usershare allow guests = Yes
>     idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>     cups options = raw
>
> [homes]
>     comment = Home Directories
>     valid users = %S, %D%w%S
>     read only = No
>     inherit acls = Yes
>     browseable = No
>
> [profiles]
>     comment = Network Profiles Service
>     path = %H
>     read only = No
>     create mask = 0600
>     directory mask = 0700
>     store dos attributes = Yes
>
> [users]
>     comment = All users
>     path = /home
>     read only = No
>     inherit acls = Yes
>     veto files = /aquota.user/groups/shares/
>
> [groups]
>     comment = All groups
>     path = /home/groups
>     read only = No
>     inherit acls = Yes
>
> [printers]
>     comment = All Printers
>     path = /var/tmp
>     create mask = 0600
>     printable = Yes
>     browseable = No
>
> [print$]
>     comment = Printer Drivers
>     path = /var/lib/samba/drivers
>     write list = @ntadmin, root
>     force group = ntadmin
>     create mask = 0664
>     directory mask = 0775
>
> [netlogon]
>     comment = Network Logon Service
>     path = /var/lib/samba/netlogon
>     write list = root
>
> I have modified these registry keys on Windows 7 with no luck:
>
> HKLM\System\CCS\Services\LanmanWorkstation\Parameters
>     DWORD DomainCompatibilityMode = 1
>     DWORD DNSNameResolutionRequired = 0
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters
>     DWORD RequireSignOrSeal?= 1
>     DWORD RequireStrongKey= 1
>
> I have also tried to sync the date and time of the server and the client
> with the same timeserver.
>
> Here is the smb log:
>
> [2010/09/29 16:00:12.002747, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>   all old resources.
> [2010/09/29 16:00:12.050876, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>   all old resources.
> [2010/09/29 16:00:12.051737, 2] lib/smbldap.c:950(smbldap_open_connection)
>   smbldap_open_connection: connection opened
> [2010/09/29 16:00:12.055201, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>   init_sam_from_ldap: Entry found for user: pasquale-nb$
> [2010/09/29 16:00:12.058927, 2] auth/auth.c:304(check_ntlm_password)
>   check_ntlm_password: authentication for user [PASQUALE-NB$] ->
>   [PASQUALE-NB$] -> [pasquale-nb$] succeeded
> [2010/09/29 16:00:54.035612, 0] lib/util_sock.c:474(read_fd_with_timeout)
> [2010/09/29 16:00:54.036172, 0]
> lib/util_sock.c:1432(get_peer_addr_internal)
>   getpeername failed. Error was Transport endpoint is not connected
>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
>   peer.
> [2010/09/29 16:01:37.612787, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>   all old resources.
> [2010/09/29 16:01:37.614813, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
>   all old resources.
> [2010/09/29 16:01:37.615403, 2] lib/smbldap.c:950(smbldap_open_connection)
>   smbldap_open_connection: connection opened
> [2010/09/29 16:01:37.628754, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>   init_sam_from_ldap: Entry found for user: pasquale-nb$
> [2010/09/29 16:01:37.641996, 2]
> ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
>   credentials check failed
> [2010/09/29 16:01:37.642095, 0]
> rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
>   Rejecting auth request from client PASQUALE-NB machine account PASQUALE-NB$
> [2010/09/29 16:01:37.646000, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>   init_sam_from_ldap: Entry found for user: pasquale-nb$
> [2010/09/29 16:01:37.647148, 2]
> ../libcli/auth/credentials.c:306(netlogon_creds_server_check_internal)
>   credentials check failed
> [2010/09/29 16:01:37.647215, 0]
> rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
>   Rejecting auth request from client PASQUALE-NB machine account PASQUALE-NB$
>
>
> If it can be useful, when I added the machine to the domain, I
> got an error with the DNS.
>
> Any help is very appreciated.
>
> Cordially,
>
> Claudio Prono.
>