Thanks to both of you - exactly the piece I was missing.

-----Original Message-----
From: tms3 at tms3.com [mailto:tms3 at tms3.com]
Sent: Monday, January 10, 2011 12:52 PM
To: Christ Schlacta
Cc: samba at lists.samba.org
Subject: Re: [Samba] Reestablishing trust with PDC

> you haven't tried experimenting with backing up and restoring the
> samba password cache. look in /var/*/samba and /var/*/*/samba for
> files related to the password cache to backup and restore.

If you use LDAP this problem goes away. If you're using tdb's then moving
the tdb's and using the same Samba revision should do it...IIRC

> On 1/10/2011 10:45, Devon Crouse wrote:
>>
>> I often change configurations in a home server environment, and have
>> scripts to back up all config files etc. - on a fresh OS install I
>> can quickly restore function of all the services I'm running.
>>
>> I'm using version 3.4.7 as a PDC on Ubuntu with 4 Windows 7 clients.
>> I can restore smb.conf which gets the file shares and server configuration
>> back, but I lose the trust relationship with the clients and I can't
>> figure out how to get it back (short of completely clearing all the
>> profiles and dropping/adding to the domain.) I'm making the
>> following assumptions:
>>
>> - There must be some sort of signature for the Samba/OS
>>   installation that changes
>> - This signature must be recorded in Windows somewhere for it to
>>   validate the relationship (like known_hosts)
>>
>> I've tried the following in just about every order you can imagine:
>>
>> - Modifying/removing the profile registry entries in Windows
>> - Removing/restoring the user directory in Windows
>> - Removing/restoring the profile.v2 directory in Ubuntu
>> - Experimenting with various local policy settings in Windows
>> - Re-adding client to the domain
>> - Using smbpasswd to recreate the users
>>
>> There must be something I can backup/change to retain/reestablish the
>> trust relationship without having to scrap all the user profiles?
>> Thanks in advance - all my reading so far has been of little help.
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
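The backup step suggested in the quoted replies above (copy the tdb files found under /var/*/samba and /var/*/*/samba, and restore them onto the same Samba revision), as an added example that is not part of the thread. The function names, the MANIFEST and SAMBA_VERSION files and the destination layout are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread): copy Samba's tdb databases into a
# backup directory so they can be put back after an OS reinstall.
# Function names, MANIFEST and SAMBA_VERSION are assumptions of this sketch.
# Stop smbd/nmbd first so the copies are not taken mid-write.

# backup_samba_tdbs ROOT DEST -> prints the number of files copied
#   ROOT is "/" on the server (a scratch directory when testing).
backup_samba_tdbs() {
    root=${1%/}
    dest=$2
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1      # the copies contain account secrets
    # The reply advises restoring onto the same Samba revision, so record it.
    if command -v smbd >/dev/null 2>&1; then
        smbd -V > "$dest/SAMBA_VERSION"
    else
        echo "unknown" > "$dest/SAMBA_VERSION"
    fi
    : > "$dest/MANIFEST"
    count=0
    # The same two locations the reply names: /var/*/samba and /var/*/*/samba.
    for dir in "$root"/var/*/samba "$root"/var/*/*/samba; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.tdb; do
            [ -f "$f" ] || continue
            rel=${f#"$root"/}
            mkdir -p "$dest/$(dirname "$rel")" || return 1
            cp -p "$f" "$dest/$rel" || return 1   # -p keeps mode and mtime
            ( cd "$dest" && sha256sum "$rel" ) >> "$dest/MANIFEST" || return 1
            count=$((count + 1))
        done
    done
    echo "$count"
}

# verify_samba_backup DEST -> exit status 0 only if every copy matches MANIFEST
verify_samba_backup() {
    ( cd "$1" && sha256sum -c MANIFEST ) >/dev/null 2>&1
}

# Usage on the server, as root:
#   backup_samba_tdbs / /root/samba-tdb-backup && verify_samba_backup /root/samba-tdb-backup
```

Before restoring, compare SAMBA_VERSION with the output of `smbd -V` on the rebuilt server, and keep the backup directory readable by root only.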
iordonez at berkeley.edu
2011-Jan-11 19:24 UTC
[Samba] [Resolved] Reestablishing trust with PDC
I have the same issue. The workaround that worked for me is to remove the computer from the domain and re-join the domain again. If there is a permanent fix to this, I would be a happy camper. It's a waste of time to remove and re-join the domain every time this issue happens.

I also tried this to no avail: Disabled the machine password change on all win7 clients by setting

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
DisablePasswordChange = dword:1

Thanks in advance.

> Thanks to both of you - exactly the piece I was missing.
>
> -----Original Message-----
> From: tms3 at tms3.com [mailto:tms3 at tms3.com]
> Sent: Monday, January 10, 2011 12:52 PM
> To: Christ Schlacta
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Reestablishing trust with PDC
>
>> you haven't tried experimenting with backing up and restoring the
>> samba password cache. look in /var/*/samba and /var/*/*/samba for
>> files related to the password cache to backup and restore.
>
> If you use LDAP this problem goes away. If you're using tdb's then moving
> the tdb's and using the same Samba revision should do it...IIRC
>
>> On 1/10/2011 10:45, Devon Crouse wrote:
>>>
>>> I often change configurations in a home server environment, and have
>>> scripts to back up all config files etc. - on a fresh OS install I
>>> can quickly restore function of all the services I'm running.
>>>
>>> I'm using version 3.4.7 as a PDC on Ubuntu with 4 Windows 7 clients.
>>> I can restore smb.conf which gets the file shares and server configuration
>>> back, but I lose the trust relationship with the clients and I can't
>>> figure out how to get it back (short of completely clearing all the
>>> profiles and dropping/adding to the domain.) I'm making the
>>> following assumptions:
>>>
>>> - There must be some sort of signature for the Samba/OS
>>>   installation that changes
>>> - This signature must be recorded in Windows somewhere for it to
>>>   validate the relationship (like known_hosts)
>>>
>>> I've tried the following in just about every order you can imagine:
>>>
>>> - Modifying/removing the profile registry entries in Windows
>>> - Removing/restoring the user directory in Windows
>>> - Removing/restoring the profile.v2 directory in Ubuntu
>>> - Experimenting with various local policy settings in Windows
>>> - Re-adding client to the domain
>>> - Using smbpasswd to recreate the users
>>>
>>> There must be something I can backup/change to retain/reestablish the
>>> trust relationship without having to scrap all the user profiles?
>>> Thanks in advance - all my reading so far has been of little help.
>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
On Wed, Jan 12, 2011 at 6:24 AM, <iordonez at berkeley.edu> wrote:
>
> I also tried this to no avail: Disabled the machine password change on all
> win7 clients by setting
>
> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
> DisablePasswordChange = dword:1

If Win 7 is ignoring that setting, it might honor the one which sets the password change period.

> MaximumPasswordAge determines when the computer password needs to be changed.
>
> Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
> Value = MaximumPasswordAge REG_DWORD
> Default = 30
> Range = 1 to 1,000,000 (in days)
> Group policy setting:
> Computer Configuration\windows Settings\Security settings\Local Policies\Security Options
> Domain member: Maximum machine account Password age
> To clear things up, it is 7 days on Windows NT by default, and 30 days on Windows 2000 and up.
> The trust password follows the same setting. So Trust between two NT 4 domains is 7 days. Trusts between Windows 2000 and up and anything else is 30 days.
>
> So what this means is if 2000 and NT4 trust password is 30 days.
>
> 2000 to 2000 is 30 days.
>
> 2000 to 2003 is 30 days.
>
> 2003 to 2003 is 30 days.
I will give this a shot. Thanks.

On 1/11/2011 7:00 PM, Taso Hatzi wrote:
> On Wed, Jan 12, 2011 at 6:24 AM, <iordonez at berkeley.edu> wrote:
>> I also tried this to no avail: Disabled the machine password change on all
>> win7 clients by setting
>>
>> HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
>> DisablePasswordChange = dword:1
>
> If Win 7 is ignoring that setting, it might honor the one which sets the
> password change period.
>
>> MaximumPasswordAge determines when the computer password needs to be changed.
>>
>> Key = HKLM\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters
>> Value = MaximumPasswordAge REG_DWORD
>> Default = 30
>> Range = 1 to 1,000,000 (in days)
>> Group policy setting:
>> Computer Configuration\windows Settings\Security settings\Local Policies\Security Options
>> Domain member: Maximum machine account Password age
>> To clear things up, it is 7 days on Windows NT by default, and 30 days on Windows 2000 and up.
>> The trust password follows the same setting. So Trust between two NT 4 domains is 7 days. Trusts between Windows 2000 and up and anything else is 30 days.
>>
>> So what this means is if 2000 and NT4 trust password is 30 days.
>>
>> 2000 to 2000 is 30 days.
>>
>> 2000 to 2003 is 30 days.
>>
>> 2003 to 2003 is 30 days.