samba - Jul 2011 - Win7 - Samba 3.5.4 trust relationship

Hello all,

I guess that everyone knows the message "the trust relation between this 
workstation and the primary domain failed" when joining Win7 into samba 
domain. Unfortunately, the same problem appeared few hours/days after the 
machine was successfully joined in the domain(with reg keys from 
https://wiki.samba.org/index.php/Windows7) and user able to use it for 
awhile. Then at random intervals, when the user tries to login again, he 
sees the "trust" message and has to type his password 3-5 or more
times
before successful login.

The setup includes PDC and BDC, both running on RHEL (5.5 and 5.6)64bit 
with samba 3.5.4-0.70.el5_6.1 + LDAP(fedora-ds) for user and computer 
authentication.20xWin 7 machines and 500xWinXP(xp has no problems).

I've read about similar symptoms when Win7 tries to change its machine 
password on every 30 days. Therefore some additional regs were added:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001
"MaximumPasswordAge"=dword:1000000
and this didn't help. I've compared the machine password values on both 
LDAP servers - they are same and synchronization is working fine.

In the wild, some people report that this issue is fixed when the 
"lmcompatibilitylevel" is limited to LM and NTLM authentication(NTLMv2
if
negotiated), but this couldn't help too.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"lmcompatibilitylevel"=dword:00000001
As I understood from `man 5 smb.conf`, the default Samba behaviour when 
nothing is specified for "client ntlmv2 auth", "client plaintext
auth",
"lanman auth", "client lanman auth" and "ntlm
auth", is to enable only
NTLMv1. Is that correct, because all Win7s can authenticate even with 
NTLMv2 enabled only ?!(it is not password cache ... i tried with new 
username which was never used on the workstation before).

My log options in smb.conf are: log level = 0 auth:10 lanman:10

Here is the log when the user is experiencing the issue:
[2011/06/30 14:31:17.726884,  5] auth/auth_util.c:211(make_user_info_map)
  Mapping user []\[] from workstation [TESTMACHINE]
[2011/06/30 14:31:17.726952,  5] auth/auth_util.c:232(make_user_info_map)
  Mapped domain from [] to [DOMAIN] for user [] from workstation 
[TESTMACHINE]
[2011/06/30 14:31:17.726978,  5] auth/auth_util.c:122(make_user_info)
  attempting to make a user_info for  ()
[2011/06/30 14:31:17.727000,  5] auth/auth_util.c:132(make_user_info)
  making strings for 's user_info struct
[2011/06/30 14:31:17.727021,  5] auth/auth_util.c:164(make_user_info)
  making blobs for 's user_info struct
[2011/06/30 14:31:17.727042, 10] auth/auth_util.c:182(make_user_info)
  made an encrypted user_info for  ()
[2011/06/30 14:31:17.727065,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user 
[]\[]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:17.727090,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[]@[TESTMACHINE]
[2011/06/30 14:31:17.727111, 10] auth/auth.c:228(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2011/06/30 14:31:17.727132, 10] auth/auth.c:230(check_ntlm_password)
  challenge is:
[2011/06/30 14:31:17.767852,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: guest authentication for user [] succeeded
[2011/06/30 14:31:17.767920,  5] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  guest authentication for user [] -> [] -> [nobody]
succeeded
[2011/06/30 14:31:17.767943,  5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2011/06/30 14:31:17.767965, 10] auth/auth_util.c:2123(free_user_info)
  structure was created for
[2011/06/30 14:31:17.772407, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-1-0 to gid, ignoring it
[2011/06/30 14:31:17.773632, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-2 to gid, ignoring it
[2011/06/30 14:31:17.774822, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-32-546 to gid, ignoring it
[2011/06/30 14:31:17.774906, 10] 
auth/token_util.c:531(debug_nt_user_token)
  NT user token of user S-1-5-21-3341649654-3636416974-85384702-501
  contains 5 SIDs
  SID[  0]: S-1-5-21-3341649654-3636416974-85384702-501
  SID[  1]: S-1-1-0
  SID[  2]: S-1-5-2
  SID[  3]: S-1-5-32-546
  SID[  4]: S-1-22-1-99
  SE_PRIV  0x0 0x0 0x0 0x0
[2011/06/30 14:31:17.774996, 10] 
auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 99
  Primary group is 99 and contains 0 supplementary groups
[2011/06/30 14:31:17.785859,  0] 
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting 
auth request from client TESTMACHINE machine account TESTMACHINE$
[2011/06/30 14:31:25.321099,  5] 
auth/auth.c:481(make_auth_context_subsystem)
  Making default auth method list for DC, security=user, encrypt passwords 
= yes

After a few tries we successfully login:
[2011/06/30 14:31:25.322605, 10] auth/auth_util.c:182(make_user_info)
  made an encrypted user_info for TESTMACHINE$ (TESTMACHINE$)
[2011/06/30 14:31:25.322626,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user 
[DOMAIN]\[TESTMACHINE$]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:25.322651,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: 
[DOMAIN]\[TESTMACHINE$]@[TESTMACHINE]
[2011/06/30 14:31:25.322672, 10] auth/auth.c:228(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by NTLMSSP callback 
(NTLM2)
[2011/06/30 14:31:25.322693, 10] auth/auth.c:230(check_ntlm_password)
  challenge is:
[2011/06/30 14:31:25.322717, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2011/06/30 14:31:25.327291,  4] auth/auth_sam.c:180(sam_account_ok)
  sam_account_ok: Checking SMB password for user TESTMACHINE$
[2011/06/30 14:31:25.327439,  5] auth/auth_sam.c:162(logon_hours_ok)
  logon_hours_ok: user TESTMACHINE$ allowed to logon at this time (Thu Jun 
30 11:31:25 2011
  )
[2011/06/30 14:31:25.382399,  5] 
auth/auth_util.c:649(make_server_info_sam)
  make_server_info_sam: made server info for user TESTMACHINE$ -> 
TESTMACHINE$
[2011/06/30 14:31:25.382496,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [TESTMACHINE$] 
succeeded
[2011/06/30 14:31:25.382541,  5] auth/auth.c:291(check_ntlm_password)
  check_ntlm_password:  PAM Account for user [TESTMACHINE$] succeeded
[2011/06/30 14:31:25.382572,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [TESTMACHINE$] -> 
[TESTMACHINE$] -> [TESTMACHINE$] succeeded
[2011/06/30 14:31:25.382643,  5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2011/06/30 14:31:25.382665, 10] auth/auth_util.c:2123(free_user_info)
  structure was created for TESTMACHINE$
[2011/06/30 14:31:25.386736, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-1-0 to gid, ignoring it
[2011/06/30 14:31:25.387737, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-2 to gid, ignoring it
[2011/06/30 14:31:25.388766, 10] auth/auth_util.c:753(create_local_token)
  Could not convert SID S-1-5-11 to gid, ignoring it
[2011/06/30 14:31:25.388853, 10] 
auth/token_util.c:531(debug_nt_user_token)
  NT user token of user S-1-5-21-3341649654-3636416974-85384702-67110721
  contains 7 SIDs
  SID[  0]: S-1-5-21-3341649654-3636416974-85384702-67110721
  SID[  1]: S-1-5-21-3341649654-3636416974-85384702-515
  SID[  2]: S-1-1-0
  SID[  3]: S-1-5-2
  SID[  4]: S-1-5-11
  SID[  5]: S-1-22-1-7016
  SID[  6]: S-1-22-2-515
  SE_PRIV  0x0 0x0 0x0 0x0
[2011/06/30 14:31:25.388963, 10] 
auth/token_util.c:551(debug_unix_user_token)
  UNIX token of user 7016
  Primary group is 515 and contains 1 supplementary groups
  Group[  0]: 515
[2011/06/30 14:31:25.428362,  5] 
auth/auth.c:481(make_auth_context_subsystem)
  Making default auth method list for DC, security=user, encrypt passwords 
= yes
[2011/06/30 14:31:25.428435,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match guest
[2011/06/30 14:31:25.428461,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method guest has a valid init
[2011/06/30 14:31:25.428484,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match sam
[2011/06/30 14:31:25.428506,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method sam has a valid init
[2011/06/30 14:31:25.428527,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match 
winbind:trustdomain
[2011/06/30 14:31:25.428549,  5] auth/auth.c:383(load_auth_module)
  load_auth_module: Attempting to find an auth method to match trustdomain
[2011/06/30 14:31:25.428581,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method trustdomain has a valid init
[2011/06/30 14:31:25.428602,  5] auth/auth.c:408(load_auth_module)
  load_auth_module: auth method winbind has a valid init
[2011/06/30 14:31:25.428624,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module guest did not want to specify a challenge
[2011/06/30 14:31:25.428645,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module sam did not want to specify a challenge
[2011/06/30 14:31:25.428666,  5] auth/auth.c:97(get_ntlm_challenge)
  auth_get_challenge: module winbind did not want to specify a challenge
[2011/06/30 14:31:25.428694,  5] auth/auth.c:132(get_ntlm_challenge)
  auth_context challenge created by random
[2011/06/30 14:31:25.428717,  5] auth/auth.c:133(get_ntlm_challenge)
  challenge is:
[2011/06/30 14:31:25.429072,  5] auth/auth_util.c:211(make_user_info_map)
  Mapping user [DOMAIN]\[dichev] from workstation [TESTMACHINE]
[2011/06/30 14:31:25.429097,  5] auth/auth_util.c:122(make_user_info)
  attempting to make a user_info for dichev (dichev)
[2011/06/30 14:31:25.429119,  5] auth/auth_util.c:132(make_user_info)
  making strings for dichev's user_info struct
[2011/06/30 14:31:25.429141,  5] auth/auth_util.c:164(make_user_info)
  making blobs for dichev's user_info struct
[2011/06/30 14:31:25.429162, 10] auth/auth_util.c:182(make_user_info)
  made an encrypted user_info for dichev (dichev)
[2011/06/30 14:31:25.429184,  3] auth/auth.c:216(check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user 
[DOMAIN]\[dichev]@[TESTMACHINE] with the new password interface
[2011/06/30 14:31:25.429209,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[dichev]@[TESTMACHINE]
[2011/06/30 14:31:25.429265, 10] auth/auth.c:228(check_ntlm_password)
  check_ntlm_password: auth_context challenge created by random
[2011/06/30 14:31:25.429287, 10] auth/auth.c:230(check_ntlm_password)
  challenge is:
[2011/06/30 14:31:25.429314, 10] auth/auth.c:256(check_ntlm_password)
  check_ntlm_password: guest had nothing to say
[2011/06/30 14:31:25.431988,  4] auth/auth_sam.c:180(sam_account_ok)
  sam_account_ok: Checking SMB password for user dichev
[2011/06/30 14:31:25.432048,  5] auth/auth_sam.c:162(logon_hours_ok)
  logon_hours_ok: user dichev allowed to logon at this time (Thu Jun 30 
11:31:25 2011)
[2011/06/30 14:31:25.438531,  5] 
auth/auth_util.c:649(make_server_info_sam)
  make_server_info_sam: made server info for user dichev -> dichev
[2011/06/30 14:31:25.438636,  3] auth/auth.c:265(check_ntlm_password)
  check_ntlm_password: sam authentication for user [dichev] succeeded
[2011/06/30 14:31:25.438679,  5] auth/auth.c:291(check_ntlm_password)
  check_ntlm_password:  PAM Account for user [dichev] succeeded
[2011/06/30 14:31:25.438701,  2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password:  authentication for user [dichev] -> [dichev] -> 
[dichev] succeeded
[2011/06/30 14:31:25.438726,  5] auth/auth_util.c:2119(free_user_info)
  attempting to free (and zero) a user_info structure
[2011/06/30 14:31:25.438747, 10] auth/auth_util.c:2123(free_user_info)



It seems that in the first(the bad) request the machine does not report 
the domain name and its machine name ... don't know why.


All ideas appreciated !!

tks

Ivan Dichev

Hi Ivan!

Thats unfortunately correct. Win7 changes the machine password 
automatically every xx days (randomly - max 30 days)
- that does not work.

You have to set the registry key to avoid that change:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"DisablePasswordChange"=dword:00000001

regards
Martin
> It seems that in the first(the bad) request the machine does not report
> the domain name and its machine name ... don't know why.
>
>
> All ideas appreciated !!
>
> tks
>
> Ivan Dichev

>Should all this go into
>http://wiki.samba.org/index.php/Windows7
>?
Unfortunately, after I added [X] flag, we still have the same errors and 
Win7 continues to complain for its trust relationship.
To summarize: all machines have policy not to update their passwords. The 
password age was extended to 1000000 days.  Didn't help.

Some people report that the machine name in Samba and on the workstation 
itself, should be written with same cases - upper or lower only(you 
decide). This is not my problem too.

The worst thing is that there are many posts like these below and we don't 
have any or single solution... so maybe we see same error for group of 
problems..
http://samba.2283325.n4.nabble.com/Windows-7-Samba-domain-issues-td2437558.html
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,18/func,view/id,7361/
(I spoke personally with AndyL .. its not working)


So.. the [X] does not deserve to be on the wiki :)

Ivan