Donny Brooks
2011-Jul-26 16:28 UTC
[Samba] Very odd issue with Win7 and trust relationships
Hello all,

We have just concluded a very drawn-out test of our domain that is having some trust relationship problems with Windows 7 desktops. Here is a breakdown of our setup:

roark PDC running samba 3.4.7 (also has OpenLDAP) on VLAN 2
archives3 BDC running samba 3.4.7 (also has OpenLDAP) on VLAN2
arrowhead BDC "home server" running samba 3.4.3 on VLAN 9
archives4 BDC "home server" running samba 3.2.14 on VLAN8
ocm BDC "home server" running samba 3.3.8 on VLAN8
defiant BDC "soon to be home server" running samba 3.5.8 on VLAN3
pubinfo BDC "home server" running samba 3.5.4 on VLAN3

Ok, so we currently have Windows 7 machines on VLANs 3, 8, and 9. The only ones having issues are the ones on VLAN 3. This problem started a few weeks ago when we upgraded our core network switches. Only on my workstation and one other are we having this problem, as we are the only two that have Windows 7 on this VLAN. In order to test some possible fixes I set up a new machine with Windows 7 to perform all the tests on. Usually when I or the other user have to reboot, we have to shut down and power right back up and immediately log back in to get past the trust relationship error. The machines on VLANs 8 and 9 are functioning perfectly with no issues whatsoever.

I have tried turning samba off on all of the servers on VLAN 3 and logging in to the domain on our test machine. Also have tried only having one at a time running samba. Neither way works, as we always get the same error. I can then do nothing but change the VLAN on the port the machine is plugged in to and then try to log back in, and it works flawlessly every time; reboot, power on/off, or log off/on doesn't matter, as they all work every time on a different VLAN.

We have roughly 50 new PCs with Windows 7 that we are about to deploy and I need to get this fixed before we can do so. Would anyone have any idea where to begin? We are working to upgrade our version of samba on the main PDC and BDC, but that will require doing a hand-compiled version and we would rather just replace the machines with new ones, and that has its own set of challenges in terms of keeping the domain functioning. Looking at the Windows7 page of the wiki I see this: "

If you use older versions, Windows 7 box still can join the Samba Domain but after rebooting, you will receive an error message: "the trust relation between this workstation and the primary domain failed" and no one can logon as any domain user.

-- Monyo <http://wiki.samba.org/index.php?title=User:Monyo&action=edit&redlink=1> 16:22, 5 June 2011 (UTC)"

But as you can see, when on the other VLANs I am not using the latest samba but it works. I am at a loss and need some fresh thoughts on this. I appreciate any and all assistance on this problem.

Donny B.
MDAH
Donny Brooks
2011-Jul-26 20:45 UTC
[Samba] Very odd issue with Win7 and trust relationships
On 7/26/2011 11:28 AM, Donny Brooks wrote:
> Hello all,
>
> We have just concluded a very drawn-out test of our domain that
> is having some trust relationship problems with Windows 7 desktops.
> Here is a breakdown of our setup:
>
> roark PDC running samba 3.4.7 (also has OpenLDAP) on VLAN 2
> archives3 BDC running samba 3.4.7 (also has OpenLDAP) on VLAN2
> arrowhead BDC "home server" running samba 3.4.3 on VLAN 9
> archives4 BDC "home server" running samba 3.2.14 on VLAN8
> ocm BDC "home server" running samba 3.3.8 on VLAN8
> defiant BDC "soon to be home server" running samba 3.5.8 on VLAN3
> pubinfo BDC "home server" running samba 3.5.4 on VLAN3
>
> Ok, so we currently have Windows 7 machines on VLANs 3, 8, and 9. The
> only ones having issues are the ones on VLAN 3. This problem started a
> few weeks ago when we upgraded our core network switches. Only on my
> workstation and one other are we having this problem, as we are the
> only two that have Windows 7 on this VLAN. In order to test some
> possible fixes I set up a new machine with Windows 7 to perform all the
> tests on. Usually when I or the other user have to reboot, we have to
> shut down and power right back up and immediately log back in to get
> past the trust relationship error. The machines on VLANs 8 and 9 are
> functioning perfectly with no issues whatsoever.
>
> I have tried turning samba off on all of the servers on VLAN 3 and
> logging in to the domain on our test machine. Also have tried only
> having one at a time running samba. Neither way works, as we always get
> the same error. I can then do nothing but change the VLAN on the port
> the machine is plugged in to and then try to log back in, and it works
> flawlessly every time; reboot, power on/off, or log off/on doesn't
> matter, as they all work every time on a different VLAN.
>
> We have roughly 50 new PCs with Windows 7 that we are about to deploy
> and I need to get this fixed before we can do so. Would anyone have
> any idea where to begin? We are working to upgrade our version of
> samba on the main PDC and BDC, but that will require doing a hand-
> compiled version and we would rather just replace the machines with
> new ones, and that has its own set of challenges in terms of keeping
> the domain functioning. Looking at the Windows7 page of the wiki I see
> this: "
>
> If you use older versions, Windows 7 box still can join the Samba
> Domain but after rebooting, you will receive an error message: "the
> trust relation between this workstation and the primary domain failed"
> and no one can logon as any domain user.
>
> -- Monyo
> <http://wiki.samba.org/index.php?title=User:Monyo&action=edit&redlink=1>
> 16:22, 5 June 2011 (UTC)"
>
> But as you can see, when on the other VLANs I am not using the latest
> samba but it works. I am at a loss and need some fresh thoughts on
> this. I appreciate any and all assistance on this problem.
>
> Donny B.
> MDAH
>

Also, in addition to the above testing, we decided to create a new VLAN (VLAN 11) and put defiant and the test machine on it. Worked flawlessly pulling multiple users' profiles from both roark and arrowhead servers. So something is wrong just on VLAN 3. This is very odd. A friend suggested to find a .tdb file editor and see if there are any wonky settings in those files. Could anyone suggest a good program to do that?