Oliver R.
2012-Mar-11 13:57 UTC
[Samba] The trust relationship between this workstation and the primary domain failed. (After SAMBA upgrade)
Hi folks

I am writing to this list because Google was unable to provide me with a solution for my problem (neither did the samba list archives; as far as I can see). I know that the topic "The trust relationship between this workstation and the primary domain failed." is not unknown and a lot of people are suffering from it but I have the feeling that my problem is different. I am not using SAMBA as DC and try to join Windows 7 to it; but let me explain.

I had a working configuration which looked as follows:

- Windows 2008 R2 SP1 Domain Controller (Forest functional Level 2008 R2; so highest possible) (DNS Server, Global Catalog etc. It is only this ONE DC)
- Windows 7 Workstation as a domain member of this domain (Works great; no Problems)
- SAMBA 3.x running on Fedora 13 (+ updates so not the newest SAMBA 3.5/3.6 releases but somewhere in the 3.1 - 3.3 releases)

The SAMBA Box was joined to the domain and some directories on the Fedora box were shared. I was able to access them from my Windows 7 Box without any problems. So SAMBA was a perfect ADS member.

Everything was running fine until ..................... I decided to upgrade (reinstall) my box with Fedora 16

The Fedora Box now has the newest SAMBA release (samba-3.6.3-78.fc16.i686) installed.

I reconfigured SAMBA by

- re-created the same users with the same uid/gid on the box
- configuring DNS as it was before
- copied back /etc/krb5.conf
- copied back /etc/samba/smb.conf and /etc/samba/smbusers (Basically I used the new smb.conf and replaced the necessary information. I have an include file ads.conf for my ADS configuration which I inject into smb.conf. So no typos or missing something)
- Did a: kinit Administrator@MYDOMAIN.COM (successful)
- Did a: net ads join -U Administrator (successful)
- Did a: net ads testjoin (-> Join is OK)
- Did a: smbclient \\\\mydc\\myshare -U Administrator (could access the share)
  (OK. smbclient does not use the local Samba-Daemon but directly connects to the DC.
  So not really a test)

So everything was as it was before with the exception that when I try to access the SAMBA box from my Windows 7 Box I get:

- The trust relationship between this workstation and the primary domain failed.
- /var/log/samba/log.win7box shows error messages:

[2012/03/11 13:33:07.281548, 0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server MYDC.MYDOMAIN.COM for domain MYDOMAIN.
[2012/03/11 13:33:07.281867, 0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine MYDC.MYDOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2012/03/11 13:33:07.284289, 0] rpc_client/cli_pipe_schannel.c:184(cli_rpc_pipe_open_schannel)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server MYDC.MYDOMAIN.COM for domain MYDOMAIN.
[2012/03/11 13:33:07.284665, 0] auth/auth_domain.c:193(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine MYDC.MYDOMAIN.COM. Error was : NT_STATUS_ACCESS_DENIED.
[2012/03/11 13:33:07.285166, 0] auth/auth_domain.c:292(domain_client_validate)
  domain_client_validate: Domain password server not available.

When I do a Wireshark trace on the Linux system I see the SAMBA Daemon communicates with my domain Controller (MYDC) and gets some errors (when accessing the SAMBA Box from Win 7).

No. Time Source Destination Protocol Info
9245 45.548203 192.168.1.131 192.168.1.3 SMB Negotiate Protocol Request
9247 45.584079 192.168.1.3 192.168.1.131 SMB Negotiate Protocol Response
9248 45.690020 192.168.1.131 192.168.1.3 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
9249 45.690874 192.168.1.3 192.168.1.131 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
9250 45.691254 192.168.1.131 192.168.1.3 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: MYDOMAIN\Snoopy
9257 45.760270 192.168.1.3 192.168.1.4 SMB Negotiate Protocol Request
9258 45.760989 192.168.1.4 192.168.1.3 SMB Negotiate Protocol Response
9260 45.761266 192.168.1.3 192.168.1.4 SMB Session Setup AndX Request, User: anonymous
9261 45.761586 192.168.1.4 192.168.1.3 SMB Session Setup AndX Response
9262 45.763317 192.168.1.3 192.168.1.4 SMB Tree Connect AndX Request, Path: \\MYDC.MYDOMAIN.COM\IPC$
9264 45.763683 192.168.1.4 192.168.1.3 SMB Tree Connect AndX Response
9265 45.763883 192.168.1.3 192.168.1.4 SMB NT Create AndX Request, Path: \lsarpc
9266 45.764134 192.168.1.4 192.168.1.3 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
9268 45.764254 192.168.1.3 192.168.1.4 SMB Tree Disconnect Request
9269 45.764481 192.168.1.4 192.168.1.3 SMB Tree Disconnect Response
9278 45.775245 192.168.1.3 192.168.1.4 SMB Negotiate Protocol Request
9279 45.775662 192.168.1.4 192.168.1.3 SMB Negotiate Protocol Response
9281 45.775863 192.168.1.3 192.168.1.4 SMB Session Setup AndX Request, User: anonymous
9282 45.776115 192.168.1.4 192.168.1.3 SMB Session Setup AndX Response
9283 45.776662 192.168.1.3 192.168.1.4 SMB Tree Connect AndX Request, Path: \\MYDC.MYDOMAIN.COM\IPC$
9284 45.776921 192.168.1.4 192.168.1.3 SMB Tree Connect AndX Response
9285 45.777358 192.168.1.3 192.168.1.4 SMB NT Create AndX Request, Path: \netlogon
9286 45.777620 192.168.1.4 192.168.1.3 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
9287 45.780066 192.168.1.3 192.168.1.4 SMB Tree Disconnect Request
9288 45.780314 192.168.1.4 192.168.1.3 SMB Tree Disconnect Response
9295 45.782302 192.168.1.3 192.168.1.4 SMB Negotiate Protocol Request
9296 45.782708 192.168.1.4 192.168.1.3 SMB Negotiate Protocol Response
9298 45.783294 192.168.1.3 192.168.1.4 SMB Session Setup AndX Request, User: anonymous
9299 45.783603 192.168.1.4 192.168.1.3 SMB Session Setup AndX Response
9300 45.784193 192.168.1.3 192.168.1.4 SMB Tree Connect AndX Request, Path: \\MYDC.MYDOMAIN.COM\IPC$
9301 45.784452 192.168.1.4 192.168.1.3 SMB Tree Connect AndX Response
9302 45.784908 192.168.1.3 192.168.1.4 SMB NT Create AndX Request, Path: \netlogon
9303 45.785159 192.168.1.4 192.168.1.3 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
9304 45.787376 192.168.1.3 192.168.1.4 SMB Tree Disconnect Request
9305 45.787612 192.168.1.4 192.168.1.3 SMB Tree Disconnect Response
9312 45.789331 192.168.1.3 192.168.1.4 SMB Negotiate Protocol Request
9313 45.789745 192.168.1.4 192.168.1.3 SMB Negotiate Protocol Response
9315 45.790343 192.168.1.3 192.168.1.4 SMB Session Setup AndX Request, User: anonymous
9316 45.790639 192.168.1.4 192.168.1.3 SMB Session Setup AndX Response
9317 45.790780 192.168.1.3 192.168.1.4 SMB Tree Connect AndX Request, Path: \\MYDC.MYDOMAIN.COM\IPC$
9318 45.791088 192.168.1.4 192.168.1.3 SMB Tree Connect AndX Response
9319 45.791217 192.168.1.3 192.168.1.4 SMB NT Create AndX Request, Path: \netlogon
9320 45.791736 192.168.1.4 192.168.1.3 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
9321 45.792332 192.168.1.3 192.168.1.4 SMB Tree Disconnect Request
9322 45.792591 192.168.1.4 192.168.1.3 SMB Tree Disconnect Response
9326 45.793451 192.168.1.3 192.168.1.131 SMB Session Setup AndX Response, Error: STATUS_TRUSTED_RELATIONSHIP_FAILURE
9327 45.794087 192.168.1.131 192.168.1.3 SMB Session Setup AndX Request, NTLMSSP_NEGOTIATE
9329 45.794328 192.168.1.3 192.168.1.131 SMB Session Setup AndX Response, NTLMSSP_CHALLENGE, Error: STATUS_MORE_PROCESSING_REQUIRED
9330 45.794581 192.168.1.131 192.168.1.3 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: MYDOMAIN\Snoopy

I have no idea why my configuration is not working anymore on the new SAMBA version. There must have been some changes in a later SAMBA release which prevents proper communication between the SAMBA box and my Windows 2008 R2 DC. I did not do anything to my Windows Domain and everything was working fine before the Fedora upgrade.

Any ideas how to solve this?

Regards,
Oliver
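
Added example, not part of the original post: a small triage script that reads Wireshark summary rows like the ones above and reports which named-pipe opens were refused, under which session identity, and which final error was returned to the client. The TRACE sample is a constructed subset of the posted rows, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the trace rows from the post, one frame per line.
TRACE = r"""
9250 45.691254 192.168.1.131 192.168.1.3 SMB Session Setup AndX Request, NTLMSSP_AUTH, User: MYDOMAIN\Snoopy
9260 45.761266 192.168.1.3 192.168.1.4 SMB Session Setup AndX Request, User: anonymous
9265 45.763883 192.168.1.3 192.168.1.4 SMB NT Create AndX Request, Path: \lsarpc
9266 45.764134 192.168.1.4 192.168.1.3 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
9281 45.775863 192.168.1.3 192.168.1.4 SMB Session Setup AndX Request, User: anonymous
9285 45.777358 192.168.1.3 192.168.1.4 SMB NT Create AndX Request, Path: \netlogon
9286 45.777620 192.168.1.4 192.168.1.3 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_ACCESS_DENIED
9326 45.793451 192.168.1.3 192.168.1.131 SMB Session Setup AndX Response, Error: STATUS_TRUSTED_RELATIONSHIP_FAILURE
"""

ROW = re.compile(r"^(\d+)\s+[\d.]+\s+(\S+)\s+(\S+)\s+SMB\s+(.*)$")

def parse(trace):
    """Turn Wireshark summary rows into (frame, src, dst, info) tuples."""
    rows = []
    for line in trace.strip().splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def field(info, key):
    """Return the value after 'key: ' up to the next comma, or None."""
    m = re.search(re.escape(key) + r": ([^,]+)", info)
    return m.group(1).strip() if m else None

def denied_pipe_opens(rows):
    """Pair each failed NT Create response with its request and session user."""
    user, pending, findings = {}, {}, []
    for frame, src, dst, info in rows:
        if info.startswith("Session Setup AndX Request") and field(info, "User"):
            user[(src, dst)] = field(info, "User")
        elif info.startswith("NT Create AndX Request"):
            pending[(src, dst)] = field(info, "Path")
        elif info.startswith("NT Create AndX Response") and field(info, "Error"):
            # The response travels server -> client, so the request key is (dst, src).
            path = pending.pop((dst, src), None)
            findings.append((dst, src, user.get((dst, src)), path, field(info, "Error")))
    return findings

def session_errors(rows):
    """Final (non-intermediate) Session Setup errors and who received them."""
    return [(dst, field(info, "Error")) for _, _, dst, info in rows
            if info.startswith("Session Setup AndX Response")
            and field(info, "Error") not in (None, "STATUS_MORE_PROCESSING_REQUIRED")]
```

On the sample rows this reports two refused opens (\lsarpc and \netlogon) made from 192.168.1.3 to 192.168.1.4 over anonymous sessions, followed by STATUS_TRUSTED_RELATIONSHIP_FAILURE returned to 192.168.1.131.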