David Noriega
2013-Feb-08 18:56 UTC
[Samba] BDC Rejecting auth request from client + Windows 7
Just some background: In our environment, we are running both a PDC and BDC. The local network setup has static IPs on a different subnet from DHCP IPs, thus the PDC has a static IP and the BDC has a dynamic one so the Windows machines are able to see the domain without hardcoding in the IP of the PDC as a WINS on each machine. This has worked fine for Windows XP. We are also using LDAP as the backend.

Now we have a Windows 7 box and I have followed various instructions and modified entries within the registry as everyone else has specified. While I can join the domain, after reboot I get the trust relationship failed error (or on a rare occasion it will say no logon servers available). Checking the logs I have mapped out the following:

1. Win7 client asks to join the domain
2. PDC responds and adds machine to LDAP
3. Win7 accepts and tests machine account
4. BDC rejects auth request
5. Win7 logs this, but still shows successful join message and reboots
6. Win7 then refused to login on the domain. I can type in gibberish and still get the trust relationship failed message.

Here is the following from the BDC:

[2013/02/08 13:11:05.458750, 2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2013/02/08 13:11:05.504483, 2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/08 13:11:05.504529, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
[2013/02/08 13:11:05.524195, 2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/08 13:11:05.524235, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
[2013/02/08 13:11:15.914207, 0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/02/08 13:11:15.914316, 0] lib/util_sock.c:1441(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
Gaiseric Vandal
2013-Feb-08 20:34 UTC
[Samba] BDC Rejecting auth request from client + Windows 7
I don't quite understand: why does the BDC have a dynamic IP address? Or have I misunderstood? The DHCP server can provide the IP of the WINS servers to DHCP clients. Are the XP and Win 7 workstations on a separate subnet from the servers?

What version are the Samba servers? Do both Samba servers point to a single LDAP server or do they each have their own LDAP server in replication? Does "pdbedit -Lv" show the same accounts on each DC? Is it possible that the Windows 7 machine accounts have not replicated to the BDC?

Have you specified the ports in the smb.conf file? By default Samba uses ports 137, 138, and 445. In theory you can disable port 445 (it reduces some of the transport warnings) but I find that causes problems with name resolution when a router or VPN is involved. So better off just sticking with the defaults.
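For checking which machine accounts a DC is turning away, the following is an added example (not part of either post and not Samba project code) that parses log entries in the layout quoted in this thread and counts netlogon rejections per machine account. The function names are the example's own, and the sample is an excerpt of the log lines posted above.

```python
import re
from collections import Counter

# Samba log header: "[YYYY/MM/DD HH:MM:SS.uuuuuu, LEVEL] file.c:LINE(function)"
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
REJECT = re.compile(r"Rejecting auth request from client (\S+) machine account (\S+)")

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {**m.groupdict(), "msg": []}
            entries.append(current)
        elif current is not None and line:
            # Message text may wrap over several lines; keep them together.
            current["msg"].append(line)
    return entries

def rejected_accounts(text):
    """Count netlogon rejections per (client name, machine account)."""
    hits = Counter()
    for e in parse_entries(text):
        m = REJECT.search(" ".join(e["msg"]))
        if e["func"] == "_netr_ServerAuthenticate3" and m:
            hits[(m.group(1), m.group(2))] += 1
    return hits

# Excerpt of the BDC log quoted in the thread (mail line wraps rejoined).
SAMPLE = """\
[2013/02/08 13:11:05.458750, 2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2013/02/08 13:11:05.504483, 2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/08 13:11:05.504529, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from
  client CLASSROOM machine account CLASSROOM$
[2013/02/08 13:11:05.524235, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
"""

if __name__ == "__main__":
    print(rejected_accounts(SAMPLE))
```

Running the same count against the logs of both DCs shows whether only one of them rejects a given machine account.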