thr3ads.net - samba - [Samba] 2:3.6.6-6+deb7u10 -> client use spnego = yes -> The trust relationship between this workstation and the primary domain failed | no -> net rpc -> NT_STATUS_INVALID

If this information is useful, please help other people find it:
Share via:

Jelle de Jong

2016-Dec-16 14:53 UTC

[Samba] 2:3.6.6-6+deb7u10 -> client use spnego = yes -> The trust relationship between this workstation and the primary domain failed | no -> net rpc -> NT_STATUS_INVALID_PARAMETER

Hello everybody,

I am trying to keep my samba pdc working with windows 7 pro clients.

After my upgrade: 2016-12-15 15:10:16 upgrade samba:amd64 
2:3.6.6-6+deb7u7 2:3.6.6-6+deb7u10

Some of the Windows 7 client can not login anymore and respond with:

The trust relationship between this workstation and the primary domain 
failed

Changing the setting client use spnego = no will make the Windows 
clients work again work, but will cause my net rpc commands to fail...

Setting client use spnego = yes will make the rpc commands work but the 
Windows clients will not be able to login.

Please advice?

stayce:~# testparm
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[documenten]"
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
	workgroup = COMPANY
	netbios name = SERVER
	interfaces = lo, br0
	bind interfaces only = Yes
	passdb backend = ldapsam
	log file = /var/log/samba/log.%m
	time server = Yes
	client use spnego = No
	max open files = 17404
	load printers = No
	printcap name = /dev/null
	disable spoolss = Yes
	logon script = netlogon.bat
	logon path = \\%N\profiles\%U
	domain logons = Yes
	os level = 240
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	wins support = Yes
	ldap admin dn = cn=admin,dc=company,dc=nl
	ldap delete dn = Yes
	ldap group suffix = ou=groups
	ldap idmap suffix = ou=idmap
	ldap machine suffix = ou=computers
	ldap passwd sync = yes
	ldap suffix = dc=company,dc=nl
	ldap ssl = no
	ldap user suffix = ou=users
	usershare max shares = 0
	usershare path = /srv/storage/shares
	template homedir = /srv/storage/shares/
	template shell = /bin/bash
	ldapsam:trusted = yes
	ldapsam:editposix = yes
	idmap config * : range = 10000-30000000
	idmap config * : ldap_url = ldap://localhost/
	idmap alloc config : ldap_base_dn = ou=idmap,dc=company,dc=nl
	idmap alloc config : ldap_user_dn = cn=admin,dc=company,dc=nl
	idmap config * : backend = ldap
	printing = bsd
	print command = lpr -r -P'%p' %s
	lpq command = lpq -P'%p'
	lprm command = lprm -P'%p' %j

[documenten]
	path = /srv/storage/shares
	read only = No
	create mask = 0660
	security mask = 0770
	directory mask = 0770
	directory security mask = 0770
	inherit acls = Yes
	map acl inherit = Yes
	hide unreadable = Yes
	store dos attributes = Yes
	vfs objects = recycle
	recycle:keeptree = Yes
	recycle:versions = Yes
	recycle:touch_mtime = Yes

[homes]
	comment = Home Directories
	path = /srv/storage/samba/homes/%U
	read only = No
	inherit acls = Yes
	map acl inherit = Yes
	store dos attributes = Yes
	browseable = No
	root preexec = /usr/local/bin/samba-mkdir-home %U

[netlogon]
	comment = Network Logon Service
	path = /srv/storage/samba/netlogon
	read only = No
	inherit acls = Yes
	map acl inherit = Yes
	store dos attributes = Yes
	browseable = No

[profiles]
	comment = Users profiles
	path = /srv/storage/samba/profiles
	read only = No
	inherit acls = Yes
	profile acls = Yes
	map acl inherit = Yes
	store dos attributes = Yes
	browseable = No






stayce:~# net -d 10 rpc group members "office" -S localhost -U 
Administrator%<secret>
INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
INFO: Current debug levels:
   all: 10
   tdb: 10
   printdrivers: 10
   lanman: 10
   smb: 10
   rpc_parse: 10
   rpc_srv: 10
   rpc_cli: 10
   passdb: 10
   sam: 10
   auth: 10
   winbind: 10
   vfs: 10
   idmap: 10
   quota: 10
   acls: 10
   locking: 10
   msdfs: 10
   dmapi: 10
   registry: 10
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = COMPANY
doing parameter netbios name = SERVER
handle_netbios_name: set global_myname to: SERVER
doing parameter interfaces = lo, br0
doing parameter bind interfaces only = Yes
doing parameter passdb backend = ldapsam
doing parameter log file = /var/log/samba/log.%m
doing parameter time server = Yes
doing parameter client use spnego = No
doing parameter max open files = 17404
doing parameter load printers = No
doing parameter printcap name = /dev/null
doing parameter disable spoolss = Yes
doing parameter logon script = netlogon.bat
doing parameter logon path = \\%N\profiles\%U
doing parameter domain logons = Yes
doing parameter os level = 240
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter dns proxy = No
doing parameter wins support = Yes
doing parameter ldap admin dn = cn=admin,dc=company,dc=nl
doing parameter ldap delete dn = Yes
doing parameter ldap group suffix = ou=groups
doing parameter ldap idmap suffix = ou=idmap
doing parameter ldap machine suffix = ou=computers
doing parameter ldap passwd sync = yes
doing parameter ldap suffix = dc=company,dc=nl
doing parameter ldap ssl = no
doing parameter ldap user suffix = ou=users
doing parameter usershare max shares = 0
doing parameter usershare path = /srv/storage/shares
doing parameter template homedir = /srv/storage/shares/
doing parameter template shell = /bin/bash
doing parameter idmap alloc config : ldap_user_dn = 
cn=admin,dc=company,dc=nl
doing parameter idmap alloc config : ldap_base_dn = 
ou=idmap,dc=company,dc=nl
doing parameter idmap config * : ldap_url = ldap://localhost/
doing parameter idmap config * : range = 10000-30000000
doing parameter ldapsam:editposix = yes
doing parameter ldapsam:trusted = yes
doing parameter idmap config * : backend = ldap
doing parameter printing = bsd
doing parameter print command = lpr -r -P'%p' %s
doing parameter lpq command = lpq -P'%p'
doing parameter lprm command = lprm -P'%p' %j
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_PDC
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Netbios name list:-
my_netbios_names[0]="SERVER"
added interface lo ip=::1 bcast=::1 
netmask=ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
added interface lo ip=127.0.0.1 bcast=127.255.255.255 netmask=255.0.0.0
added interface br0 ip=192.168.22.80 bcast=192.168.22.255 
netmask=255.255.255.0
Registered MSG_REQ_POOL_USAGE
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
Opening cache file at /var/run/samba/gencache.tdb
Opening cache file at /var/run/samba/gencache_notrans.tdb
sitename_fetch: No stored sitename for
internal_resolve_name: looking up localhost#20 (sitename (null))
name localhost#20 found.
remove_duplicate_addrs2: looking for duplicate address/port pairs
Connecting to host=localhost
Running timed event "tevent_req_timedout" 0x7f75783bf2e0
Connecting to 127.0.0.1 at port 445
Socket options:
	SO_KEEPALIVE = 0
	SO_REUSEADDR = 0
	SO_BROADCAST = 0
	TCP_NODELAY = 1
	TCP_KEEPCNT = 9
	TCP_KEEPIDLE = 7200
	TCP_KEEPINTVL = 75
	IPTOS_LOWDELAY = 0
	IPTOS_THROUGHPUT = 0
	SO_SNDBUF = 173400
	SO_RCVBUF = 87380
	SO_SNDLOWAT = 1
	SO_RCVLOWAT = 1
	SO_SNDTIMEO = 0
	SO_RCVTIMEO = 0
	TCP_QUICKACK = 1
Substituting charset 'ANSI_X3.4-1968' for LOCALE
cli_session_setup: NT1 session setup failed: NT_STATUS_INVALID_PARAMETER
failed session setup with NT_STATUS_INVALID_PARAMETER
Could not connect to server localhost
Connection failed: NT_STATUS_INVALID_PARAMETER
failed to make ipc connection: NT_STATUS_INVALID_PARAMETER
return code = -1

Kind regards,

Jelle de Jong

Marc Muehlfeld

2016-Dec-16 16:42 UTC

head link

[Samba] 2:3.6.6-6+deb7u10 -> client use spnego = yes -> The trust relationship between this workstation and the primary domain failed | no -> net rpc -> NT_STATUS_INVALID_PARAMETER

Hello Jelle,

Am 16.12.2016 um 15:53 schrieb Jelle de Jong via samba:> I am trying to keep my samba pdc working with windows 7 pro clients.
> 
> After my upgrade: 2016-12-15 15:10:16 upgrade samba:amd64
> 2:3.6.6-6+deb7u7 2:3.6.6-6+deb7u10

What happens if you upgrade your PDC to a recent Samba version (4.5.2)?
See https://wiki.samba.org/index.php/Samba_Release_Planning

3.6.6 was released in June 2012. And the 3.6 series is unsupported since
March 2015.

Regards,
Marc

Apparently Analagous Threads

Search for more apparently analagous threads

samba - Dec 2016 - 2:3.6.6-6+deb7u10 -> client use spnego = yes -> The trust relationship between this workstation and the primary domain failed | no -> net rpc -> NT_STATUS_INVALID_PARAMETER

[Samba] 2:3.6.6-6+deb7u10 -> client use spnego = yes -> The trust relationship between this workstation and the primary domain failed | no -> net rpc -> NT_STATUS_INVALID_PARAMETER

[Samba] 2:3.6.6-6+deb7u10 -> client use spnego = yes -> The trust relationship between this workstation and the primary domain failed | no -> net rpc -> NT_STATUS_INVALID_PARAMETER

Apparently Analagous Threads