Alberto Moreno
2017-Apr-18 21:34 UTC
[Samba] Centos 7 Samba3 to Samba4 Migration "Trust Relation Failed"
Hi. I'm testing my migration from my PDC running Centos 5.x Samba3+OpenLDAP. to Centos7 Samba4 OpenLDAP 2.4.40 I had move all my settings and the server has all my users, in console I see all my info. Now, I connect a test machine that was on the same domain but I'm getting the bad message went I try to login with a domain user: 'The trust relation between this workstation and the primary domain failed' This is not good, this domain have about 165 machines. Part of my log from samba(machinename.log) I get this: Returning domain sid for domain MYDOMAIN -> S-1-5-21-805595659-1689854870- 1539857752 [2017/04/18 11:00:57.397034, 2] ../source3/lib/smbldap.c:794( smbldap_open_connection) smbldap_open_connection: connection opened [2017/04/18 11:00:57.398431, 3] ../source3/lib/smbldap.c:1013( smbldap_connect_system) ldap_connect_system: successful connection to the LDAP server [2017/04/18 11:00:57.399420, 2] ../source3/passdb/pdb_ldap.c: 524(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: mbx-c14$ [2017/04/18 11:00:57.403331, 2] ../source3/passdb/pdb_ldap.c: 2310(init_group_from_ldap) init_group_from_ldap: Entry found for group: 515 [2017/04/18 11:00:57.403539, 3] ../source3/rpc_server/samr/ srv_samr_nt.c:2947(_samr_QueryUserInfo) User:[mbx-c14$] [2017/04/18 11:00:57.403605, 3] ../source3/rpc_server/samr/ srv_samr_nt.c:2947(_samr_QueryUserInfo) User:[mbx-c14$] [2017/04/18 11:00:57.403628, 3] ../source3/rpc_server/samr/ srv_samr_nt.c:2650(get_user_info_18) User:[mbx-c14$] 0x80 [2017/04/18 11:00:57.403677, 2] ../libcli/auth/credentials.c: 403(netlogon_creds_server_check_internal) credentials check failed [2017/04/18 11:00:57.403683, 0] ../source3/rpc_server/ netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$ [2017/04/18 11:00:57.404459, 3] ../source3/rpc_server/srv_ pipe.c:1450(api_rpcTNP) api_rpcTNP: rpc command: NETR_SERVERREQCHALLENGE [2017/04/18 11:00:57.405424, 3] ../source3/rpc_server/srv_ pipe.c:1450(api_rpcTNP) api_rpcTNP: rpc command: NETR_SERVERAUTHENTICATE3 [2017/04/18 11:00:57.405546, 2] ../source3/rpc_server/samr/ srv_samr_nt.c:4004(_samr_LookupDomain) Returning domain sid for domain MUEBLEX -> S-1-5-21-805595659-1689854870- 1539857752 [2017/04/18 11:00:57.406023, 2] ../source3/passdb/pdb_ldap.c: 524(init_sam_from_ldap) init_sam_from_ldap: Entry found for user: mbx-c14$ [2017/04/18 11:00:57.406626, 2] ../source3/passdb/pdb_ldap.c: 2310(init_group_from_ldap) init_group_from_ldap: Entry found for group: 515 [2017/04/18 11:00:57.406760, 3] ../source3/rpc_server/samr/ srv_samr_nt.c:2947(_samr_QueryUserInfo) User:[mbx-c14$] [2017/04/18 11:00:57.406802, 3] ../source3/rpc_server/samr/ srv_samr_nt.c:2947(_samr_QueryUserInfo) User:[mbx-c14$] [2017/04/18 11:00:57.406824, 3] ../source3/rpc_server/samr/ srv_samr_nt.c:2650(get_user_info_18) User:[mbx-c14$] 0x80 [2017/04/18 11:00:57.406851, 2] ../libcli/auth/credentials.c: 403(netlogon_creds_server_check_internal) credentials check failed [2017/04/18 11:00:57.406856, 0] ../source3/rpc_server/ netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3) _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$ [2017/04/18 11:01:10.746704, 3] ../source3/smbd/service.c:1148(close_cnum) mbx-c14 (ipv4:192.168.2.22:49443) closed connection to service IPC$ [2017/04/18 11:01:10.747766, 3] ../source3/smbd/server_exit.c: 246(exit_server_common) Server exit (NT_STATUS_CONNECTION_RESET) Daemons running: smb,nmb,slapd,winbind I can query my ldap for my machine: smbldap-usershow mbx-c14$ dn: uid=mbx-c14$,ou=Computers,dc=mydomain,dc=local objectClass: top,account,posixAccount,sambaSamAccount cn: mbx-c14$ uid: mbx-c14$ uidNumber: 1570 gidNumber: 515 homeDirectory: /dev/null loginShell: /bin/false description: Computer gecos: Computer sambaSID: S-1-5-21-805595659-1689854870-1539857752-1516 displayName: MBX-C14$ sambaAcctFlags: [W ] sambaNTPassword: 3082999B924FC4A964DCF7AA0EF1BDDA sambaPwdLastSet: 1488996103 pdbedit -Lv mbx-c14$ No builtin backend found, trying to load plugin Module 'ldapsam' loaded smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))] smbldap_open_connection: connection opened ldap_connect_system: successful connection to the LDAP server init_sam_from_ldap: Entry found for user: mbx-c14$ init_group_from_ldap: Entry found for group: 515 Unix username: mbx-c14$ NT username: mbx-c14$ Account Flags: [W ] User SID: S-1-5-21-805595659-1689854870-1539857752-1516 Primary Group SID: S-1-5-21-805595659-1689854870-1539857752-515 Full Name: MBX-C14$ Home Directory: HomeDir Drive: Logon Script: mbx-c14_.bat Profile Path: Domain: MYDOMAIN Account desc: Computer Workstations: Munged dial: Logon time: 0 Logoff time: never Kickoff time: never Password last set: Wed, 08 Mar 2017 10:01:43 PST Password can change: Wed, 08 Mar 2017 10:01:43 PST Password must change: never Last bad password : 0 Bad password count : 0 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF My samba config file didn't change to much some settings obsolete. This is my smb,conf: [global] workgroup = MYDOMAIN server string = PDC Domain netbios name = MYDOMAINPDC hosts allow = 192.168.2., 192.168.1., 127., 192.168.20., 192.168.30., 192.168.40., 192.168.50., interfaces = enp3s0 lo0 bind interfaces only = Yes hosts deny = 0.0.0.0 smb ports = 139 445 remote announce = 192.168.2.255 lanman auth = Yes client lanman auth = Yes encrypt passwords = yes passdb backend = ldapsam:ldap://127.0.0.1/ pam password change= Yes passwd program = /usr/bin/passwd %u passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn * passwd:*all*authentication*tokens*updated*successfully* unix password sync = Yes log level = 3 log file = /var/log/samba/%m.log max log size = 2048 name resolve order = wins bcast hosts lmhost time server = No use sendfile = yes map hidden = No map system = No map archive = No map read only = No store dos attributes = Yes Map to Guest = Bad User load printers = No printcap name cups options show add printer wizard = No add user script = /usr/sbin/smbldap-useradd -m %u delete user script = /usr/sbin/smbldap-userdel %u add group script = /usr/sbin/smbldap-groupadd -p %g delete group script = /usr/sbin/smbldap-groupdel %g add user to group script = /usr/sbin/smbldap-groupmod -m %u %g delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g set primary group script = /usr/sbin/smbldap-usermod -g %g %u add machine script = /usr/sbin/smbldap-useradd -w %u ldap ssl = off ldap passwd sync = Yes ldap suffix = dc=mydomain,dc=local ldap machine suffix = ou=Computers ldap user suffix = ou=Users ldap group suffix = ou=Groups ldap idmap suffix = ou=Idmap ldap admin dn = cn=Manager,dc=mydomain,dc=local logon script =%U.bat logon path logon path logon home logon drive username map = /etc/samba/usermap preferred master = Yes wins support = Yes winbind nested groups = Yes ea support = Yes domain logons = Yes domain master = Yes local master = Yes map acl inherit = Yes unix charset = UTF8 case sensitive = No [netlogon] comment = Network Logon Service path = /home/samba/netlogon Locking = no [homes] comment = Home Directories valid users = %S read only = No browseable = No [Public] comment = Public Folder path = /opt/public available = Yes browseable = Yes public = Yes read only = No guest ok = Yes writeable = yes create mode = 0775 directory mode = 0775 admin users = root Any tip I will appreciate, thanks. -- LIving the dream...
Alberto Moreno
2017-Apr-20 04:11 UTC
[Samba] Centos 7 Samba3 to Samba4 Migration "Trust Relation Failed"
Any comment about this issue ? :-( On Tue, Apr 18, 2017 at 2:34 PM, Alberto Moreno <portsbsd at gmail.com> wrote:> > Hi. > > I'm testing my migration from my PDC running Centos 5.x Samba3+OpenLDAP. > to Centos7 Samba4 OpenLDAP 2.4.40 > > I had move all my settings and the server has all my users, in console I > see > all my info. > > Now, I connect a test machine that was on the same domain but I'm getting > the bad message went I try to login with a domain user: > > 'The trust relation between this workstation and the primary domain failed' > > This is not good, this domain have about 165 machines. > > Part of my log from samba(machinename.log) I get this: > > Returning domain sid for domain MYDOMAIN -> > S-1-5-21-805595659-1689854870-1539857752 > [2017/04/18 11:00:57.397034, 2] ../source3/lib/smbldap.c:794(s > mbldap_open_connection) > smbldap_open_connection: connection opened > [2017/04/18 11:00:57.398431, 3] ../source3/lib/smbldap.c:1013( > smbldap_connect_system) > ldap_connect_system: successful connection to the LDAP server > [2017/04/18 11:00:57.399420, 2] ../source3/passdb/pdb_ldap.c:5 > 24(init_sam_from_ldap) > init_sam_from_ldap: Entry found for user: mbx-c14$ > [2017/04/18 11:00:57.403331, 2] ../source3/passdb/pdb_ldap.c:2 > 310(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 515 > [2017/04/18 11:00:57.403539, 3] ../source3/rpc_server/samr/srv > _samr_nt.c:2947(_samr_QueryUserInfo) > User:[mbx-c14$] > [2017/04/18 11:00:57.403605, 3] ../source3/rpc_server/samr/srv > _samr_nt.c:2947(_samr_QueryUserInfo) > User:[mbx-c14$] > [2017/04/18 11:00:57.403628, 3] ../source3/rpc_server/samr/srv > _samr_nt.c:2650(get_user_info_18) > User:[mbx-c14$] 0x80 > [2017/04/18 11:00:57.403677, 2] ../libcli/auth/credentials.c:4 > 03(netlogon_creds_server_check_internal) > credentials check failed > [2017/04/18 11:00:57.403683, 0] ../source3/rpc_server/netlogon > /srv_netlog_nt.c:1007(_netr_ServerAuthenticate3) > _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting > auth request from client MBX-C14 machine account MBX-C14$ > [2017/04/18 11:00:57.404459, 3] ../source3/rpc_server/srv_pipe > .c:1450(api_rpcTNP) > api_rpcTNP: rpc command: NETR_SERVERREQCHALLENGE > [2017/04/18 11:00:57.405424, 3] ../source3/rpc_server/srv_pipe > .c:1450(api_rpcTNP) > api_rpcTNP: rpc command: NETR_SERVERAUTHENTICATE3 > [2017/04/18 11:00:57.405546, 2] ../source3/rpc_server/samr/srv > _samr_nt.c:4004(_samr_LookupDomain) > Returning domain sid for domain MUEBLEX -> S-1-5-21-805595659-1689854870- > 1539857752 > [2017/04/18 11:00:57.406023, 2] ../source3/passdb/pdb_ldap.c:5 > 24(init_sam_from_ldap) > init_sam_from_ldap: Entry found for user: mbx-c14$ > [2017/04/18 11:00:57.406626, 2] ../source3/passdb/pdb_ldap.c:2 > 310(init_group_from_ldap) > init_group_from_ldap: Entry found for group: 515 > [2017/04/18 11:00:57.406760, 3] ../source3/rpc_server/samr/srv > _samr_nt.c:2947(_samr_QueryUserInfo) > User:[mbx-c14$] > [2017/04/18 11:00:57.406802, 3] ../source3/rpc_server/samr/srv > _samr_nt.c:2947(_samr_QueryUserInfo) > User:[mbx-c14$] > [2017/04/18 11:00:57.406824, 3] ../source3/rpc_server/samr/srv > _samr_nt.c:2650(get_user_info_18) > User:[mbx-c14$] 0x80 > [2017/04/18 11:00:57.406851, 2] ../libcli/auth/credentials.c:4 > 03(netlogon_creds_server_check_internal) > credentials check failed > [2017/04/18 11:00:57.406856, 0] ../source3/rpc_server/netlogon > /srv_netlog_nt.c:1007(_netr_ServerAuthenticate3) > _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting > auth request from client MBX-C14 machine account MBX-C14$ > [2017/04/18 11:01:10.746704, 3] ../source3/smbd/service.c:1148 > (close_cnum) > mbx-c14 (ipv4:192.168.2.22:49443) closed connection to service IPC$ > [2017/04/18 11:01:10.747766, 3] ../source3/smbd/server_exit.c: > 246(exit_server_common) > Server exit (NT_STATUS_CONNECTION_RESET) > > Daemons running: smb,nmb,slapd,winbind > > I can query my ldap for my machine: > > smbldap-usershow mbx-c14$ > dn: uid=mbx-c14$,ou=Computers,dc=mydomain,dc=local > objectClass: top,account,posixAccount,sambaSamAccount > cn: mbx-c14$ > uid: mbx-c14$ > uidNumber: 1570 > gidNumber: 515 > homeDirectory: /dev/null > loginShell: /bin/false > description: Computer > gecos: Computer > sambaSID: S-1-5-21-805595659-1689854870-1539857752-1516 > displayName: MBX-C14$ > sambaAcctFlags: [W ] > sambaNTPassword: 3082999B924FC4A964DCF7AA0EF1BDDA > sambaPwdLastSet: 1488996103 > > > pdbedit -Lv mbx-c14$ > No builtin backend found, trying to load plugin > Module 'ldapsam' loaded > smbldap_search_domain_info: Searching for:[(&(objectClass> sambaDomain)(sambaDomainName=MYDOMAIN))] > smbldap_open_connection: connection opened > ldap_connect_system: successful connection to the LDAP server > init_sam_from_ldap: Entry found for user: mbx-c14$ > init_group_from_ldap: Entry found for group: 515 > Unix username: mbx-c14$ > NT username: mbx-c14$ > Account Flags: [W ] > User SID: S-1-5-21-805595659-1689854870-1539857752-1516 > Primary Group SID: S-1-5-21-805595659-1689854870-1539857752-515 > Full Name: MBX-C14$ > Home Directory: > HomeDir Drive: > Logon Script: mbx-c14_.bat > Profile Path: > Domain: MYDOMAIN > Account desc: Computer > Workstations: > Munged dial: > Logon time: 0 > Logoff time: never > Kickoff time: never > Password last set: Wed, 08 Mar 2017 10:01:43 PST > Password can change: Wed, 08 Mar 2017 10:01:43 PST > Password must change: never > Last bad password : 0 > Bad password count : 0 > Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF > > My samba config file didn't change to much some settings obsolete. > > This is my smb,conf: > > [global] > workgroup = MYDOMAIN > server string = PDC Domain > netbios name = MYDOMAINPDC > hosts allow = 192.168.2., 192.168.1., 127., 192.168.20., > 192.168.30., 192.168.40., 192.168.50., > interfaces = enp3s0 lo0 > bind interfaces only = Yes > hosts deny = 0.0.0.0 > smb ports = 139 445 > remote announce = 192.168.2.255 > lanman auth = Yes > client lanman auth = Yes > encrypt passwords = yes > passdb backend = ldapsam:ldap://127.0.0.1/ > pam password change= Yes > passwd program = /usr/bin/passwd %u > passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* > %nn * passwd:*all*authentication*tokens*updated*successfully* > unix password sync = Yes > log level = 3 > log file = /var/log/samba/%m.log > max log size = 2048 > name resolve order = wins bcast hosts lmhost > time server = No > use sendfile = yes > map hidden = No > map system = No > map archive = No > map read only = No > store dos attributes = Yes > Map to Guest = Bad User > load printers = No > printcap name > cups options > show add printer wizard = No > add user script = /usr/sbin/smbldap-useradd -m %u > delete user script = /usr/sbin/smbldap-userdel %u > add group script = /usr/sbin/smbldap-groupadd -p %g > delete group script = /usr/sbin/smbldap-groupdel %g > add user to group script = /usr/sbin/smbldap-groupmod -m %u %g > delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g > set primary group script = /usr/sbin/smbldap-usermod -g %g %u > add machine script = /usr/sbin/smbldap-useradd -w %u > ldap ssl = off > ldap passwd sync = Yes > ldap suffix = dc=mydomain,dc=local > ldap machine suffix = ou=Computers > ldap user suffix = ou=Users > ldap group suffix = ou=Groups > ldap idmap suffix = ou=Idmap > ldap admin dn = cn=Manager,dc=mydomain,dc=local > logon script =%U.bat > logon path > logon path > logon home > logon drive > username map = /etc/samba/usermap > preferred master = Yes > wins support = Yes > winbind nested groups = Yes > ea support = Yes > domain logons = Yes > domain master = Yes > local master = Yes > map acl inherit = Yes > unix charset = UTF8 > case sensitive = No > > [netlogon] > comment = Network Logon Service > path = /home/samba/netlogon > Locking = no > > [homes] > comment = Home Directories > valid users = %S > read only = No > browseable = No > > [Public] > comment = Public Folder > path = /opt/public > available = Yes > browseable = Yes > public = Yes > read only = No > guest ok = Yes > writeable = yes > create mode = 0775 > directory mode = 0775 > admin users = root > > Any tip I will appreciate, thanks. > -- > LIving the dream... >-- LIving the dream...
Apparently Analagous Threads
- Upgrade/migrate, lost workstation trusts
- domain member server smb won't start
- Samba after upgrade+migration, Win7 workstation trusts lost
- cli_rpc_pipe_open_schannel_with_creds: rpc_pipe_bind failed with error NT_STATUS_RPC_PROTOCOL_ERROR
- Samba4 AD cannot see machines in windows browser