Alberto Moreno
2017-Apr-18 21:34 UTC
[Samba] Centos 7 Samba3 to Samba4 Migration "Trust Relation Failed"
Hi.

I'm testing my migration from my PDC running CentOS 5.x Samba3+OpenLDAP to CentOS 7 Samba4 OpenLDAP 2.4.40.

I have moved all my settings and the server has all my users; in the console I see all my info.

Now, I connect a test machine that was on the same domain, but I get this error message when I try to log in with a domain user:

'The trust relation between this workstation and the primary domain failed'

This is not good; this domain has about 165 machines.

Part of my log from samba (machinename.log):

  Returning domain sid for domain MYDOMAIN -> S-1-5-21-805595659-1689854870-1539857752
[2017/04/18 11:00:57.397034, 2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2017/04/18 11:00:57.398431, 3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2017/04/18 11:00:57.399420, 2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: mbx-c14$
[2017/04/18 11:00:57.403331, 2] ../source3/passdb/pdb_ldap.c:2310(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 515
[2017/04/18 11:00:57.403539, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[mbx-c14$]
[2017/04/18 11:00:57.403605, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[mbx-c14$]
[2017/04/18 11:00:57.403628, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2650(get_user_info_18)
  User:[mbx-c14$] 0x80
[2017/04/18 11:00:57.403677, 2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
  credentials check failed
[2017/04/18 11:00:57.403683, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
[2017/04/18 11:00:57.404459, 3] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
  api_rpcTNP: rpc command: NETR_SERVERREQCHALLENGE
[2017/04/18 11:00:57.405424, 3] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
  api_rpcTNP: rpc command: NETR_SERVERAUTHENTICATE3
[2017/04/18 11:00:57.405546, 2] ../source3/rpc_server/samr/srv_samr_nt.c:4004(_samr_LookupDomain)
  Returning domain sid for domain MUEBLEX -> S-1-5-21-805595659-1689854870-1539857752
[2017/04/18 11:00:57.406023, 2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: mbx-c14$
[2017/04/18 11:00:57.406626, 2] ../source3/passdb/pdb_ldap.c:2310(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 515
[2017/04/18 11:00:57.406760, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[mbx-c14$]
[2017/04/18 11:00:57.406802, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[mbx-c14$]
[2017/04/18 11:00:57.406824, 3] ../source3/rpc_server/samr/srv_samr_nt.c:2650(get_user_info_18)
  User:[mbx-c14$] 0x80
[2017/04/18 11:00:57.406851, 2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
  credentials check failed
[2017/04/18 11:00:57.406856, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
[2017/04/18 11:01:10.746704, 3] ../source3/smbd/service.c:1148(close_cnum)
  mbx-c14 (ipv4:192.168.2.22:49443) closed connection to service IPC$
[2017/04/18 11:01:10.747766, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

Daemons running: smb, nmb, slapd, winbind

I can query my LDAP for my machine:

smbldap-usershow mbx-c14$
dn: uid=mbx-c14$,ou=Computers,dc=mydomain,dc=local
objectClass: top,account,posixAccount,sambaSamAccount
cn: mbx-c14$
uid: mbx-c14$
uidNumber: 1570
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-805595659-1689854870-1539857752-1516
displayName: MBX-C14$
sambaAcctFlags: [W          ]
sambaNTPassword: 3082999B924FC4A964DCF7AA0EF1BDDA
sambaPwdLastSet: 1488996103

pdbedit -Lv mbx-c14$
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: mbx-c14$
init_group_from_ldap: Entry found for group: 515
Unix username:        mbx-c14$
NT username:          mbx-c14$
Account Flags:        [W          ]
User SID:             S-1-5-21-805595659-1689854870-1539857752-1516
Primary Group SID:    S-1-5-21-805595659-1689854870-1539857752-515
Full Name:            MBX-C14$
Home Directory:
HomeDir Drive:
Logon Script:         mbx-c14_.bat
Profile Path:
Domain:               MYDOMAIN
Account desc:         Computer
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 08 Mar 2017 10:01:43 PST
Password can change:  Wed, 08 Mar 2017 10:01:43 PST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

My Samba config file didn't change too much; some settings are obsolete.

This is my smb.conf:

[global]
        workgroup = MYDOMAIN
        server string = PDC Domain
        netbios name = MYDOMAINPDC
        hosts allow = 192.168.2., 192.168.1., 127., 192.168.20., 192.168.30., 192.168.40., 192.168.50.,
        interfaces = enp3s0 lo0
        bind interfaces only = Yes
        hosts deny = 0.0.0.0
        smb ports = 139 445
        remote announce = 192.168.2.255
        lanman auth = Yes
        client lanman auth = Yes
        encrypt passwords = yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        pam password change = Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn *passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log level = 3
        log file = /var/log/samba/%m.log
        max log size = 2048
        name resolve order = wins bcast hosts lmhost
        time server = No
        use sendfile = yes
        map hidden = No
        map system = No
        map archive = No
        map read only = No
        store dos attributes = Yes
        Map to Guest = Bad User
        load printers = No
        printcap name
        cups options
        show add printer wizard = No
        add user script = /usr/sbin/smbldap-useradd -m %u
        delete user script = /usr/sbin/smbldap-userdel %u
        add group script = /usr/sbin/smbldap-groupadd -p %g
        delete group script = /usr/sbin/smbldap-groupdel %g
        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
        add machine script = /usr/sbin/smbldap-useradd -w %u
        ldap ssl = off
        ldap passwd sync = Yes
        ldap suffix = dc=mydomain,dc=local
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Manager,dc=mydomain,dc=local
        logon script = %U.bat
        logon path
        logon path
        logon home
        logon drive
        username map = /etc/samba/usermap
        preferred master = Yes
        wins support = Yes
        winbind nested groups = Yes
        ea support = Yes
        domain logons = Yes
        domain master = Yes
        local master = Yes
        map acl inherit = Yes
        unix charset = UTF8
        case sensitive = No

[netlogon]
        comment = Network Logon Service
        path = /home/samba/netlogon
        Locking = no

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No

[Public]
        comment = Public Folder
        path = /opt/public
        available = Yes
        browseable = Yes
        public = Yes
        read only = No
        guest ok = Yes
        writeable = yes
        create mode = 0775
        directory mode = 0775
        admin users = root

Any tip will be appreciated, thanks.

-- 
LIving the dream...
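The "credentials check failed" / "netlogon_creds_server_check failed" pair in the log above is the server side of NetrServerAuthenticate3: the workstation proves possession of its machine account password by a credential derived from it and the exchanged challenges, and smbd recomputes that credential from the NT hash it has in LDAP (sambaNTPassword). When the two disagree, smbd rejects the secure channel and Windows reports the trust-relationship error. After a migration that leaves only two usual causes: the domain SID in the copied sambaDomain entry no longer matches the SID baked into the machine account, or the copied machine password is older than the one the workstation now holds. The script below, an added example and not part of the original post or of Samba, parses the two artefacts the poster already has (the per-machine log and the machine account's LDAP attributes) and says which of the two it is looking at. The sample log and LDAP entry are constructed from the shapes quoted above (same SIDs, timestamps and sambaPwdLastSet), not real captures; sambaNTPassword is deliberately not included, since it is the machine credential itself and should be redacted before a dump is posted anywhere. The 30-day figure is the Windows default interval at which domain members rotate their machine password, and the verdict that mentions it is an inference, not something the log proves.

```python
"""Triage an NT4-style Samba PDC "trust relationship failed" report from the
per-machine smbd log (log level >= 2) plus the machine account's ldapsam entry."""
import re
from datetime import datetime, timezone

# Constructed sample input, trimmed from the shapes shown in the post above.
SAMBA_LOG = """\
[2017/04/18 11:00:57.405546, 2] ../source3/rpc_server/samr/srv_samr_nt.c:4004(_samr_LookupDomain)
  Returning domain sid for domain MYDOMAIN -> S-1-5-21-805595659-1689854870-1539857752
[2017/04/18 11:00:57.406023, 2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: mbx-c14$
[2017/04/18 11:00:57.406851, 2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
  credentials check failed
[2017/04/18 11:00:57.406856, 0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
"""

LDAP_ENTRY = """\
dn: uid=mbx-c14$,ou=Computers,dc=mydomain,dc=local
uid: mbx-c14$
sambaSID: S-1-5-21-805595659-1689854870-1539857752-1516
sambaAcctFlags: [W          ]
sambaPwdLastSet: 1488996103
"""

MACHINE_PW_MAX_AGE_DAYS = 30  # Windows default rotation interval for machine account passwords

DOMAIN_SID_RE = re.compile(r"Returning domain sid for domain (\S+) -> (S-1-5-21-\d+-\d+-\d+)")
REJECT_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+, \d+\][^\n]*\n\s*"
    r"_netr_ServerAuthenticate3: netlogon_creds_server_check failed\. "
    r"Rejecting auth request from client (\S+) machine account (\S+)",
    re.MULTILINE,
)


def split_sid(sid):
    """'S-1-5-21-a-b-c-1516' -> ('S-1-5-21-a-b-c', 1516); a bare domain SID gives RID None."""
    m = re.fullmatch(r"(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?", sid.strip())
    if not m:
        raise ValueError("not an NT domain SID: %r" % sid)
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def domain_sids(log):
    """Domain name -> SID, as logged by the SAMR LookupDomain handler."""
    return dict(DOMAIN_SID_RE.findall(log))


def netlogon_rejections(log):
    """(timestamp, client NetBIOS name, machine account) per ServerAuthenticate3 rejection."""
    return [(datetime.strptime(ts, "%Y/%m/%d %H:%M:%S"), client, acct)
            for ts, client, acct in REJECT_RE.findall(log)]


def ldap_attrs(entry):
    """Parse 'attr: value' lines of an LDIF-style dump (last value wins)."""
    attrs = {}
    for line in entry.splitlines():
        if ":" in line and not line.startswith("#"):
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def triage(log, entry):
    attrs = ldap_attrs(entry)
    acct_domain, rid = split_sid(attrs["sambaSID"])
    sids = domain_sids(log)
    rejections = netlogon_rejections(log)
    f = {
        "account": attrs.get("uid"),
        "rid": rid,
        "is_workstation_account": "W" in attrs.get("sambaAcctFlags", ""),
        "sid_match": acct_domain in sids.values(),
        "rejections": len(rejections),
        "pwd_age_days": None,
    }
    if rejections and "sambaPwdLastSet" in attrs:
        # sambaPwdLastSet is a Unix epoch; day granularity makes the log's
        # local-time timestamp good enough without timezone correction.
        pwd_set = datetime.fromtimestamp(int(attrs["sambaPwdLastSet"]), tz=timezone.utc).replace(tzinfo=None)
        f["pwd_age_days"] = (rejections[-1][0] - pwd_set).days

    if not rejections:
        verdict = "no NETLOGON rejection in this log; the failure is not a machine credential mismatch here"
    elif not f["is_workstation_account"]:
        verdict = "account lacks the W flag, so it is not a workstation trust account"
    elif not f["sid_match"]:
        verdict = "account SID prefix differs from the domain SID the server returns: domain SID changed"
    elif f["pwd_age_days"] is not None and f["pwd_age_days"] > MACHINE_PW_MAX_AGE_DAYS:
        verdict = ("SIDs match but the stored machine password is %d days old (> %d): the workstation "
                   "probably rotated it against the old PDC after this LDAP copy was taken; rejoin or reset"
                   % (f["pwd_age_days"], MACHINE_PW_MAX_AGE_DAYS))
    else:
        verdict = "SIDs match; stored machine password differs from the workstation's copy: rejoin or reset"
    f["verdict"] = verdict
    return f


if __name__ == "__main__":
    for key, value in triage(SAMBA_LOG, LDAP_ENTRY).items():
        print("%-24s %s" % (key, value))
```

Run against the constructed sample it reports matching SIDs, one rejection, and a stored password 40 days old, which points at the second cause rather than a SID problem. On a real migration the same check is worth running on the sambaDomain entry too (sambaSID there must equal what `net getdomainsid` prints), and the LDAP copy should be taken with the old PDC stopped, otherwise any machine that rotates its password in between ends up exactly like MBX-C14.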
Alberto Moreno
2017-Apr-20 04:11 UTC
[Samba] Centos 7 Samba3 to Samba4 Migration "Trust Relation Failed"
Any comment about this issue? :-(

On Tue, Apr 18, 2017 at 2:34 PM, Alberto Moreno <portsbsd at gmail.com> wrote:
> Hi.
>
> I'm testing my migration from my PDC running CentOS 5.x Samba3+OpenLDAP
> to CentOS 7 Samba4 OpenLDAP 2.4.40.
>
> I have moved all my settings and the server has all my users; in the
> console I see all my info.
>
> Now, I connect a test machine that was on the same domain, but I get this
> error message when I try to log in with a domain user:
>
> 'The trust relation between this workstation and the primary domain failed'
>
> This is not good; this domain has about 165 machines.
>
> [snip: full log, LDAP entry and smb.conf as in the message above]
>
> Any tip will be appreciated, thanks.
> --
> LIving the dream...

-- 
LIving the dream...