From: nf-vale on
Make sure that these settings are as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001

It helped solve a problem like the one you're having.

On Thursday 14 January 2010 09:27:08 Richard Basch wrote:
> I have been going through all the Wikis and various Google searches to try
> to solve my problem, all to no avail.
>
> I can mount a Samba share, but whenever I try to login using a domain
> account, I receive an error about "The trust relationship between this
> workstation and the primary domain failed."
>
> What I have done so far, all to no avail.
> - Upgraded from Samba 3.4.2 to Samba 3.4.4 (under OpenSUSE 11.2)
> - Edited the registry settings on my Windows 7 client
> HKLM\System\CCS\Services\LanmanWorkstation\Parameters
> DWORD DomainCompatibilityMode = 1
> DWORD DNSNameResolutionRequired = 0
> (I also tried reducing the security requirements for signing & encryption,
> but have read this is not required with current versions of Samba.)
>
> (And, I am running Windows 7 Professional on my client.)
>
> "testparm -v" indicates my smb.conf is valid, and I am able to mount
> shares, which is a positive indication the OpenLDAP integration is
> working. I am running OpenLDAP 2.4.15 or higher on all my LDAP servers (I
> think they are all 2.4.19 - 2.4.21).
>
> DNS is static, with none of the normal ADS entries. Only the DHCP server
> is allowed to modify DNS (and only the forward map allows updates, since
> DHCP updates of the reverse in-addr.arpa maps were problematic). To
> assist with finding the domain controller, I added the following to
> C:\Windows\System32\Drivers\etc\lmhosts:
> 192.168.15.2 tardis #PRE #DOM:N2HA
> (Thus my attempts to join the domain appear successful, with the documented
> warnings about the domain suffix. Unfortunately, appearances are deceiving
> when I actually try to login using a domain account.)
>
> Attached are entries from my smbd.log and C:\Windows\debug\NetSetup.log and
> smb.conf.
>
> Any assistance or guidance would be greatly appreciated.
>
> log.smbd
> ========
> [2010/01/14 03:31:38, 0]
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
> auth request from client BAST machine account BAST$
> [2010/01/14 03:31:38, 0]
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
> auth request from client BAST machine account BAST$
> [2010/01/14 03:31:48, 0] lib/util_sock.c:539(read_fd_with_timeout)
> [2010/01/14 03:31:48, 0] lib/util_sock.c:1491(get_peer_addr_internal)
> getpeername failed. Error was Transport endpoint is not connected
> read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
> peer.
> [2010/01/14 03:33:17, 0]
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
> auth request from client BAST machine account BAST$
> [2010/01/14 03:33:17, 0]
> rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
> auth request from client BAST machine account BAST$
> [2010/01/14 03:33:30, 0] lib/util_sock.c:539(read_fd_with_timeout)
> [2010/01/14 03:33:30, 0] lib/util_sock.c:1491(get_peer_addr_internal)
> getpeername failed. Error was Transport endpoint is not connected
> read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
> peer.
> [2010/01/14 03:34:18, 0] lib/util_sock.c:539(read_fd_with_timeout)
> [2010/01/14 03:34:18, 0] lib/util_sock.c:1491(get_peer_addr_internal)
> getpeername failed. Error was Transport endpoint is not connected
> read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by
> peer.
>
>
> C:\Windows\debug\NetSetup.log
> =============================
> 01/13/2010 23:36:18:337 NetpJoinDomain: status of connecting to dc
> '\\TARDIS': 0x0
> 01/13/2010 23:36:18:337 NetpProvisionComputerAccount:
> 01/13/2010 23:36:18:337 lpDomain: N2HA
> 01/13/2010 23:36:18:337 lpMachineName: BAST
> 01/13/2010 23:36:18:337 lpMachineAccountOU: (NULL)
> 01/13/2010 23:36:18:337 lpDcName: TARDIS
> 01/13/2010 23:36:18:337 lpDnsHostName: (NULL)
> 01/13/2010 23:36:18:337 lpMachinePassword: (null)
> 01/13/2010 23:36:18:337 lpAccount: N2HA\ntadmin
> 01/13/2010 23:36:18:337 lpPassword: (non-null)
> 01/13/2010 23:36:18:337 dwJoinOptions: 0x25
> 01/13/2010 23:36:18:337 dwOptions: 0x40000003
> 01/13/2010 23:36:18:352 NetpLdapBind: ldap_bind failed on TARDIS: 49:
> Invalid Credentials
> 01/13/2010 23:36:18:426 NetpGetLsaPrimaryDomain: DNS Domain policy not
> supported, falling back to Primary Domain
> 01/13/2010 23:36:18:430 NetpGetLsaPrimaryDomain: status: 0x0
> 01/13/2010 23:36:18:432 NetpCreateComputerObjectInDs: DC passed '\\TARDIS'
> doesn't have writable DS 0x101
> 01/13/2010 23:36:18:432 NetpProvisionComputerAccount: LDAP creation failed:
> 0x32
> 01/13/2010 23:36:18:432 NetpJoinDomainOnDs: Function exits with status of:
> 0x32
> 01/13/2010 23:36:18:434 NetpJoinDomainOnDs: status of disconnecting from
> '\\TARDIS': 0x0
> 01/13/2010 23:36:18:434 NetpDoDomainJoin: status: 0x32
> 01/13/2010 23:36:18:450
> -----------------------------------------------------------------
> 01/13/2010 23:36:18:450 NetpDoDomainJoin
> 01/13/2010 23:36:18:450 NetpMachineValidToJoin: 'BAST'
> 01/13/2010 23:36:18:450 OS Version: 6.1
> 01/13/2010 23:36:18:450 Build number: 7600
> (7600.win7_rtm.090713-1255)
> 01/13/2010 23:36:18:451 SKU: Windows 7 Professional
> 01/13/2010 23:36:18:451 NetpDomainJoinLicensingCheck: ulLicenseValue=1,
> Status: 0x0
> 01/13/2010 23:36:18:452 NetpGetLsaPrimaryDomain: status: 0x0
> 01/13/2010 23:36:18:453 NetpMachineValidToJoin: status: 0x0
> 01/13/2010 23:36:18:453 NetpJoinDomain
> 01/13/2010 23:36:18:453 Machine: BAST
> 01/13/2010 23:36:18:453 Domain: N2HA
> 01/13/2010 23:36:18:453 MachineAccountOU: (NULL)
> 01/13/2010 23:36:18:453 Account: N2HA\ntadmin
> 01/13/2010 23:36:18:453 Options: 0x27
> 01/13/2010 23:36:18:453 NetpLoadParameters: loading registry parameters...
> 01/13/2010 23:36:18:453 NetpLoadParameters: status:
> DNSNameResolutionRequired set to '0'
> 01/13/2010 23:36:18:453 NetpLoadParameters: status: DomainCompatibilityMode
> set to '1'
> 01/13/2010 23:36:18:453 NetpLoadParameters: status: 0x0
> 01/13/2010 23:36:18:453 NetpValidateName: checking to see if 'N2HA' is
> valid as type 3 name
> 01/13/2010 23:36:18:554 NetpCheckDomainNameIsValid [ Exists ] for 'N2HA'
> returned 0x0
> 01/13/2010 23:36:18:554 NetpValidateName: name 'N2HA' is valid for type 3
> 01/13/2010 23:36:18:554 NetpDsGetDcName: trying to find DC in domain
> 'N2HA', flags: 0x1020
> 01/13/2010 23:36:18:755 NetpLoadParameters: loading registry parameters...
> 01/13/2010 23:36:18:755 NetpLoadParameters: status:
> DNSNameResolutionRequired set to '0'
> 01/13/2010 23:36:18:755 NetpLoadParameters: status: DomainCompatibilityMode
> set to '1'
> 01/13/2010 23:36:18:755 NetpLoadParameters: status: 0x0
> 01/13/2010 23:36:18:755 NetpDsGetDcName: found DC '\\TARDIS' in the
> specified domain
> 01/13/2010 23:36:18:755 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
> 01/13/2010 23:36:18:756 NetpJoinDomain: status of connecting to dc
> '\\TARDIS': 0x0
> 01/13/2010 23:36:18:756 NetpProvisionComputerAccount:
> 01/13/2010 23:36:18:756 lpDomain: N2HA
> 01/13/2010 23:36:18:756 lpMachineName: BAST
> 01/13/2010 23:36:18:756 lpMachineAccountOU: (NULL)
> 01/13/2010 23:36:18:756 lpDcName: TARDIS
> 01/13/2010 23:36:18:756 lpDnsHostName: (NULL)
> 01/13/2010 23:36:18:756 lpMachinePassword: (null)
> 01/13/2010 23:36:18:756 lpAccount: N2HA\ntadmin
> 01/13/2010 23:36:18:756 lpPassword: (non-null)
> 01/13/2010 23:36:18:756 dwJoinOptions: 0x27
> 01/13/2010 23:36:18:756 dwOptions: 0x40000003
> 01/13/2010 23:36:18:764 NetpLdapBind: ldap_bind failed on TARDIS: 49:
> Invalid Credentials
> 01/13/2010 23:36:18:773 NetpGetLsaPrimaryDomain: DNS Domain policy not
> supported, falling back to Primary Domain
> 01/13/2010 23:36:18:776 NetpGetLsaPrimaryDomain: status: 0x0
> 01/13/2010 23:36:18:779 NetpCreateComputerObjectInDs: DC passed '\\TARDIS'
> doesn't have writable DS 0x101
> 01/13/2010 23:36:18:779 NetpProvisionComputerAccount: LDAP creation failed:
> 0x32
> 01/13/2010 23:36:18:779 NetpProvisionComputerAccount: Retrying downlevel
> per options
> 01/13/2010 23:36:18:881 NetpManageMachineAccountWithSid: NetUserAdd on
> 'TARDIS' for 'BAST$' failed: 0x8b0
> 01/13/2010 23:36:19:287 NetpManageMachineAccountWithSid: status of
> attempting to set password on 'TARDIS' for 'BAST$': 0x0
> 01/13/2010 23:36:19:287 NetpProvisionComputerAccount: retry status of
> creating account: 0x0
> 01/13/2010 23:36:19:287 NetpEncodeProvisioningBlob: Encoding provisioning
> data
> 01/13/2010 23:36:19:287 NetpInitBlobWin7: Constructing blob...
> 01/13/2010 23:36:19:287 Blob version: 1
>
> smb.conf
> ========
> [global]
> workgroup = N2HA
> realm = INTERNAL.BRIGHT-PROSPECTS.COM
> security = user
> map to guest = Bad User
> usershare allow guests = Yes
>
> server string = %h (Samba %v)
> hosts allow = 192.168.0.0/16
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> smb ports = 445 139
> ;os level = 65
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
> winbind use default domain = yes
>
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
>
> name resolve order = wins lmhosts bcast
> wins support = yes
> dns proxy = no
> ea support = yes
> enable asu support = yes
> time server = yes
> deadtime = 10
> max log size = 4096
> hide unreadable = yes
> hide dot files = no
> template shell = /bin/false
> veto oplock files = /*.pst/*.nsf/*.doc/*.xls/*.mdb/
>
> client lanman auth = no
> client ntlmv2 auth = yes
> client plaintext auth = no
> encrypt passwords = yes
> lanman auth = no
> ntlm auth = yes
> null passwords = yes
> server signing = auto
> server schannel = auto
>
> passdb backend = ldapsam:ldaps://ldap.internal.bright-prospects.com/
> obey pam restrictions = no
> ldap ssl = no
> ldap admin dn = "uid=ntadmin,ou=System,ou=User,dc=bright-prospects,dc=com"
> ldap suffix = dc=bright-prospects,dc=com
> ldap machine suffix = sambaDomainName=N2HA,ou=Network
> ldap user suffix = ou=People,ou=User
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=IdMap,ou=Network
> ldap passwd sync = yes
> ldap delete dn = no
>
> add user script = /home/admin/bin/smbldap-useradd -m %u
> delete user script = /home/admin/bin/smbldap-userdel %u
> add machine script = /home/admin/bin/smbldap-useradd -w %u
> add group script = /home/admin/bin/smbldap-groupadd -p %g
> #delete group script = /home/admin/bin/smbldap-groupdel %g
> add user to group script = /home/admin/bin/smbldap-groupmod -m %u %g
> delete user from group script = /home/admin/bin/smbldap-groupmod -x %u %g
> set primary group script = /home/admin/bin/smbldap-usermod -g %g %u
> passwd program = /home/admin/bin/smbldap-passwd %u
>
> vfs objects = extd_audit recycle
> recycle: directory_mode = 0770
> recycle: keeptree = 1
> recycle: touch = 1
> recycle: minsize = 1
> recycle: maxsize = 5000000
> recycle: exclude = *.tmp *.temp ~$* *.obj *.~??
> recycle: exclude_dir = /RealTimeBackup
> ;vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
>
> [homes]
> comment = Home Directories
> ;valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
> ;
> locking = no
> hide files = /.*/desktop.ini/thumbs.db/*.bitmap/NTUSER.*/
> hide special files = yes
> path = /home/%S
> [profiles]
> comment = Network Profiles Service
> ;path = %H
> read only = No
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> ;
> hide files = /desktop.ini/thumbs.db/*.bitmap/
> guest ok = yes
> path = /home/profiles
> [users]
> comment = All users
> path = /home
> read only = No
> inherit acls = Yes
> veto files = /aquota.user/groups/shares/
> [groups]
> comment = All groups
> path = /home/groups
> read only = No
> inherit acls = Yes
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0600
> browseable = No
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: David Whitney on
For what it's worth, I've encountered this trust failing issue a couple of
times. These two solutions allowed me to solve it without rejoining the
domain:

* Set RequireStrongKey to 0

This solved a problem with a Win7 box immediately in one instance. Won't
promise that's the *prescribed* setting, just know it solved a problem for
me.

* Resync the time source of the client computer with the same source used by
the DC.

This has worked for me more than once. Again, won't promise to fully
understand why, except to speculate something getting out of sync with
regard to machine password validity date ranges, but all I can say is that I
had this domain trust failure with a box, and after the time resync, the
problem went away.

On Thu, Jan 14, 2010 at 5:03 AM, nf-vale <nf-vale(a)critical-links.com> wrote:

> Make sure that these settings are as follows:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters]
> "RequireSignOrSeal"=dword:00000001
> "RequireStrongKey"=dword:00000001
>
> It helped solve a problem like the one you're having.
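As an added example (not code from any poster in this thread), the following PowerShell audit, run on the Windows 7 client, checks the Netlogon values nf-vale names and the LanmanWorkstation values Richard set against the values the thread states, and samples the clock offset against the DC as David suggests. It assumes the DC name TARDIS from the thread and a 300-second skew threshold; it changes nothing and only prints the command that would apply a differing value.

```powershell
# Added example: audit-only check of the client-side settings discussed in the
# thread plus clock skew against the Samba DC. Nothing is modified.
param(
    [string]$DcName = 'TARDIS',        # Samba PDC from the thread; adjust for your domain
    [double]$MaxOffsetSeconds = 300    # assumption: skew tolerance before flagging
)

# Expected values as stated in the thread. nf-vale recommends RequireStrongKey=1;
# David Whitney reports 0 also resolved the problem for him. 1 is the baseline here.
$expected = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';
       Name = 'RequireSignOrSeal'; Value = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters';
       Name = 'RequireStrongKey'; Value = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';
       Name = 'DomainCompatibilityMode'; Value = 1 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';
       Name = 'DNSNameResolutionRequired'; Value = 0 }
)

function Test-RegistryBaseline {
    param([array]$Baseline)
    foreach ($item in $Baseline) {
        $actual = $null
        $props = Get-ItemProperty -Path $item.Key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties[$item.Name]) {
            $actual = [int]$props.$($item.Name)
        }
        $status = if ($actual -eq $item.Value) { 'OK' }
                  elseif ($null -eq $actual)   { 'MISSING' }
                  else                         { 'MISMATCH' }
        New-Object PSObject -Property @{
            Setting  = "$($item.Key)\$($item.Name)"
            Expected = $item.Value
            Actual   = $actual
            Status   = $status
        }
    }
}

function Get-ClockOffsetSeconds {
    param([string]$Server)
    # With /dataonly, w32tm prints one "HH:MM:SS, +00.1234567s" line per sample.
    $lines = & w32tm.exe /stripchart /computer:$Server /samples:3 /dataonly 2>&1
    $offsets = $lines | ForEach-Object {
        if ($_ -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }   # DC unreachable or UDP/123 blocked
    ($offsets | Measure-Object -Average).Average
}

$results = Test-RegistryBaseline -Baseline $expected
$results | Select-Object Setting, Expected, Actual, Status | Format-Table -AutoSize

# For each deviation, print (do not run) the command that would apply the thread's value.
foreach ($r in ($results | Where-Object { $_.Status -ne 'OK' })) {
    $key, $name = $r.Setting -split '\\(?=[^\\]+$)'   # split at the last backslash
    Write-Host "To apply the thread's value: Set-ItemProperty -Path '$key' -Name '$name' -Type DWord -Value $($r.Expected)"
}

$offset = Get-ClockOffsetSeconds -Server $DcName
if ($null -eq $offset) {
    Write-Warning "Could not sample time from $DcName; check name resolution (lmhosts) and UDP/123."
} elseif ([math]::Abs($offset) -gt $MaxOffsetSeconds) {
    Write-Warning ("Clock differs from {0} by {1:N1} s; resync with: w32tm /config /syncfromflags:manual /manualpeerlist:{0} ; w32tm /resync" -f $DcName, $offset)
} else {
    Write-Host ("Clock offset from {0}: {1:N3} s (within {2} s)" -f $DcName, $offset, $MaxOffsetSeconds)
}
```

Run it from an elevated prompt so the registry keys are readable; the time sample requires the DC to answer NTP on UDP/123, which the thread's Samba server does only if it is also running an NTP daemon.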
From: Dale Schroeder on
Using 3.4.3, I could not establish a machine trust with either Win7 or XP. After a lot of searching, I located an old forum entry that said to add the -i switch to the add machine parameter. After doing that one change, adding a system to the domain went as expected. Perhaps it will work for you.

I had not previously seen "-i" used in any howto, but it worked as the writer said it would. Using your smb.conf entry:

add machine script = /home/admin/bin/smbldap-useradd -i -w '%u'

Dale


On 01/14/2010 3:27 AM, Richard Basch wrote:
> set to '1'
> 01/13/2010 23:36:18:755 NetpLoadParameters: status: 0x0
> 01/13/2010 23:36:18:755 NetpDsGetDcName: found DC '\\TARDIS' in the
> specified domain
> 01/13/2010 23:36:18:755 NetpJoinDomainOnDs: NetpDsGetDcName returned: 0x0
> 01/13/2010 23:36:18:756 NetpJoinDomain: status of connecting to dc
> '\\TARDIS': 0x0
> 01/13/2010 23:36:18:756 NetpProvisionComputerAccount:
> 01/13/2010 23:36:18:756 lpDomain: N2HA
> 01/13/2010 23:36:18:756 lpMachineName: BAST
> 01/13/2010 23:36:18:756 lpMachineAccountOU: (NULL)
> 01/13/2010 23:36:18:756 lpDcName: TARDIS
> 01/13/2010 23:36:18:756 lpDnsHostName: (NULL)
> 01/13/2010 23:36:18:756 lpMachinePassword: (null)
> 01/13/2010 23:36:18:756 lpAccount: N2HA\ntadmin
> 01/13/2010 23:36:18:756 lpPassword: (non-null)
> 01/13/2010 23:36:18:756 dwJoinOptions: 0x27
> 01/13/2010 23:36:18:756 dwOptions: 0x40000003
> 01/13/2010 23:36:18:764 NetpLdapBind: ldap_bind failed on TARDIS: 49:
> Invalid Credentials
> 01/13/2010 23:36:18:773 NetpGetLsaPrimaryDomain: DNS Domain policy not
> supported, falling back to Primary Domain
> 01/13/2010 23:36:18:776 NetpGetLsaPrimaryDomain: status: 0x0
> 01/13/2010 23:36:18:779 NetpCreateComputerObjectInDs: DC passed '\\TARDIS'
> doesn't have writable DS 0x101
> 01/13/2010 23:36:18:779 NetpProvisionComputerAccount: LDAP creation failed:
> 0x32
> 01/13/2010 23:36:18:779 NetpProvisionComputerAccount: Retrying downlevel per
> options
> 01/13/2010 23:36:18:881 NetpManageMachineAccountWithSid: NetUserAdd on
> 'TARDIS' for 'BAST$' failed: 0x8b0
> 01/13/2010 23:36:19:287 NetpManageMachineAccountWithSid: status of
> attempting to set password on 'TARDIS' for 'BAST$': 0x0
> 01/13/2010 23:36:19:287 NetpProvisionComputerAccount: retry status of
> creating account: 0x0
> 01/13/2010 23:36:19:287 NetpEncodeProvisioningBlob: Encoding provisioning
> data
> 01/13/2010 23:36:19:287 NetpInitBlobWin7: Constructing blob...
> 01/13/2010 23:36:19:287 Blob version: 1
>
> smb.conf
> ========
> [global]
> workgroup = N2HA
> realm = INTERNAL.BRIGHT-PROSPECTS.COM
> security = user
> map to guest = Bad User
> usershare allow guests = Yes
>
> server string = %h (Samba %v)
> hosts allow = 192.168.0.0/16
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> smb ports = 445 139
> ;os level = 65
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
> winbind use default domain = yes
>
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
>
> name resolve order = wins lmhosts bcast
> wins support = yes
> dns proxy = no
> ea support = yes
> enable asu support = yes
> time server = yes
> deadtime = 10
> max log size = 4096
> hide unreadable = yes
> hide dot files = no
> template shell = /bin/false
> veto oplock files = /*.pst/*.nsf/*.doc/*.xls/*.mdb/
>
> client lanman auth = no
> client ntlmv2 auth = yes
> client plaintext auth = no
> encrypt passwords = yes
> lanman auth = no
> ntlm auth = yes
> null passwords = yes
> server signing = auto
> server schannel = auto
>
> passdb backend = ldapsam:ldaps://ldap.internal.bright-prospects.com/
> obey pam restrictions = no
> ldap ssl = no
> ldap admin dn = "uid=ntadmin,ou=System,ou=User,dc=bright-prospects,dc=com"
> ldap suffix = dc=bright-prospects,dc=com
> ldap machine suffix = sambaDomainName=N2HA,ou=Network
> ldap user suffix = ou=People,ou=User
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=IdMap,ou=Network
> ldap passwd sync = yes
> ldap delete dn = no
>
> add user script = /home/admin/bin/smbldap-useradd -m %u
> delete user script = /home/admin/bin/smbldap-userdel %u
> add machine script = /home/admin/bin/smbldap-useradd -w %u
> add group script = /home/admin/bin/smbldap-groupadd -p %g
> #delete group script = /home/admin/bin/smbldap-groupdel %g
> add user to group script = /home/admin/bin/smbldap-groupmod -m %u %g
> delete user from group script = /home/admin/bin/smbldap-groupmod -x %u %g
> set primary group script = /home/admin/bin/smbldap-usermod -g %g %u
> passwd program = /home/admin/bin/smbldap-passwd %u
>
> vfs objects = extd_audit recycle
> recycle: directory_mode = 0770
> recycle: keeptree = 1
> recycle: touch = 1
> recycle: minsize = 1
> recycle: maxsize = 5000000
> recycle: exclude = *.tmp *.temp ~$* *.obj *.~??
> recycle: exclude_dir = /RealTimeBackup
> ;vscan-clamav: config-file = /etc/samba/vscan-clamav.conf
>
> [homes]
> comment = Home Directories
> ;valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
> ;
> locking = no
> hide files = /.*/desktop.ini/thumbs.db/*.bitmap/NTUSER.*/
> hide special files = yes
> path = /home/%S
> [profiles]
> comment = Network Profiles Service
> ;path = %H
> read only = No
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> ;
> hide files = /desktop.ini/thumbs.db/*.bitmap/
> guest ok = yes
> path = /home/profiles
> [users]
> comment = All users
> path = /home
> read only = No
> inherit acls = Yes
> veto files = /aquota.user/groups/shares/
> [groups]
> comment = All groups
> path = /home/groups
> read only = No
> inherit acls = Yes
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0600
> browseable = No
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
>
>
>
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
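The reply above fixes the client side of the secure channel (RequireSignOrSeal, RequireStrongKey) and leaves the reader to match that against the posted smb.conf and several hundred log lines by hand. The following is an added example, not code from the thread or from the Samba project: a small Python audit that reads an smb.conf [global] section and flags the settings that decide whether the DC side matches what the registry values demand of the client, then scans smbd.log and NetSetup.log lines for the signatures that appear in the post and explains each one. The sample config lines and log lines are copied from the post; the thresholds and explanations are the example's own, based on Samba 3.x semantics (`server schannel = auto` negotiates schannel instead of requiring it) and the documented Win32/LDAP result codes.

```python
"""Audit helper for the Samba NT4-style domain join / trust-relationship failure above.
Added example (not from the thread or Samba). Runs offline on inline sample data."""
import re

# Relevant [global] lines copied from the posted smb.conf; [homes] shows the parser stops there.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = N2HA
   security = user
   domain logons = yes
   lanman auth = no
   ntlm auth = yes
   null passwords = yes
   server signing = auto
   server schannel = auto
   ;os level = 65
[homes]
   read only = No
"""

# Lines copied from the posted smbd.log and NetSetup.log.
SAMPLE_LOG_LINES = [
    "_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client BAST machine account BAST$",
    "01/13/2010 23:36:18:764 NetpLdapBind: ldap_bind failed on TARDIS: 49: Invalid Credentials",
    "01/13/2010 23:36:18:779 NetpCreateComputerObjectInDs: DC passed '\\\\TARDIS' doesn't have writable DS 0x101",
    "01/13/2010 23:36:18:779 NetpProvisionComputerAccount: Retrying downlevel per options",
    "01/13/2010 23:36:18:881 NetpManageMachineAccountWithSid: NetUserAdd on 'TARDIS' for 'BAST$' failed: 0x8b0",
    "01/13/2010 23:36:19:287 NetpManageMachineAccountWithSid: status of attempting to set password on 'TARDIS' for 'BAST$': 0x0",
]


def parse_global(conf_text):
    """Return {parameter: value} for [global]; ';' and '#' lines are comments, names are case-insensitive."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            settings[" ".join(key.lower().split())] = value.strip()
    return settings


def audit_netlogon(settings):
    """Findings on the settings that govern a client's secure channel to this DC."""
    findings = []
    schannel = settings.get("server schannel", "auto").lower()   # Samba 3.x default is auto
    if schannel != "yes":
        findings.append(f"server schannel = {schannel}: schannel is negotiated, not required; "
                        "set 'yes' so every machine-account netlogon session is signed/sealed, "
                        "matching RequireSignOrSeal=1 on the clients")
    if settings.get("null passwords", "no").lower() == "yes":
        findings.append("null passwords = yes: accounts with empty passwords may log on; set 'no'")
    if settings.get("lanman auth", "no").lower() == "yes":
        findings.append("lanman auth = yes: LM hashes are accepted; set 'no'")
    return findings


# (pattern, tag, explanation); {n} placeholders are filled from the regex groups.
SIGNATURES = [
    (re.compile(r"netlogon_creds_server_check failed.*machine account (\S+)"), "netlogon_mismatch",
     "{0}: the credential the client derived from its machine password does not match the one "
     "the DC derived from the password it holds for that account"),
    (re.compile(r"NetpLdapBind: ldap_bind failed on (\S+): 49"), "ldap_join_failed",
     "AD-style LDAP provisioning on {0} failed (LDAP 49 = invalidCredentials)"),
    (re.compile(r"doesn't have writable DS"), "no_writable_ds",
     "no writable directory service: expected for a Samba 3 NT4-style PDC"),
    (re.compile(r"Retrying downlevel per options"), "downlevel_retry",
     "join fell back to the NT4-style RPC path"),
    (re.compile(r"NetUserAdd on '(\S+)' for '(\S+)' failed: 0x8b0"), "account_exists",
     "{1} already exists on {0} (0x8b0 = NERR_UserExists); the join reuses it"),
    (re.compile(r"set password on '(\S+)' for '(\S+)': 0x0"), "password_set",
     "machine password for {1} was set on {0} during the join"),
]


def scan_logs(lines):
    """Return [(tag, explanation)] for every known signature found, in input order."""
    return [(tag, text.format(*m.groups()))
            for line in lines for pat, tag, text in SIGNATURES if (m := pat.search(line))]


def interpret(hits):
    """One-line reading of the combined evidence."""
    tags = {tag for tag, _ in hits}
    if {"netlogon_mismatch", "password_set"} <= tags:
        return ("the join set a machine password, yet the DC later rejects that account's netlogon "
                "credential: client and DC disagree on the password or on the session-key "
                "derivation (negotiate flags)")
    if "netlogon_mismatch" in tags:
        return "machine-account credential mismatch; compare the stored machine password on both sides"
    return "no netlogon credential failure in the supplied lines"


if __name__ == "__main__":
    for f in audit_netlogon(parse_global(SAMPLE_SMB_CONF)):
        print("smb.conf:", f)
    hits = scan_logs(SAMPLE_LOG_LINES)
    for tag, text in hits:
        print(f"{tag:18} {text}")
    print("reading:", interpret(hits))
```

Run it as-is to see the findings against the posted data; point `parse_global` at a real smb.conf and `scan_logs` at real log lines to reuse it. The audit deliberately checks `server schannel` rather than `server signing`: the registry values in the reply concern the netlogon secure channel, which schannel governs, not SMB packet signing.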