Centos 7 Samba3 to Samba4 Migration "Trust Relation Failed"

Centos 7 Samba3 to Samba4 Migration "Trust Relation Failed"

Samba - General mailing list
Hi.

I'm testing my migration from my PDC running CentOS 5.x with Samba 3 + OpenLDAP
to CentOS 7 with Samba 4 and OpenLDAP 2.4.40.

I have moved all my settings and the server has all my users; in the console I
see all my info.

Now I connect a test machine that was on the same domain, but I'm getting
this bad message when I try to log in with a domain user:

'The trust relation between this workstation and the primary domain failed'

This is not good; this domain has about 165 machines.

This is part of my Samba log (machinename.log):

  Returning domain sid for domain MYDOMAIN -> S-1-5-21-805595659-1689854870-1539857752
[2017/04/18 11:00:57.397034,  2] ../source3/lib/smbldap.c:794(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2017/04/18 11:00:57.398431,  3] ../source3/lib/smbldap.c:1013(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2017/04/18 11:00:57.399420,  2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: mbx-c14$
[2017/04/18 11:00:57.403331,  2] ../source3/passdb/pdb_ldap.c:2310(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 515
[2017/04/18 11:00:57.403539,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[mbx-c14$]
[2017/04/18 11:00:57.403605,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[mbx-c14$]
[2017/04/18 11:00:57.403628,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2650(get_user_info_18)
  User:[mbx-c14$] 0x80
[2017/04/18 11:00:57.403677,  2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
  credentials check failed
[2017/04/18 11:00:57.403683,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
[2017/04/18 11:00:57.404459,  3] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
  api_rpcTNP: rpc command: NETR_SERVERREQCHALLENGE
[2017/04/18 11:00:57.405424,  3] ../source3/rpc_server/srv_pipe.c:1450(api_rpcTNP)
  api_rpcTNP: rpc command: NETR_SERVERAUTHENTICATE3
[2017/04/18 11:00:57.405546,  2] ../source3/rpc_server/samr/srv_samr_nt.c:4004(_samr_LookupDomain)
  Returning domain sid for domain MUEBLEX -> S-1-5-21-805595659-1689854870-1539857752
[2017/04/18 11:00:57.406023,  2] ../source3/passdb/pdb_ldap.c:524(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: mbx-c14$
[2017/04/18 11:00:57.406626,  2] ../source3/passdb/pdb_ldap.c:2310(init_group_from_ldap)
  init_group_from_ldap: Entry found for group: 515
[2017/04/18 11:00:57.406760,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[mbx-c14$]
[2017/04/18 11:00:57.406802,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2947(_samr_QueryUserInfo)
  User:[mbx-c14$]
[2017/04/18 11:00:57.406824,  3] ../source3/rpc_server/samr/srv_samr_nt.c:2650(get_user_info_18)
  User:[mbx-c14$] 0x80
[2017/04/18 11:00:57.406851,  2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
  credentials check failed
[2017/04/18 11:00:57.406856,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
[2017/04/18 11:01:10.746704,  3] ../source3/smbd/service.c:1148(close_cnum)
  mbx-c14 (ipv4:192.168.2.22:49443) closed connection to service IPC$
[2017/04/18 11:01:10.747766,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)

Daemons running: smb,nmb,slapd,winbind

I can query my ldap for my machine:

smbldap-usershow mbx-c14$
dn: uid=mbx-c14$,ou=Computers,dc=mydomain,dc=local
objectClass: top,account,posixAccount,sambaSamAccount
cn: mbx-c14$
uid: mbx-c14$
uidNumber: 1570
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-805595659-1689854870-1539857752-1516
displayName: MBX-C14$
sambaAcctFlags: [W          ]
sambaNTPassword: 3082999B924FC4A964DCF7AA0EF1BDDA
sambaPwdLastSet: 1488996103


pdbedit -Lv mbx-c14$
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: mbx-c14$
init_group_from_ldap: Entry found for group: 515
Unix username:        mbx-c14$
NT username:          mbx-c14$
Account Flags:        [W          ]
User SID:             S-1-5-21-805595659-1689854870-1539857752-1516
Primary Group SID:    S-1-5-21-805595659-1689854870-1539857752-515
Full Name:            MBX-C14$
Home Directory:
HomeDir Drive:
Logon Script:         mbx-c14_.bat
Profile Path:
Domain:               MYDOMAIN
Account desc:         Computer
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 08 Mar 2017 10:01:43 PST
Password can change:  Wed, 08 Mar 2017 10:01:43 PST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

My Samba config file didn't change too much; some settings are obsolete.

This is my smb.conf:

[global]
        workgroup = MYDOMAIN
        server string = PDC Domain
        netbios name = MYDOMAINPDC
        hosts allow = 192.168.2., 192.168.1., 127., 192.168.20., 192.168.30., 192.168.40., 192.168.50.,
        interfaces = enp3s0 lo0
        bind interfaces only = Yes
        hosts deny = 0.0.0.0
        smb ports = 139 445
        remote announce = 192.168.2.255
        lanman auth = Yes
        client lanman auth = Yes
        encrypt passwords = yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        pam password change= Yes
        passwd program = /usr/bin/passwd %u
        passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn * passwd:*all*authentication*tokens*updated*successfully*
        unix password sync = Yes
        log level = 3
        log file = /var/log/samba/%m.log
        max log size = 2048
        name resolve order = wins bcast hosts lmhost
        time server = No
        use sendfile = yes
        map hidden = No
        map system = No
        map archive = No
        map read only = No
        store dos attributes = Yes
        Map to Guest = Bad User
        load printers = No
        printcap name =
        cups options =
        show add printer wizard = No
        add user script = /usr/sbin/smbldap-useradd -m %u
        delete user script = /usr/sbin/smbldap-userdel %u
        add group script = /usr/sbin/smbldap-groupadd -p %g
        delete group script = /usr/sbin/smbldap-groupdel %g
        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
        add machine script = /usr/sbin/smbldap-useradd -w %u
        ldap ssl = off
        ldap passwd sync = Yes
        ldap suffix = dc=mydomain,dc=local
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=Manager,dc=mydomain,dc=local
        logon script =%U.bat
        logon path =
        logon path =
        logon home =
        logon drive =
        username map = /etc/samba/usermap
        preferred master = Yes
        wins support = Yes
        winbind nested groups = Yes
        ea support = Yes
        domain logons = Yes
        domain master = Yes
        local master = Yes
        map acl inherit = Yes
        unix charset = UTF8
        case sensitive = No

[netlogon]
        comment = Network Logon Service
        path = /home/samba/netlogon
        Locking = no

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No

[Public]
        comment = Public Folder
        path = /opt/public
        available = Yes
        browseable = Yes
        public = Yes
        read only = No
        guest ok = Yes
        writeable = yes
        create mode = 0775
        directory mode = 0775
        admin users = root

Any tip will be appreciated, thanks.
--
Living the dream...
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
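As an added example (not from the post, and not Samba's own code), a small Python parser for the per-machine %m.log format shown above that picks out the `_netr_ServerAuthenticate3` rejections and groups them by client, so an admin can see which machine accounts are failing the netlogon credential check after a migration instead of reading each log by hand. The sample log lines are constructed from the post's entries, including one still wrapped by the mailer.

```python
import re
from collections import defaultdict

# Samba log entry: header "[YYYY/MM/DD HH:MM:SS.ffffff, level] file:line(function)"
# followed by indented (or mailer-wrapped) message lines.
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s*"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>[^)]+)\)\s*$")
REJECT_RE = re.compile(
    r"netlogon_creds_server_check failed\. Rejecting auth request from client "
    r"(?P<client>\S+) machine account (?P<account>\S+\$)")

def parse_entries(text):
    """Return [(header_fields, message)]; wrapped message lines are rejoined."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            current = (m.groupdict(), [])
            entries.append(current)
        elif current is not None and raw.strip():
            current[1].append(raw.strip())
    return [(hdr, " ".join(msg)) for hdr, msg in entries]

def rejected_machine_auths(text):
    """Map client -> [(timestamp, machine account)] for every NETLOGON
    authentication the DC rejected because the credential chain check failed."""
    hits = defaultdict(list)
    for hdr, msg in parse_entries(text):
        if hdr["func"] != "_netr_ServerAuthenticate3":
            continue
        m = REJECT_RE.search(msg)
        if m:
            hits[m.group("client")].append((hdr["ts"], m.group("account")))
    return dict(hits)

# Constructed sample in the post's format: one unrelated entry and two
# rejections for MBX-C14 (the second with the mailer's line wrap kept).
SAMPLE_LOG = """\
[2017/04/18 11:00:57.403677,  2] ../libcli/auth/credentials.c:403(netlogon_creds_server_check_internal)
  credentials check failed
[2017/04/18 11:00:57.403683,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client MBX-C14 machine account MBX-C14$
[2017/04/18 11:00:57.406856,  0] ../source3/rpc_server/netlogon/srv_netlog_nt.c:1007(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting
auth request from client MBX-C14 machine account MBX-C14$
"""

if __name__ == "__main__":
    for client, events in rejected_machine_auths(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} rejected netlogon auth(s) for {events[0][1]}")
```

Run it over the real /var/log/samba/*.log files to get the list of workstations whose machine-account secret no longer matches what the new DC holds.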

Re: Centos 7 Samba3 to Samba4 Migration "Trust Relation Failed"

Samba - General mailing list
Any comment about this issue?

:-(

On Tue, Apr 18, 2017 at 2:34 PM, Alberto Moreno <[hidden email]> wrote:



--
Living the dream...