Samba AD - Trust Relationship error.

Samba - General mailing list
Hello all,

I am not really new to samba but I am new to running a samba AD and AD
in general. I have a client that I will be changing over to a new server
running samba 4.6.7 and running as an AD. I did a test run on the new
server connected to the workstations and on one workstation I ran into
this error message:

"The security database on the server does not have a computer account
for this workstation trust relationship"

I know that in Windows it's pretty easy to solve by using the SBS
Standard console. However, how would one fix this issue that I assume
would be done with samba-tools somehow? Perhaps anyone can guide me to a
resource discussing this? I'm not looking for a step-by-step hand hold
session here. Just basic info on where to start looking and the basics.

This is one of about 13 workstations and was the only one that
experienced this issue.

Appreciate the feedback in advance,

jdegraw


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba AD - Trust Relationship error.

On Tue, 28 Nov 2017 12:24:55 -0500
subscriptions via samba <[hidden email]> wrote:

> Hello all,
>
> I am not really new to samba but I am new to running a samba AD and
> AD in general. I have a client that I will be changing over to a new
> server running samba 4.6.7 and running as an AD. I did a test run on
> the new server connected to the workstations and on one workstation I
> ran into this error message:
>
> "The security database on the server does not have a computer account
> for this workstation trust relationship"
>
> I know that in Windows it's pretty easy to solve by using the SBS
> Standard console. However, how would one fix this issue that I assume
> would be done with samba-tools somehow? Perhaps anyone can guide me
> to a resource discussing this? I'm not looking for a step-by-step hand
> hold session here. Just basic info on where to start looking and the
> basics.
>
> This is one of about 13 workstations and was the only one that
> experienced this issue.
>
> Appreciate the feedback in advance,
>
> jdegraw
>
>

Sounds like a DNS problem. Can you share a bit more info on how you
have set up your Samba AD domain? It will also help if you post your
smb.conf.

Rowland

Re: Samba AD - Trust Relationship error.

On Tue, 28 Nov 2017 13:23:11 -0500
subscriptions <[hidden email]> wrote:

> Hello Rowland,
>
>
> Here is my smb.conf file. I compiled it myself from samba.org and
> followed their instructions for setup of the AD. Everything else
> seems to work out as far as I can tell for now. This will be
> replacing a SBS 2011 server.
>
> My initial thought was that there must be some
>
> I'm using the internal DNS on samba as this is just about 13
> workstations.
>
>
> Centos7.4
>
> Samba 4.6.7
>
> # Global parameters
> [global]
>      netbios name = SD2
>      realm = SD.LOCAL

I take it you missed the warning about using '.local' as the TLD.
Either re-provision Samba with a different TLD or remove avahi if it is
installed.

>      workgroup = SD
>      dns forwarder = 75.75.75.75
>      server role = active directory domain controller
>      idmap_ldb:use rfc2307 = yes
>
> # Lets allow windows permissions on shares -NOT NEEDED BUT SAVED
> # vfs objects = acl_xattr
> # map acl inherit = yes
> # store dos attributes = yes

'NOT NEEDED' is an understatement, 'DEFINITELY SHOULDN'T BE IN A DC
SMB.CONF' is nearer the point ;-)

>
> [netlogon]
>      path = /usr/local/samba/var/locks/sysvol/sd.local/scripts
>      read only = No
>
> [sysvol]
>      path = /usr/local/samba/var/locks/sysvol
>      read only = No
>
> [DATA]
> path = /mnt/data
> readonly = no
>
> [MIGRATE]
> path = /opt/icewarp
> readonly = no

'readonly' should be 'read only'

Do the clients use the DC as their nameserver?

Rowland
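
The configuration points raised in the reply above (the '.local' realm, the share-ACL parameters in a DC's smb.conf, and the 'readonly' spelling) can be checked mechanically before a DC goes into production. The following is an added example, not part of the original thread or of Samba; `parse`, `lint` and `NOT_ON_DC` are names made up for it, and the sample is the posted config with quote markers stripped and trimmed to the relevant lines.

```python
# Added example (not from the thread): lint an smb.conf for the points raised above.
# Constructed sample: the posted config, quote markers stripped, trimmed.
SAMPLE_CONF = """\
[global]
     realm = SD.LOCAL
     server role = active directory domain controller
# vfs objects = acl_xattr
[DATA]
path = /mnt/data
readonly = no
[MIGRATE]
path = /opt/icewarp
readonly = no
"""

DC_ROLE = "active directory domain controller"
# Parameters the reply says should not be in a DC's smb.conf (assumption: any section).
NOT_ON_DC = {"vfs objects", "map acl inherit", "store dos attributes"}

def parse(text):
    """Return {section: {key: value}}; keys lower-cased, '#' and ';' comments skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def lint(text):
    conf, findings = parse(text), []
    glob = conf.get("global", {})
    if glob.get("realm", "").lower().endswith(".local"):
        findings.append("global: realm uses the '.local' TLD")
    is_dc = glob.get("server role", "").lower() == DC_ROLE
    for section, params in conf.items():
        for key in params:
            if key == "readonly":
                findings.append(f"{section}: 'readonly' should be 'read only'")
            if is_dc and key in NOT_ON_DC:
                findings.append(f"{section}: '{key}' set on a DC")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)))
```

Commented-out parameters, as in the posted file, are skipped; only active settings are reported.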

Re: Samba AD - Trust Relationship error.

On Wed, 29 Nov 2017 08:58:54 -0500
subscriptions <[hidden email]> wrote:

> On 11/28/2017 01:55 PM, Rowland Penny via samba wrote:
> > .local' as the TLD
>
> I have been thinking of this issue. I did turn off Avahi for the time
> being but have been thinking about this all night. My situation is
> that I will be migrating a SBS Exchange server to Icewarp - take the
> place of exchange. I have already set up the new server and have done
> the migration but it's not live yet. Eventually I will be moving the
> company's current email from a third party provider to the local
> server as the quota limit is being constantly hit. So, I have to make
> a decision on this.
>
> If I reconfigure the new server with the current registered domain
> name pointed to the email host then they could have dns issues and
> not be able to get their email until I move the new server into
> production.
>
> I could just register a new domain name and reconfigure the server
> for that. However, I am afraid I might run into issues on the
> workstations being able to pull up their current desktops and may
> lead to a full blown backup and restore of their files and other
> issues.
>
> I could (you do not recommend of course) leave the current local
> network domain name alone and work out some sort of email transfer to the
> local domain. I see this as not the right approach and probably be a
> lot more work than just correcting the current issue.
>
> My original plan was to just migrate all exchange email to the new
> server and get them up and running as soon as possible and then work
> on taking over the email role that their third party email host does.
> However, I guess it's like opening up a can of worms. The more I dig
> into this issue the more I find wrong.
>
> I took over administering this client about a year ago and have been
> planning this change over for some time. I always had this as a long
> term goal as I have had to learn a lot and still am.
>
> I'm thinking right now of just registering a new domain name and
> reconfiguring for it. Then re-migrate the exchange data. Then when I
> am more comfortable I can make the switch from the third party email
> host to the local server.
>
> I know my questions are not actually related to samba right now but I
> wanted to ask your opinion because of your expertise.
>
> Thanx,
>
> jdegraw
>

If you are setting up a new AD domain and have a registered DNS domain,
then use a subdomain for AD, i.e. if you own 'example.com', use
'ad.example.com' for AD.

Rowland
