The trust relationship between this workstation and the primary domain failed.

Andrew Spiers
Samba 3.5.6 PDC, Windows 7 client.
A user was unable to log on this morning with this error. The samba
log for the machine is full of:

[2011/02/10 09:09:50.145387,  0]
rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
Rejecting auth request from client CLIENT machine account CLIENT$
[2011/02/10 09:10:18.693306,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/02/10 09:10:18.693343,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2011/02/10 09:10:36.694575,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2011/02/10 09:10:36.694604,  0] lib/util_sock.c:1432(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2011/02/10 09:13:14.855541,  1] smbd/service.c:1070(make_connection_snum)

(Those messages go back as far as April when the user started using
the machine.) I've got a feeling that SambaPwdLastSet isn't getting
updated in our LDAP database.
Removing the client from the domain and rejoining it fixed the problem.

from smb.conf:
[netlogon]
   comment = Network Logon Service
   path = /share/common/netlogon
   guest ok = yes
   writable = no
   share modes = no
   write list = root, administrator

# getfacl /share/common/netlogon
getfacl: Removing leading '/' from absolute path names
# file: share/common/netlogon
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

Does anyone know why this might be? Or what can be done about it?
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: The trust relationship between this workstation and the primary domain failed.

John Drescher
On Mon, May 23, 2011 at 4:00 AM, Andrew Spiers <[hidden email]> wrote:

> Samba 3.5.6 PDC, Windows 7 client.
> A user was unable to log on this morning with this error. The samba
> log for the machine is full of:
>
> [2011/02/10 09:09:50.145387,  0]
> rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>  _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client CLIENT machine account CLIENT$
> [2011/02/10 09:10:18.693306,  0] lib/util_sock.c:474(read_fd_with_timeout)
> [2011/02/10 09:10:18.693343,  0] lib/util_sock.c:1432(get_peer_addr_internal)
>  getpeername failed. Error was Transport endpoint is not connected
>  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
> [2011/02/10 09:10:36.694575,  0] lib/util_sock.c:474(read_fd_with_timeout)
> [2011/02/10 09:10:36.694604,  0] lib/util_sock.c:1432(get_peer_addr_internal)
>  getpeername failed. Error was Transport endpoint is not connected
>  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
> [2011/02/10 09:13:14.855541,  1] smbd/service.c:1070(make_connection_snum)
>
> (Those messages go back as far as April when the user started using
> the machine.) I've got a feeling that SambaPwdLastSet isn't getting
> updated in our LDAP database.
> Removing the client from the domain and rejoining it fixed the problem.
>
> from smb.conf:
> [netlogon]
>   comment = Network Logon Service
>   path = /share/common/netlogon
>   guest ok = yes
>   writable = no
>   share modes = no
>   write list = root, administrator
>
> # getfacl /share/common/netlogon
> getfacl: Removing leading '/' from absolute path names
> # file: share/common/netlogon
> # owner: root
> # group: root
> user::rwx
> group::r-x
> other::r-x
>
> Does anyone know why this might be? Or what can be done about it?

I believe you have to disable the machine password from being
automatically changed on the client. The default is every 30 days. I
believe if no user is logged in during the password exchange the
Windows 7 box changes the password but samba does not get the change.

See this thread:
http://samba.2283325.n4.nabble.com/Windows-7-machine-trust-accounts-expiring-td2456812.html

John

Re: The trust relationship between this workstation and the primary domain failed.

Andrew Spiers
Thanks John, I had seen references to that, but I was sort of hoping
that we wouldn't have to do that because I saw a warning from
Microsoft indicating that this might be a security risk.

For anyone looking to do this,
http://support.microsoft.com/kb/154501 seems to indicate that you need to set
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
to 1.

I might try and track our SambaPwdLastSet values for a bit longer to
see if any of these are automatically updating.
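
As an added example (not part of the original post), this is one way to track sambaPwdLastSet across two LDAP snapshots and see which machine accounts are updating. The LDIF text, DNs and timestamps are constructed, and the parser assumes plain unwrapped `attribute: value` lines.

```python
from datetime import datetime, timezone

MAX_AGE_DAYS = 30  # default machine password change interval mentioned in the thread

# Constructed LDIF snapshot (assumed shape of a search for uid=*$); DNs are made up.
SNAPSHOT_OLD = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=org
uid: ws01$
sambaPwdLastSet: 1293840000

dn: uid=ws02$,ou=Computers,dc=example,dc=org
uid: ws02$
sambaPwdLastSet: 1296518400
"""
# A later constructed snapshot in which only ws02$ has a newer sambaPwdLastSet.
SNAPSHOT_NEW = SNAPSHOT_OLD.replace("1296518400", "1299110400")

def pwd_last_set(ldif):
    """Return {uid: sambaPwdLastSet as epoch seconds} for machine accounts (uid ends in $)."""
    result = {}
    for record in ldif.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in record.splitlines() if ": " in line)
        uid = attrs.get("uid", "")
        if uid.endswith("$") and "sambaPwdLastSet" in attrs:
            result[uid] = int(attrs["sambaPwdLastSet"])
    return result

def compare(old_ldif, new_ldif, now):
    """Classify each machine account as 'updated', 'unchanged' or 'stale' at time `now`."""
    old, new = pwd_last_set(old_ldif), pwd_last_set(new_ldif)
    report = {}
    for uid, stamp in new.items():
        age_days = (now - datetime.fromtimestamp(stamp, timezone.utc)).days
        if uid in old and stamp > old[uid]:
            report[uid] = ("updated", age_days)
        elif age_days > MAX_AGE_DAYS:
            report[uid] = ("stale", age_days)  # value has not moved and is past the interval
        else:
            report[uid] = ("unchanged", age_days)
    return report

if __name__ == "__main__":
    now = datetime(2011, 3, 10, tzinfo=timezone.utc)
    for uid, (state, age) in sorted(compare(SNAPSHOT_OLD, SNAPSHOT_NEW, now).items()):
        print(f"{uid}: {state}, sambaPwdLastSet is {age} days old")
```

A "stale" result only shows that the directory value has not moved; it does not by itself show whether the client changed its password.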