Author Topic: samba: Windows 7 the trust relationship between this workstation and the primary  (Read 15540 times)

durale

  • Zen Apprentice
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Hi,

I m experiencing a problem with creating a domain and getting connected my windows 7 stations.


The Windows 7 PC gives a DNS extension error, but joins the domain succesfully.
I get the following error when an user attempt to logon:

lib/util_sock.c:read_socket_with_timeout(939)
 lib/util_sock.c:get_peer_addr_internal(1676)
getpeername failed. Error was Transport endpoint is not connected
read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
netlogon_creds_server_check: credentials check failed.


I changed the workstation's registry with the file found on your website with these value:

Windows Registry Editor Version 5.00



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]

"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

Do i need to turn this keys to 0 ?:

HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters
DWORD  RequireStrongKey = 1
DWORD  RequireSignOrSeal = 1

What do I need to do or chaneg in the config, what esle could be wrong?

samba version is 3.4.3

thanks in advance for your support
regards,

alex

philmills

  • Zen Warrior
  • ***
  • Posts: 161
  • Karma: +8/-0
    • View Profile
I'm having the same issue - any ideas anyone?
I already ran the Windows 7 registry fix for this...

J. A. Calvo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1986
  • Karma: +67/-3
    • View Profile
    • http://blogs.zentyal.org/jacalvo
You can try to upgrade to the new samba 3.4.5, it hasn't been tested enough, but you can help us. It is already in our 1.3 repository.
Zentyal Server Lead Developer

durale

  • Zen Apprentice
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Hi,

Thank you for your advise but it should also work with the version 3.4.3 as other people did.

I read the release note of 3.4.5 and they don t say anything about fixing a bug related to this issue.
Also assuming I upgrade to 3.4.5, the prompt will ask for overwritting the ebox smb file with the newest one, should I overwrite it with the newest version coming from the package?

regards,

alex

J. A. Calvo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1986
  • Karma: +67/-3
    • View Profile
    • http://blogs.zentyal.org/jacalvo
eBox overwrites the smb.conf, it doesn't matter if you overwrite it or not, when a "/etc/init.d/ebox samba restart" is executed or you save changes on the interface, it will get overwritten again.
Zentyal Server Lead Developer

durale

  • Zen Apprentice
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
I made the upgrade but still the same problem iusing the latest samba package version 3.4.5:

Could be related to the machine not added properly to ldap ?

rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client FGOURION-PC machine account FGOURION-PC$
[2010/01/27 20:39:48,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/01/27 20:39:48,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/01/27 20:39:51,  1] smbd/service.c:1047(make_connection_snum)
  fgourion-pc (10.45.100.25) connect to service profiles initially as user fgourion (uid=2004, gid=1901) (pid 1496)
[2010/01/27 20:39:51,  1] smbd/service.c:1047(make_connection_snum)
  fgourion-pc (10.45.100.25) connect to service netlogon initially as user fgourion (uid=2004, gid=1901) (pid 1496)
[2010/01/27 20:39:52,  1] smbd/service.c:1047(make_connection_snum)
  fgourion-pc (10.45.100.25) connect to service fgourion initially as user fgourion (uid=2004, gid=1901) (pid 1496)
[2010/01/27 20:40:06,  1] smbd/service.c:1226(close_cnum)
  fgourion-pc (10.45.100.25) closed connection to service profiles
[2010/01/27 20:40:06,  1] smbd/service.c:1226(close_cnum)
  fgourion-pc (10.45.100.25) closed connection to service fgourion
[2010/01/27 20:40:06,  1] smbd/service.c:1226(close_cnum)
  fgourion-pc (10.45.100.25) closed connection to service netlogon
[2010/01/27 20:40:36,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/01/27 20:40:36,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.









J. A. Calvo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1986
  • Karma: +67/-3
    • View Profile
    • http://blogs.zentyal.org/jacalvo
You can try to see if the machine is added with the "smbldap-userlist" command.

If it is added, you can remove it with "smbldap-userdel MACHINENAME$", then you can try to join it again into the domain.
Zentyal Server Lead Developer

durale

  • Zen Apprentice
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Ok here is the output result:

smbldap-userlist
uid  |username             

2001 |gbavard             
2002 |admin               
2003 |gbavard-pc$         
2004 |fgourion             
2005 |jwaknine             
2006 |fgourion-pc$         
2007 |dmoyal               
2008 |jwaknine-pc$         

The PCs are listed !
I will try to delete them and add them again but what is your thoughts behind this deletion?

Could it be a dns resolution problem , suffix or something like that? I m wondering if windows 7 attempts to lookup the domain name and can t find it for some reason

Do I need to install enable DHCP/DNS server on the ebox-platform?
is there any other troubleshooting I can make to get it work?

regards,

Alex

durale

  • Zen Apprentice
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Hi I did what you suggested deleted the machines and added again. I seems to be going better, I m not seeing the message but still can t get access to shares and the network driver doesn t come up.

samba version is 3.4.5 and ebox engine 1.2.6. Perhaps there is an incompatibility between lastest samba version and ebox 1.2.6. I can t write (save) any file on the shares or home user share  m getting this error message from W7 client "Not enought space"

Also When I issue the command pdbedit -vL I see the users and machine connected to the domain logon and logoff fields keep set to "never" whereas the users had logon and logoff and I could see them on ebox control panel.

It looks like the system permitts logon even if machine authentication fails. The NT_STATUS_ACCESS_DENNIED is repeated many times.

Perhaps it a bug between ebox 1.2.6 and the newest samba version 3.4.5. Should I upgrade to ebox 1.3 ?
Don t know what to do now I m really stuck.

any input will be much appreciated.

regards,

alex

J. A. Calvo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1986
  • Karma: +67/-3
    • View Profile
    • http://blogs.zentyal.org/jacalvo
Perhaps it a bug between ebox 1.2.6 and the newest samba version 3.4.5. Should I upgrade to ebox 1.3 ?

You can try to upgrade to 1.4-rc1, but if your machine is in production do it carefully, I suggest you to install it on a different machine first to see if it solves your problem instead of replacing 1.2 directly.
Zentyal Server Lead Developer

durale

  • Zen Apprentice
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
It s meant to be  production server which has not yet been in production because of tyhis problem!!

I m quite sceptical about upgrading straight forward to 1.4RC1 to solve the problem.  Let s say I upgrade it to 1.3 first and then to 1.4,  Would I be able to rollback to 1.2.6 afterwise.

Why do you think 1.4RC1 should fix my problem? Is 1.3 or 1.4 supported by EBOX developpers in terms of service contract?

Reagards

Alex

durale

  • Zen Apprentice
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
can i upgrade from 1.2 to 1.4?

here is what I read on your website : http://trac.ebox-platform.com/wiki/Document/Announcement/1.3_Development_Series

Upgrading from 1.2 to 1.3 is not supported. We recommend to install 1.3 from scratch in a new machine for testing purposes.

regarsd

alex

J. A. Calvo

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1986
  • Karma: +67/-3
    • View Profile
    • http://blogs.zentyal.org/jacalvo
Why do you think 1.4RC1 should fix my problem? Is 1.3 or 1.4 supported by EBOX developpers in terms of service contract?

If you want direct professional support from the eBox developers: Yes, we have it:

http://www.ebox-technologies.com/services/support/
Zentyal Server Lead Developer

obitori

  • Zen Apprentice
  • *
  • Posts: 3
  • Karma: +0/-0
    • View Profile
I've installed Ebox 1.4 with smbd 3.4.5.  I cannot get my Windows 7 Pro clients to join my Samba PDC domain (BEACH).  I've synced my windows box to the same NTP server.  I added the DNS keys

I followed these instructions:

http://trac.ebox-platform.com/wiki/Document/HowTo/Windows7Support

I also tried changing netlogon keys for RequireSignOrSeal and RequireStrongKey to false ("0").

Finally, I changed the SECPOL.MSC Local Policies/Security Options/Network Security/LAN Manager authentication level to Send LM & NTLM - Use NTLM2 Session Security if Negotiated.

Still, I get the domain trust error and can't log onto the Samba PDC.  My ebox settings are correct.

Any ideas?

Thanks,

Obitori

chivar

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Hello I'm having a problem with regards to the account it says
"The trust relationship between this workstation and primary domain failed."