Topic: Windows 7 machines fail to authenticate to the Samba domain

livingfield
Windows 7 machines fail to authenticate to the Samba domain
« on: March 02, 2012, 10:39:02 am »
I have installed a Zentyal 2.0 machine as Primary Domain Controller and have since upgraded it to Zentyal 2.2.

Windows 7 clients can be joined to the domain, but apparently later the machine account fails to authenticate at login. Windows 7 login will take 2-3 minutes to log in and will appear to succeed, though roaming profiles and redirected folders may or may not fail to load. Once the computer is logged in, users can access shares normally.

I can easily reproduce the problem by setting up a new Zentyal 2.2 Server (Installing only File Sharing, DNS, DHCP, and dependencies) and Windows 7 client in Virtualbox.

WHEN JOINING the Windows 7 client to the domain, Windows logs Event ID 3210: "This computer could not authenticate with \\ZENTYAL, a Windows domain controller for domain RTK2, and therefore this computer might deny logon requests..."

/var/log/samba/win7 contains the following:
[2012/03/02 15:59:10,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7X86-VB machine account WIN7X86-VB$
[2012/03/02 15:59:50,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2012/03/02 15:59:50,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

DURING LOGIN, Event ID 5719: "This computer was not able to set up a secure session with a domain controller in domain RTK2 due to the following:
There are currently no logon servers available to service the logon request..."

This error is logged even when logging in with a non-domain (i.e. local windows) user account.

/var/log/samba/win7 contains the following:
[2012/02/29 10:10:51,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7 machine account WIN7$
[2012/02/29 10:11:32,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2012/02/29 10:11:32,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

I have disabled all firewalls.
I have applied the Windows 7 Registry patches as instructed at https://wiki.samba.org/index.php/Windows7
        HKLM\System\CCS\Services\LanmanWorkstation\Parameters
            DWORD  DomainCompatibilityMode = 1
            DWORD  DNSNameResolutionRequired = 0
NTP is synchronizing time so that Zentyal and Windows 7 have the same time.

I suspected some problems with DNS, so I switched to using a known good DNS/DHCP server, and the error messages remained the same.
Is "rtk2" an acceptable domain name? Or do I need to use a FQDN such as "rtk2.localdomain"?

I've seen this same problem beginning with Zentyal 2.0 & Windows 7 RTM in May 2011 and continuing through Zentyal 2.2.5 and Windows 7 SP1 today.

Windows XP domain logins work fine.

Are you able to join Windows 7 machines to a Zentyal domain without errors?
Are you using Zentyal's DHCP/DNS services or something else?
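
For triaging Samba logs like the ones quoted in the post above, here is an added example (not part of the original thread, and not Zentyal or Samba code) that extracts the rejected NETLOGON authentication requests and groups them by machine account. The function names `netlogon_rejections` and `summarize` are hypothetical; the sample input is the log lines copied from the post.

```python
import re
from datetime import datetime

# Samba 3.x log header: "[YYYY/MM/DD HH:MM:SS,  level] file.c:line(function)"
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*\d+\]\s+\S+:\d+\((\w+)\)")
# Message wording as it appears in the log excerpts quoted in the post.
REJECT = re.compile(
    r"(\w+): netlogon_creds_server_check failed\. Rejecting auth request "
    r"from client (\S+) machine account (\S+)")

def netlogon_rejections(lines):
    """Yield (timestamp, client, machine_account) per rejected auth request."""
    last_seen = {}   # function name -> timestamp of its most recent header
    latest = None
    for line in lines:
        head = HEADER.match(line)
        if head:
            latest = datetime.strptime(head.group(1), "%Y/%m/%d %H:%M:%S")
            last_seen[head.group(2)] = latest
            continue
        hit = REJECT.search(line)
        if hit:
            # Headers and bodies can interleave; pair by function name.
            stamp = last_seen.get(hit.group(1), latest)
            if stamp is not None:   # body with no header at all is skipped
                yield stamp, hit.group(2), hit.group(3)

def summarize(lines):
    """Group rejections by machine account: client, count, first/last seen."""
    report = {}
    for stamp, client, account in netlogon_rejections(lines):
        rec = report.setdefault(
            account, {"client": client, "count": 0, "first": stamp, "last": stamp})
        rec["count"] += 1
        rec["first"], rec["last"] = min(rec["first"], stamp), max(rec["last"], stamp)
    return report

# Sample input: log lines copied from the post above.
SAMPLE = """\
[2012/03/02 15:59:10,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7X86-VB machine account WIN7X86-VB$
[2012/03/02 15:59:50,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2012/03/02 15:59:50,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2012/02/29 10:10:51,  0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client WIN7 machine account WIN7$
"""
```

Calling `summarize(SAMPLE.splitlines())` returns one entry per machine account, which makes it easy to see whether a single client or every Windows 7 client is being rejected.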

jsalamero

moazrefat
Re: Windows 7 machines fail to authenticate to the Samba domain
« Reply #2 on: March 06, 2012, 05:16:48 pm »
You can configure the DNS to point to the domain controller, then manually add the WINS server to Windows 7 so that it also points to the domain controller.
Definitely, if you change the registry values and take those steps, inshallah it will work.