[Pkg-samba-maint] Bug#550043: samba: Windows 7 the trust relationship between this workstation and the primary domain failed

Robin Edgar robinedgar at gmail.com
Wed Oct 7 09:31:05 UTC 2009 

Package: samba
Version: 2:3.2.5-4lenny6
Severity: important

When adding a Windows 7 machine to a Samba PDC, using the following registry entries the machine account is created in /etc/passwd and in the samba database (pdbedit -L finds it, with a password):

HKLM\System\CCS\Services\LanmanWorkstation\Parameters 
DWORD  DomainCompatibilityMode = 1 
DWORD  DNSNameResolutionRequired = 0 

HKLM\System\CCS\Services\Netlogon\Parameters 
DWORD  RequireSignOnSeal = 0 
DWORD  RequireStrongKey = 0

The Windows 7 PC gives a DNS extension error, but joins the domain succesfully.
After reboot of the PC, you have to wait a bit before the domain controller can be found to validate the password, but then comes up with the following error:

"the trust relationship between this workstation and the primary domain failed" 

and won't allow a logon.

The PC event viewer gives the following System -> Netlogon error:

This computer could not authenticate with \\DOMAIN, a Windows domain controller for domain DOMAIN, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

[2009/10/07 10:19:03,  2] rpc_server/srv_samr_nt.c:_samr_LookupDomain(3490)
  Returning domain sid for domain DOMAIN -> S-1-5-21-649339501-1567589259-2286301166
[2009/10/07 10:19:04,  2] lib/access.c:check_access(406)
  Allowed connection from ::ffff:192.168.0.39 (::ffff:192.168.0.39)
[2009/10/07 10:19:04,  2] libsmb/credentials.c:netlogon_creds_server_check(223)
  netlogon_creds_server_check: credentials check failed.
[2009/10/07 10:19:04,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(520)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client MACHINE machine account MACHINE$
[2009/10/07 10:19:19,  0] lib/util_sock.c:read_socket_with_timeout(939)
[2009/10/07 10:19:19,  0] lib/util_sock.c:get_peer_addr_internal(1676)
  getpeername failed. Error was Transport endpoint is not connected
  read_socket_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2009/10/07 10:30:47,  2] lib/access.c:check_access(406)
  Allowed connection from UNKNOWN (::ffff:192.168.0.39)
[2009/10/07 10:30:47,  2] libsmb/credentials.c:netlogon_creds_server_check(223)
  netlogon_creds_server_check: credentials check failed.
[2009/10/07 10:30:47,  0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(520)

Logging in as a normal user into the workgroup DOMAIN allows file sharing to work fine.

-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages samba depends on:
ii  adduser         3.110                    add and remove users and groups
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  libacl1         2.2.47-2                 Access control list shared library
ii  libattr1        1:2.4.43-2               Extended attribute shared library
ii  libc6           2.7-18                   GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libcups2        1.3.8-1+lenny6           Common UNIX Printing System(tm) - 
ii  libgnutls26     2.4.2-6+lenny1           the GNU TLS library - runtime libr
ii  libkrb53        1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii  libldap-2.4-2   2.4.11-1                 OpenLDAP libraries
ii  libpam-modules  1.0.1-5+lenny1           Pluggable Authentication Modules f
ii  libpam-runtime  1.0.1-5+lenny1           Runtime support for the PAM librar
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libpopt0        1.14-4                   lib for parsing cmdline parameters
ii  libtalloc1      1.2.0~git20080616-1      hierarchical pool based memory all
ii  libwbclient0    2:3.2.5-4lenny6          client library for interfacing wit
ii  logrotate       3.7.1-5                  Log rotation utility
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  procps          1:3.2.7-11               /proc file system utilities
ii  samba-common    2:3.2.5-4lenny6          Samba common files used by both th
ii  update-inetd    4.31                     inetd configuration file updater
ii  zlib1g          1:1.2.3.3.dfsg-12        compression library - runtime

samba recommends no packages.

Versions of packages samba suggests:
pn  ldb-tools                   <none>       (no description available)
ii  openbsd-inetd [inet-superse 0.20080125-2 The OpenBSD Internet Superserver
pn  smbldap-tools               <none>       (no description available)

-- debconf information:
  samba/run_mode: daemons
  samba/generate_smbpasswd: true

More information about the Pkg-samba-maint mailing list