Windows 7 Pro machines trust relationship fails

Bug #513562 reported by Roger Abrahamsson
This bug affects 7 people
Affects: samba (Ubuntu)
Status: Confirmed
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: samba

Windows 7 Pro clients, 32 bit. Joined to Samba domain, account handling in OpenLDAP. Worked fine for just about one month, then all machines installed on the same day simultaneously failed to log in; the error message was "the trust relationship between this workstation and the primary domain failed". A check in syslog revealed the following from the LDAP server:
Jan 28 08:54:03 server1 slapd[1497]: conn=2365 op=2 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)

sambaDomainName=DOMAIN,dc=domain,dc=local exists, but sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local does not and cannot do either in LDAP if I understand things correctly.
Temporary solution is to drop machines from the domain and rejoin, and they work, but not ideal at all.

ProblemType: Bug
Architecture: amd64
Date: Thu Jan 28 10:06:28 2010
DistroRelease: Ubuntu 9.10
Package: samba 2:3.4.0-3ubuntu5.3
ProcEnviron:
 LANG=en_AU.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-16.53-server
SourcePackage: samba
Uname: Linux 2.6.31-16-server x86_64

Roger Abrahamsson (roger-gnyrf) wrote :
Chuck Short (zulcss) wrote :

Can you attach your smb.conf and /var/log/samba/log.smbd and /var/log/samba/log.nmbd please?

Thanks
chuck

Changed in samba (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Roger Abrahamsson (roger-gnyrf) wrote :

Ok, attaching log file from nmbd, smbd log file for the computer having problems logging in, excerpts from syslog, smb.conf and part of slapd database in LDIF format.

Chuck Short (zulcss) wrote :

Thanks for the information. Which version of samba are you using?

Regards
chuck

Changed in samba (Ubuntu):
status: Incomplete → Confirmed
Thierry Carrez (ttx) wrote :

Looking at the description, he is using 3.4.0-3ubuntu5.3.

Martin Ewing (martin-s-ewing) wrote :

I am running 3.4.0-3ubuntu5.6 as a PDC on Karmic and seeing much the same problem with my Windows 7 Pro 64 client. My client loses trust relationship every 30 days like clockwork, but can be restored manually. I will attach my smb.conf and client log. Let me know if I should provide more.

Jonathan Heard (jon-launchpad-jeh) wrote :

I am seeing the same problem..... I introduced a Win7 Pro (Retail) client to the domain during January 2010, then sometime late in February, the client lost its trust relationship. So I rejoined it to the domain, and again today, the user has complained that the Trust Relationship is lost. All other Domain members are running Vista Business and do not experience this problem.

I've attached smb.conf, log.nmbd (only mentions a Win7 Pro [OEM] Client called 'ANDREW-PC', which was joined about two weeks ago), log.smbd and also log.win7pro32-pc which shows the actual denial of access.

There are now three Win7 Pro clients on this domain and I'm anticipating that the new ones will lose their trust relationship sometime too! Fixing the problem remotely is a pain as I have to get a user to log in to a local admin account and enable remote access for me.

Samba data store is "passdb backend = tdbsam".

To rejoin the domain I do:
1) Logon as local administrator.
2) pdbedit -x [MACHINE_NAME]$
3) Use Windows Network Identity Wizard to Join the domain "Total", keeping Computer Name the same.

I am willing to alter my configuration or test any proposed fixes for this problem, and I'm happy to provide further logs or debug if required.

Jonathan Heard (jon-launchpad-jeh) wrote :

Oh and Samba version is:
# smbstatus -V
Version 3.4.0

# dpkg --list | grep samba
ii egroupware-sambaadmin 1.6.001+dfsg-2 web-based groupware suite - Samba administra
ii samba 2:3.4.0-3ubuntu5.6 SMB/CIFS file, print, and login server for U
ii samba-common 2:3.4.0-3ubuntu5.6 common files used by both the Samba server a
ii samba-common-bin 2:3.4.0-3ubuntu5.6 common files used by both the Samba server a
ii samba-doc 2:3.4.0-3ubuntu5.6 Samba documentation

Ubuntu release is Karmic (9.10) - Live-Upgraded from Jaunty.

Michele Azzolari (macno) wrote :

Don't know if it will work, but today I removed the Windows 7 from the domain, changed the HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange to 1, rejoined the domain.
We will see in 30 days.

Jonathan Heard (jon-launchpad-jeh) wrote :

BUMP! This is becoming a real Pain in the backside now.. The more Windows 7 Clients I add the more times each month I'm disturbed to rejoin machines to the Domain after they've lost their trust relationship.

Can anyone shed any light on this problem??? Either an explanation of why it happens, how to prevent it, or whether upgrading to Ubuntu 10.04LTS will make any odds.

Many thanks in advance to anyone who can help.

Rait Tammik (irxuke) wrote :

Previous comment by macno is the best guess to prevent it. As you can see, it was posted roughly 29 days ago, so wait a few days; hopefully he/she will report back and we all will be wiser.

Nic (nicolas-hesler) wrote :

Why not change the HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge to 1 or 2 and see what happens with DisablePasswordChange changed to 1? I can't test right now. Anyone else care to?

Michele Azzolari (macno) wrote :

Today, 30 days after the change, user logged in without any problem.
I'll give you another feedback on Monday

Michele

Michele Azzolari (macno) wrote :

I confirm that workaround used in #9 works.

Myles Braithwaite (myles-braithwaite) wrote :

The issue seems to be that the workstation user accounts change their passwords every 30 days. Take a look at one of my workstation's log files:

[2010/06/24 09:43:25, 1] auth/auth_util.c:577(make_server_info_sam)
  User WORKSTATION29$ in passdb, but getpwnam() fails!
[2010/06/24 09:43:25, 0] auth/auth_sam.c:355(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
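
Added example, not part of the bug thread and not Samba or OpenLDAP code: a small scanner that flags the two log signatures quoted in this report, the smbd "in passdb, but getpwnam() fails" entry for a machine account and the slapd "invalid dn" search with an empty RDN value. The sample input is constructed from the lines quoted above plus one made-up unrelated entry; the finding names and function names are assumptions of this example.

```python
import re

# Constructed sample: lines quoted in this report, one made-up unrelated
# smbd entry, and the slapd syslog line (in practice these are separate files).
SAMPLE_LOG = """\
[2010/06/24 09:43:25, 1] auth/auth_util.c:577(make_server_info_sam)
  User WORKSTATION29$ in passdb, but getpwnam() fails!
[2010/06/24 09:43:25, 0] auth/auth_sam.c:355(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2010/06/24 09:44:02, 1] smbd/service.c:1063(make_connection_snum)
  constructed-pc (10.0.0.5) connect to service share as user alice
Jan 28 08:54:03 server1 slapd[1497]: conn=2365 op=2 do_search: invalid dn (sambaDomainName=,sambaDomainName=DOMAIN,dc=domain,dc=local)
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] (?P<src>\S+)$")
GETPWNAM = re.compile(r"User (?P<acct>\S+\$) in passdb, but getpwnam\(\) fails")
INVALID_DN = re.compile(r"slapd\[\d+\]: .*do_search: invalid dn \((?P<dn>[^)]*)\)")

def smbd_records(text):
    """Group smbd entries: a '[timestamp, level] source' header line
    followed by one or more indented message lines."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {**m.groupdict(), "msg": ""}
            records.append(current)
        elif current is not None and line.startswith(" "):
            current["msg"] += line.strip() + " "
        else:
            current = None  # not part of an smbd entry (e.g. a syslog line)
    return records

def trust_findings(text):
    """Return (kind, timestamp, detail) tuples for the two signatures."""
    findings = []
    for rec in smbd_records(text):
        m = GETPWNAM.search(rec["msg"])
        if m:  # machine accounts end in '$'
            findings.append(("machine_account_unresolved", rec["ts"], m["acct"]))
    for line in text.splitlines():
        m = INVALID_DN.search(line)
        # An RDN such as 'sambaDomainName=' has an attribute but no value.
        if m and any(rdn.endswith("=") for rdn in m["dn"].split(",")):
            findings.append(("ldap_empty_rdn", line[:15], m["dn"]))
    return findings

if __name__ == "__main__":
    for finding in trust_findings(SAMPLE_LOG):
        print(finding)
```
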
