joop gerritse's picture

Hello, *

we have a server (Debian) running Samba version 3.6.6 serving about twenty workstations running Windows 7.
All of a sudden, all users are unable to log in, with the message "The trust relationship between this workstation and the primary domain failed."
Some googling shows that the problem is not unknown, and the usual solution seems to be to remove it from the domain, set it to a workgroup (then restarting the client), then reinstating the domain membership (then restarting the client; it remains Windows, after all...), then again trying to log in. Unfortunately, the message does not go away.
I tried a few other things, e.g. removing the machine entry from the server (by deleting it from /etc/passwd and the samba database, then reinstating it), also to no avail. And of course entering a new user and trying if he would be able to log in, nope.
I have also found that at some time, the local DNS (which is maintained by the ISP) gave a wrong IP address back when I pinged the Linux server. That might explain the problem (if the login server is not found, it would be hard to establish any relation whatsoever :-) ); however, after this problem was corrected, the login problem still existed.
Now we seem to be stuck. Any suggestion is welcome...

Jeremy Davis's picture

I am not very familiar with Samba so have no advice for you really, sorry.

Probably not much help, but I guess worst case scenario you could try to update to a newer version and/or recreate the server? FWIW Samba4 (as included in Debian Jessie/TurnKey v14.x) can be configured the same as Samba3 essentially; or can instead be configured as an AD domain controller. It can also be configured as an AD domain member but we don't have a pre-baked option for that.

FYI Our fileserver appliance uses Samba3 type config to act as network storage server whereas our Domain Controller is configured as a Samba4 AD DC.

Jeremy Davis's picture

I have a bit of experience with Windows AD but nothing significant. Previously I've done sysadmin on a small AD network which used server 2003r2; I later upgraded it to Server 2008r2. So I know a little about the Win side. However beyond simple file sharing I've never really used Samba. I did a bit of work on our DC appliance but I'm still no expert.

Is this server running on hardware or is it a VM? If it's a VM (or you have facility to host one somewhere) perhaps you could do some tests with a new server (look to replace the old one)?

And yes, in an AD domain, DNS is REALLY important. In Windows AD networks I have set up (using Windows Server) I have always used the DC as the DNS provider. My understanding is that it should be that way... The DNS can then forward requests elsewhere but it needs the right entries for AD to work properly. So all domain members should be getting DNS from the DC. Obviously that requirement isn't so strict for Samba, but AFAIK the theory remains. As I said Samba4 DC should work OOTB...

Jeremy Davis's picture

I just realised that you may not be using TurnKey Linux... Seeing as this is our forums I just assumed you were... If not TurnKey then what distro are you using?

I know that there have been some recent security updates to Samba (at least in Debian/TurnKey but probably others too). Perhaps that has resulted in tougher requirements? Perhaps your network was (inadvertently) relying on the security bug?

Jeremy Davis's picture

Are you using the Domain Controller appliance or the Fileserver? When you say it "Started right after the 14.1 upgrade" does that mean you upgraded your server too? Or did it just happen around that time?

As I just posted above I know that Samba security patches have recently rolled out. There was a bug initially but it was resolved. The bug actually appeared to totally break Samba though so I'm not sure if you have the same issue.

FWIW the manual intervention for the Samba issue was:

apt-get update
apt-get install -f

Jeremy Davis's picture

As you may have picked up elsewhere, some serious security issues recently got patched in Samba. Perhaps your configuration was relying on one of the fixed bugs? Or as you suggested perhaps there was some regression that many have not noticed.

TBH none of us TKL folks are Samba experts and as we're all Linux users we don't have easy access to the means to test or fiddle (i.e. Windows). Perhaps you could find someone to help you out on Upwork? We've posted jobs there before and had some great successes (although it can sometimes be something of a hit-and-miss). There are other freelancer type sites about too which might be worth a look?
