Hello, *
we have a server (Debian) running Samba version 3.6.6 serving about twenty workstations running Windows 7.
All of a sudden, all users are unable to log in, with the message "The trust relationship between this workstation and the primary domain failed."
Some googling shows that the problem is not unknown, and the usual solution seems to be to remove it from the domain, set it to a workgroup (then restarting the client), then reinstating the domain membership (then restarting the client; it remains Windows, after all...), then again trying to log in. Unfortunately, the message does not go away.
I tried a few other things, e.g. removing the machine entry from the server (by deleting it from /etc/passwd and the samba database, then reinstating it), also to no avail. And of course entering a new user and trying if he would be able to log in, nope.
I have also found that at some time, the local DNS (which is maintained by the ISP) gave a wrong IP address back when I pinged the Linux server. That might explain the problem (if the login server is not found, it would be hard to establish any relation whatsoever :-) ); however, after this problem was corrected, the login problem still existed.
Now we seem to be stuck. Any suggestion is welcome...
Sorry I have no idea...
Probably not much help, but I guess worst case scenario you could try to update to a newer version and/or recreate the server? FWIW Samba4 (as included in Debian Jessie/TurnKey v14.x) can be configured the same as Samba3 essentially; or can instead be configured as an AD domain controller. It can also be configured as an AD domain member but we don't have a pre-baked option for that.
FYI Our fileserver appliance uses Samba3 type config to act as network storage server whereas our Domain Controller is configured as a Samba4 AD DC.
Thank you. I have thought of an update, but I am afraid that it will only make things worse. Problem is, it always worked, until our ISP (who also manages our local DNS server) created a problem. Then I found that ping linuxserver no longer replied from its fixed address 10.0.0.3, but instead from 10.0.0.4.
Of course that would account for not being able to login, but unfortunately, after the DNS problem was fixed, the logins still did not work.
I do not know a lot about Windows (except that it is complicated)-- it seems to use DNS to find the PDC, but there it stops. I do not even know which name it uses to find the PDC, and that makes it difficult to fix it.
The blind leading the blind! :)
Is this server running on hardware or is it a VM? If it's a VM (or you have facility to host one somewhere) perhaps you could do some tests with a new server (look to replace the old one)?
And yes, in an AD domain, DNS is REALLY important. In Windows AD networks I have set up (using Windows Server) I have always used the DC as the DNS provider. My understanding is that it should be that way... The DNS can then forward requests elsewhere but it needs the right entries for AD to work properly. So all domain members should be getting DNS from the DC. Obviously that requirement isn't so strict for Samba, but AFAIK the theory remains. As I said Samba4 DC should work OOTB...
No, it is no VM. It is running Linux, Samba is just an application. And file access from the work stations works perfectly. And login-- well I never liked it, but until now, it at least worked.
Is this TurnKey? Or even Debian?
I know that there have been some recent security updates to Samba (at least in Debian/TurnKey but probably others too). Perhaps that has resulted in tougher requirements? Perhaps your network was (inadvertently) relying on the security bug?
trust relationship fail
We are having the same issue. Started right after the 14.1 upgrade. I believe it is a bug but just not documented yet. If I find something I will post here. Please do the same.
Dan
Thanks for your input Dan
As I just posted above I know that Samba security patches have recently rolled out. There was a bug initially but it was resolved. The bug actually appeared to totally break Samba though so I'm not sure if you have the same issue.
FWIW the manual intervention for the Samba issue was:
Domain Controller issues
Hi Jeremy,
It turns out my issues seem unrelated to the 14.1 upgrade other than they happened around the same time. We have had TL DC appliance for 3 years and had only 1 issue other than this. We use the TL device as a NT4 style Domain Controller and have a Synology NAS box that is joined to the domain as our fileserver. The DC validates our Windows client logins and little else. As such we run on some thin hardware (a Zotac zBox, 8GB RAM, 64GB SSD). Our system seems to be running TL13 (Debian 7 and Samba 3.6.6) and is set for automatic updates over the weekend.
Of course while I was on vacation something went wrong and no one could log in to their Windows machines unless they unplugged their NIC cable to use the cached login. The message they get is the trust relationship has failed.
It is kind of weird since I can add a machine to the Domain but then get the message the domain controller can't be contacted or my machine has no account on the domain (yet I can see the new machine on the users list with a $ in its name).
I have tried all the suggestions in this thread, tried a new install on duplicate hardware. Unlike others my system isn't coming online. It seems like some of the samba functions are working but not the login piece.
Most of our systems are in the cloud so the DC and Fileserver aren't critical to our operations but a few people use the fileserver extensively and I just created local accounts on the NAS to get them operational. The fileserver can not see the domain users or groups either.
Any ideas? Are there any TL consultants that I could hire to help with this issue?
Dan
Hmm, seems really weird...
TBH none of us TKL folks are Samba experts and as we're all Linux users we don't have easy access to the means to test or fiddle (i.e. Windows). Perhaps you could find someone to help you out on Upwork? We've posted jobs there before and had some great successes (although it can sometimes be something of a hit-and-miss). There are other freelancer type sites about too which might be worth a look?
Domain Controller issues addendum
Note: I also followed the "Samba does not start" post. I tried all the solutions in that post as well.
Sorry I have been absent from mail for a while
Although I am the OP, I have been off the Internet, not by choice, but by an act of God ;-) A bolt of lightning struck across the street, and destroyed a lot of telecomms infrastructure. Until yesterday evening I could not even read my email.
I have in the meantime heard that there are really some incompatibility problems with newer releases of Samba on Debian. We have fixed it by downgrading to a lower version. For the time being, that is...