joop gerritse's picture

Hello, *

we have a server (Debian) running Samba version 3.6.6 serving about twenty workstations running Windows 7.
All of a sudden, all users are unable to log in, with the message "The trust relationship between this workstation and the primary domain failed."
Some googling shows that the problem is not unknown, and the usual solution seems to be to remove it from the domain, set it to a workgroup (then restarting the client), then reinstating the domain membership (then restarting the client; it remains windows, after all...), then again trying to log in. Unfortunately, the message does not go away.
I tried a few other things, e.g. removing the machine entry from the server (by deleting it from /etc/passwd and the samba database, then reinstating it), also to no avail. And of course entering a new user and trying if he would be able to log in, nope.
I have also found that at some time, the local DNS (which is maintained by the ISP) gave a wrong IP address back when I pinged the Linux server. That might explain the problem (if the login server is not found, it would be hard to establish any relation whatsoever :-) ); however, after this problem was corrected, the login problem still existed.
Now we seem to be stuck. Any suggestion is welcome...

Jeremy Davis's picture

I am not very familiar with Samba so have no advice for you really, sorry.

Probably not much help, but I guess worst case scenario you could try to update to a newer version and/or recreate the server? FWIW Samba4 (as included in Debian Jessie/TurnKey v14.x) can be configured the same as Samba3 essentially; or can instead be configured as an AD domain controller. It can also be configured as an AD domain member but we don't have a pre-baked option for that.

FYI Our fileserver appliance uses Samba3 type config to act as network storage server whereas our Domain Controller is configured as a Samba4 AD DC.

joop gerritse's picture

Thank you. I have thought of an update, but I am afraid that it will only make things worse. Problem is, it always worked, until our ISP (who also manages our local DNS server) created a problem. Then I found that ping linuxserver no longer replied from its fixed address 10.0.0.3, but instead from 10.0.0.4.

Of course that would account for not being able to login, but unfortunately, after the DNS problem was fixed, the logins still did not work.

I do not know a lot about Windows (except that it is complicated) -- it seems to use DNS to find the PDC, but there it stops. I do not even know which name it uses to find the PDC, and that makes it difficult to fix it.

Jeremy Davis's picture

I have a bit of experience with Windows AD but nothing significant. Previously I've done sysadmin on a small AD network which used server 2003r2; I later upgraded it to Server 2008r2. So I know a little about the Win side. However beyond simple file sharing I've never really used Samba. I did a bit of work on our DC appliance but I'm still no expert.

Is this server running on hardware or is it a VM? If it's a VM (or you have facility to host one somewhere) perhaps you could do some tests with a new server (look to replace the old one)?

And yes, in an AD domain, DNS is REALLY important. In Windows AD networks I have set up (using Windows Server) I have always used the DC as the DNS provider. My understanding is that it should be that way... The DNS can then forward requests elsewhere but it needs the right entries for AD to work properly. So all domain members should be getting DNS from the DC. Obviously that requirement isn't so strict for Samba, but AFAIK the theory remains. As I said Samba4 DC should work OOTB...

joop gerritse's picture

No, it is no VM. It is running Linux, Samba is just an application. And file access from the work stations works perfectly. And login-- well I never liked it, but until now, it at least worked.

Jeremy Davis's picture

I just realised that you may not be using TurnKey Linux... Seeing as this is our forums I just assumed you were... If not TurnKey then what distro are you using?

I know that there have been some recent security updates to Samba (at least in Debian/TurnKey but probably others too). Perhaps that has resulted in tougher requirements? Perhaps your network was (inadvertently) relying on the security bug?

Dan Jebens's picture

We are having the same issue. Started right after the 14.1 upgrade. I believe it is a bug but just not documented yet. If I find something I will post here. Please do the same.

 

Dan

Jeremy Davis's picture

Are you using the Domain Controller appliance or the Fileserver? When you say it "Started right after the 14.1 upgrade" does that mean you upgraded your server too? Or did it just happen around that time?

As I just posted above I know that Samba security patches have recently rolled out. There was a bug initially but it was resolved. The bug actually appeared to totally break Samba though so I'm not sure if you have the same issue.

FWIW the manual intervention for the Samba issue was:

apt-get update
apt-get install -f

Dan Jebens's picture

Hi Jeremy,

It turns out my issues seem unrelated to the 14.1 upgrade other than they happened around the same time. We have had TL DC appliance for 3 years and had only 1 issue other than this. We use the TL device as an NT4 style Domain Controller and have a Synology NAS box that is joined to the domain as our fileserver. The DC validates our Windows client logins and little else. As such we run on some thin hardware (a Zotac zBox, 8gb Ram, 64gb SSD). Our system seems to be running TL13 (Debian 7 and Samba 3.6.6) and is set for automatic updates over the weekend.

Of course while I was on vacation something went wrong and no one could login to their windows machines unless they unplugged their NIC cable to use the cached login.  The message they get is the trust relationship has failed.

It is kind of weird since I can add a machine to the Domain but then get the message the domain controller can't be contacted or my machine has no account on the domain (yet I can see the new machine on the users list with a $ in its name). 

I have tried all the suggestions in this thread, tried a new install on duplicate hardware.  Unlike others my system isn't coming online.  It seems like some of the samba functions are working but not the login piece.

Most of our systems are in the cloud so the DC and Fileserver aren't critical to our operations but a few people use the fileserver extensively and I just created local accounts on the NAS to get them operational.  The fileserver can not see the domain users or groups either.

Any ideas? Are there any TL consultants that I could hire to help with this issue? 

Dan

Jeremy Davis's picture

As you may have picked up elsewhere, some serious security issues recently got patched in Samba. Perhaps your configuration was relying on one of the fixed bugs? Or as you suggested perhaps there was some regression that many have not noticed.

TBH none of us TKL folks are Samba experts and as we're all Linux users we don't have easy access to the means to test or fiddle (i.e. Windows). Perhaps you could find someone to help you out on Upwork? We've posted jobs there before and had some great successes (although it can sometimes be something of a hit-and-miss). There are other freelancer type sites about too which might be worth a look?

Dan Jebens's picture

Note: I also followed the "Samba does not start" post.  I tried all the solutions in that post as well.

joop gerritse's picture

Although I am the OP, I have been off the Internet, not by choice, but by an act of God ;-) A bolt of lightning struck across the street, and destroyed a lot of telecomms infrastructure. Until yesterday evening I could not even read my email.

I have in the meantime heard that there are really some incompatibility problems with newer releases of Samba on Debian. We have fixed it by downgrading to a lower version. For the time being, that is...
