    Permissions problems with Samba PDC, Samba Domain Member and XP workstation combo.


    I have not been able to figure out why I am getting the following error in the scenario that I have:
    "The trust relationship between this workstation and the primary domain failed"

    Some of the configs may look a bit too permissive. I was attempting to open it up and then close shares etc. again once I resolved the issue.

    In general I have a Samba PDC which uses LDAP and kerberos for authentication. I am using:

    smbldap-tools 0.9.5-1
    samba 3.0.28
    openldap 2.3.27-8
    kerberos 1.6.1-25
    CentOS 5.2

    I have read about problems with samba 3.0.23 in this area but it sounded like that was resolved. Is that still an issue?

    I have a Samba PDC with the following smb.conf:
    # Section headers were lost from the posted text and are reconstructed here;
    # the share name for /home/samba/stmp is not in the post and is assumed.
    [global]
            idmap gid = 16777216-33554431
            delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
            time server = yes
            dns proxy = no
            cups options = raw
            netbios name = HMDCSIN
            ldap passwd sync = yes
            idmap uid = 16777216-33554431
            logon script = logon.bat
            local master = yes
            workgroup = HMDCS1
            os level = 65
            debug level = 256
            ldap admin dn = cn=manager,dc=ldapsrv,dc=in,dc=localdomain,dc=local
            printcap name = /etc/printcap
            security = user
            add machine script = /usr/sbin/smbldap-useradd -w "%m"
            delete user script = /usr/sbin/smbldap-userdel "%u"
            log level = 10
            log file = /var/log/samba/%m.log
            load printers = yes
            ldap user suffix = ou=Users
            add group script = /usr/sbin/smbldap-groupadd -p "%g"
            delete group script = /usr/sbin/smbldap-groupdel "%g"
            logon drive =
            domain master = yes
            encrypt passwords = yes
            winbind use default domain = no
            # the post listed this line twice; only the last occurrence takes effect
            passdb backend = ldapsam:ldap://
            logon home =  \\HMDCSIN\homedir\%U
            template shell = /bin/false
            wins support = true
            ldap delete dn = yes
            ldap group suffix = ou=Groups
            server string = Samba Server Version %v
            ldap machine suffix = ou=Users
            ldap suffix = dc=ldapsrv,dc=in,dc=localdomain,dc=local
            logon path =
            add user script = /usr/sbin/smbldap-useradd -m "%u"
            set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
            syslog = 3
            domain logons = yes
    [homes]
            comment = Home Directories
            browseable = no
            writable = yes
            valid users = %S
            read only = No
            create mask = 0644
            directory mask = 0775
            path = /home/samba/homedir/%U
    [stmp]
            browseable = yes
            writable = yes
            path = /home/samba/stmp
            guest ok = yes
            comment = Students Temporary file space
            public = yes
            create mode = 777
            directory mode = 777
    [netlogon]
            comment = Network Logon Service
            path = /home/samba/netlogon
            guest ok = yes
            writable = no
            share modes = no

    I have a Samba Domain member with the following smb.conf:
    # Section headers were lost from the posted text and are reconstructed here;
    # the share name for /home/samba/stmp is not in the post and is assumed.
    [global]
            netbios name = ldb15.local
            local master = No
            workgroup = HMDCS1
            os level = 33
            security = domain
            max log size = 1000
            log level = 10
            log file = /var/log/samba/%m.log
            wins server =
            domain master = No
    #       password server = *
    #       logon home =
    #       server string = Samba Server Version %v
    #       logon path =
            syslog = 10
    #       preferred master = no
    [homes]
            comment = Home Directories
            path = /home/samba/homedir/%U
            valid users = %S
            read only = No
            create mask = 0644
            directory mask = 0777
    [stmp]
            browseable = Yes
            guest ok = Yes
            comment = Students Temporary file space
            path = /home/samba/stmp
            read only = No
            guest ok = Yes

    I have added a machine account for the domain member to the Samba PDC using smbldap-useradd. It allowed me to perform the join successfully. Although it might have lied.

    The XP workstation has successfully joined the HMDCS1 domain and when I log in as an authenticated user, I can see HMDCSIN, the XP workstation and the Samba Domain member, all listed under HMDCS1 Domain. Looks good.

    If I click on HMDCSIN, I get shares, if I click on ibm_01 (the XP workstation), I get shares. If I click on the Samba Domain member I get the above error.

    I've been looking at the logs on both sides since the weekend. Using Wireshark, no nasty messages. I just can't see an obvious problem. Do I possibly have some of the settings conflicting between the PDC and the DM? There are likely a lot more details I could post but not sure if they are necessary at this time or would just clutter up the posting.

    Any suggestions on what the next debugging step I might take is? Docs I might have missed? What's it thinking right about then?

    I have re-joined the workstation a couple of times.


    Okay, I ended up making the following changes to smb.conf on the Domain member:

    password server = <hostname>
    realm = <realm>

    That's pretty much it. Deleted the machine account on the PDC, did a testjoin to make sure it was dead. Changed my hostname (had a conflict) and then rejoined.

    Now I can see the Domain Member and go into all but one directory so that's minor. However, now I'm not sure if this is how I need to accomplish my goal.

    I have a school setup with Samba PDC/LDAP/Kerberos, Samba Domain member, which will authenticate against the LDAP/Kerberos on the PDC. When a student logs in I want their home directory to be on the Domain member, but if a staff member logs in, I want their home directory to be on the PDC. Any suggestions of the Samba configuration I would need? Or is it just a login script issue I need to look at?

    Last edited by lindad; 11-05-2008 at 11:39 PM. Reason: add braces around realm
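The question in the first post about settings conflicting between the PDC and the domain member can be checked mechanically before touching the join again. The script below is an added example, not from the post or from Samba: the two smb.conf fragments it reads are constructed, trimmed from the posted ones (including the duplicated `passdb backend` line), and its checks cover a key set twice, `security = domain` without a `password server` (the line the eventual fix added), an empty `wins server` while the PDC has `wins support`, and a workgroup mismatch.

```python
"""Added example, not from the post: lint [global] of a PDC vs member smb.conf (constructed configs)."""
import re
from collections import Counter

PDC_CONF = """[global]
    workgroup = HMDCS1
    security = user
    wins support = true
    passdb backend = ldapsam:ldap://
    passdb backend = ldapsam:ldap://
"""
MEMBER_CONF = """[global]
    workgroup = HMDCS1
    security = domain
    wins server =
#   password server = *
"""

def parse_global(text):
    """Return ([global] key -> value, Counter of how often each key appears)."""
    section, values, seen = "global", {}, Counter()  # keys before any header are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":              # smb.conf comment lines
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            key = " ".join(key.split()).lower()      # keys ignore case and spacing
            values[key] = val.strip()
            seen[key] += 1
    return values, seen

def check_pair(pdc_text, member_text):
    """Return warnings about settings that conflict between PDC and member."""
    pdc, pdc_seen = parse_global(pdc_text)
    mem, mem_seen = parse_global(member_text)
    warnings = [f"{who}: '{k}' set {n} times; the last value wins"
                for who, seen in (("pdc", pdc_seen), ("member", mem_seen))
                for k, n in seen.items() if n > 1]
    if pdc.get("workgroup", "").lower() != mem.get("workgroup", "").lower():
        warnings.append("workgroup differs between PDC and member")
    if mem.get("security", "").lower() == "domain" and not mem.get("password server"):
        warnings.append("member: security = domain but no 'password server'")
    if pdc.get("wins support", "").lower() in ("yes", "true") and not mem.get("wins server"):
        warnings.append("member: 'wins server' empty although the PDC runs WINS")
    return warnings
```

Run it against the real files with `check_pair(open("/etc/samba/smb.conf").read(), member_text)` after copying the member's smb.conf over; an empty list means none of these particular conflicts is present.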

