
I am struggling with a trust relationship issue between a Windows 7 machine and my company's Samba 3 domain controller. The issue is only arising when I try to add a domain user to my machine for admin permissions. I have adjusted the machine's registry as per https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains under Windows 7. The machine joins the domain just fine, but when I go to add a domain user to the machine I get "The user could not be added because the following error has occurred: The trust relationship between this workstation and the primary domain failed."

Things we've tried: leaving and rejoining the domain, resetting the workstation to factory settings and starting over (regedit first).

I've tried to find the answer to this issue and everything I've come across is fixed by leaving and rejoining the domain.

I am relatively new to this field, so I apologize if I've missed vital information or reports I should be including; if so, please ask me for whatever it is and I'll do my best to provide it.

Thank you.

B Bensen

1 Answer


Welcome to the club. Getting domain joins to work can be a black art, sometimes...

Samba needs an OS-level user for the machine, too. This user needs to have the format name$, where name is the machine name which you're trying to join, and $ is exactly that -- a dollar sign. If you use winbindd this happens automatically, but if you don't then you need to create that username yourself (e.g., by adding it to /etc/passwd).

Check if that user exists: run getent passwd machine$. If it doesn't, add it, or check if winbindd is working properly.

Apart from at the OS level, samba also needs to have the machine account in its own accounts database. In theory it should be possible for samba to add this on the fly when the join is attempted; but I find that in practice, it's more likely to work if you create them manually beforehand:

smbpasswd -m -a machine

Note: smbpasswd wants the machine name without the trailing $-sign (just to keep things interesting, I guess). The -m tells smbpasswd that you're dealing with a machine account; the -a tells it that you want it added to the database.

If all that doesn't help, play with the log level parameter in your smb.conf and look closely at the logs (post them if you can't figure it out).

Wouter Verhelst
  • Thank you so much! Disconnected, renamed, set up the name as you suggested, reconnected, and now everything is working as expected. Thank you again! – B Bensen Jul 22 '16 at 12:44
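
A read-only preflight check for the two accounts the answer describes (the OS-level name$ user and the entry in Samba's own account database), as an added example that is not part of the original answer. The function names are made up here, listing the database with pdbedit -L is a choice of this example rather than something the answer uses, and reading the database is assumed to require root.

```shell
#!/bin/sh
# Added example: report whether a workstation's machine account exists
# at the OS level and in Samba's account database. It changes nothing.

# Accept either "ws01" or "ws01$" and return the bare machine name.
# smbpasswd wants the bare name; getent wants the name with the "$".
base_name() {
    printf '%s\n' "${1%\$}"
}

# OS-level account: must resolve as "name$" (from /etc/passwd or winbindd).
# The "$" is quoted so the shell never treats it as an expansion.
has_unix_account() {
    getent passwd "$(base_name "$1")\$" >/dev/null 2>&1
}

# Samba database: pdbedit -L prints one "user:uid:fullname" line per account.
# The match is case-insensitive (an assumption made for convenience).
has_samba_account() {
    pdbedit -L 2>/dev/null | cut -d: -f1 | grep -Fqxi "$(base_name "$1")\$"
}

# Returns 0 if both exist, 1 if the OS user is missing,
# 2 if the Samba entry is missing, 3 if both are missing.
check_machine() {
    name=$(base_name "$1")
    status=0
    if has_unix_account "$name"; then
        echo "ok: OS-level user ${name}\$ exists"
    else
        echo "missing: OS-level user ${name}\$ (add it, or check winbindd)"
        status=1
    fi
    if has_samba_account "$name"; then
        echo "ok: Samba machine account ${name}\$ exists"
    else
        echo "missing: Samba machine account; create it with: smbpasswd -m -a ${name}"
        status=$((status + 2))
    fi
    return "$status"
}

# Usage: sh check_machine.sh WS01   (WS01 is a placeholder machine name)
if [ "$#" -gt 0 ]; then
    check_machine "$1"
fi
```
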