Forums

AndyL
AndyL
Offline
Resolved
0 votes
We had a bit of an oddity this morning when we tried to log on. On our Windows 7 machines, we had a message "the trust between this machine and the domain controller has failed". On the third log in attempt, it suceeded. The Windows XP machines seemed to log on ok with no problem. Below is the log file for my Windows 7 machine (LT1) log on.

[2010/03/08 09:11:06, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client LT1 machine account LT1$
[2010/03/08 09:11:07, 1] smbd/session.c:111(session_claim)
Re-using invalid record
[2010/03/08 09:11:41, 1] smbd/session.c:111(session_claim)
Re-using invalid record
[2010/03/08 09:11:41, 1] smbd/service.c:1063(make_connection_snum)
lt1 (10.0.0.83) connect to service andy.lawton initially as user andy.lawton (uid=1000, gid=400) (pid 8479)
[2010/03/08 09:11:42, 1] smbd/service.c:1063(make_connection_snum)
lt1 (10.0.0.83) connect to service netlogon initially as user andy.lawton (uid=1000, gid=400) (pid 8479)
[2010/03/08 09:11:54, 1] smbd/service.c:1240(close_cnum)
lt1 (10.0.0.83) closed connection to service netlogon
[2010/03/08 17:07:44, 0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/03/08 17:07:44, 0] lib/util_sock.c:1491(get_peer_addr_internal)
getpeername failed. Error was Transport endpoint is not connected
read_fd_with_timeout: client 0.0.0.0 read error = No route to host.
[2010/03/08 17:07:44, 1] smbd/service.c:1240(close_cnum)
lt1 (10.0.0.83) closed connection to service andy.lawton
[2010/03/09 09:11:14, 1] smbd/session.c:111(session_claim)
Re-using invalid record
[2010/03/09 09:11:14, 1] smbd/service.c:1063(make_connection_snum)
lt1 (10.0.0.83) connect to service andy.lawton initially as user andy.lawton (uid=1000, gid=400) (pid 12383)
[2010/03/09 09:11:14, 1] smbd/service.c:1063(make_connection_snum)
lt1 (10.0.0.83) connect to service netlogon initially as user andy.lawton (uid=1000, gid=400) (pid 12383)
[2010/03/09 09:11:24, 1] smbd/service.c:1240(close_cnum)
lt1 (10.0.0.83) closed connection to service netlogon
[2010/03/09 14:17:01, 0] smbd/nttrans.c:2119(call_nt_transact_ioctl)
call_nt_transact_ioctl(0x900eb): Currently not implemented.
[2010/03/09 17:19:46, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:19:46, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:51:08, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:51:08, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:51:08, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:51:08, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:51:08, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:51:08, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:51:08, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:51:08, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:51:08, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:51:08, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 17:51:08, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 18:41:07, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 18:41:07, 1] smbd/service.c:676(make_connection_snum)
create_connection_server_info failed: NT_STATUS_ACCESS_DENIED
[2010/03/09 19:19:22, 0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/03/09 19:19:22, 0] lib/util_sock.c:1491(get_peer_addr_internal)
getpeername failed. Error was Transport endpoint is not connected
read_fd_with_timeout: client 0.0.0.0 read error = No route to host.
[2010/03/09 19:19:22, 1] smbd/service.c:1240(close_cnum)
lt1 (10.0.0.83) closed connection to service andy.lawton
[2010/03/10 09:04:53, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client LT1 machine account LT1$
[2010/03/10 09:04:53, 1] smbd/session.c:111(session_claim)
Re-using invalid record
[2010/03/10 09:05:26, 1] smbd/session.c:111(session_claim)
Re-using invalid record
[2010/03/10 09:05:26, 1] smbd/service.c:1063(make_connection_snum)
lt1 (10.0.0.83) connect to service andy.lawton initially as user andy.lawton (uid=1000, gid=400) (pid 26091)
[2010/03/10 09:05:26, 1] smbd/service.c:1063(make_connection_snum)
lt1 (10.0.0.83) connect to service netlogon initially as user andy.lawton (uid=1000, gid=400) (pid 26091)
[2010/03/10 09:05:39, 1] smbd/service.c:1240(close_cnum)
lt1 (10.0.0.83) closed connection to service netlogon
[2010/03/10 13:44:18, 1] smbd/service.c:1240(close_cnum)
lt1 (10.0.0.83) closed connection to service andy.lawton
[2010/03/10 15:34:12, 1] smbd/session.c:111(session_claim)
Re-using invalid record
[2010/03/10 15:34:12, 1] smbd/service.c:1063(make_connection_snum)
lt1 (10.0.0.83) connect to service andy.lawton initially as user andy.lawton (uid=1000, gid=400) (pid 6427)
[2010/03/10 18:10:33, 1] smbd/service.c:1240(close_cnum)
lt1 (10.0.0.83) closed connection to service andy.lawton
[2010/03/11 09:14:37, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client LT1 machine account LT1$
[2010/03/11 09:14:37, 1] smbd/session.c:111(session_claim)
Re-using invalid record
[2010/03/11 09:15:11, 1] smbd/session.c:111(session_claim)
Re-using invalid record
[2010/03/11 09:15:11, 1] smbd/service.c:1063(make_connection_snum)
lt1 (10.0.0.83) connect to service andy.lawton initially as user andy.lawton (uid=1000, gid=400) (pid 474)
[2010/03/11 09:15:12, 1] smbd/service.c:1063(make_connection_snum)
lt1 (10.0.0.83) connect to service netlogon initially as user andy.lawton (uid=1000, gid=400) (pid 474)
[2010/03/11 09:15:27, 1] smbd/service.c:1240(close_cnum)
lt1 (10.0.0.83) closed connection to service netlogon
[2010/03/11 17:10:23, 1] smbd/service.c:1240(close_cnum)
lt1 (10.0.0.83) closed connection to service andy.lawton
[2010/03/12 09:18:28, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client LT1 machine account LT1$
[2010/03/12 09:18:28, 1] smbd/session.c:111(session_claim)
Re-using invalid record
[2010/03/12 09:19:03, 1] smbd/session.c:111(session_claim)
Re-using invalid record
[2010/03/12 09:19:03, 1] smbd/service.c:1063(make_connection_snum)
lt1 (10.0.0.83) connect to service andy.lawton initially as user andy.lawton (uid=1000, gid=400) (pid 10499)
[2010/03/12 09:19:03, 1] smbd/service.c:1063(make_connection_snum)
lt1 (10.0.0.83) connect to service netlogon initially as user andy.lawton (uid=1000, gid=400) (pid 10499)
[2010/03/12 09:19:16, 1] smbd/service.c:1240(close_cnum)
lt1 (10.0.0.83) closed connection to service netlogon


We all eventually logged on Ok and all seems well.
I have made no changes to the server at all since it was installed at the beginning of the year.
No extra packages are installed.
Should I be worried about this? Anyone know what it means?
Friday, March 12 2010, 11:29 AM
Share this post:
Responses (13)
  • Accepted Answer

    Tuesday, April 20 2010, 02:04 AM - #Permalink
    Resolved
    1 votes
    Tim Burgess wrote:
    Glad you found the solution! I recall that cropping up elsewhere for Windows 2008... that ought to be added to the Primary Domain Controller how to

    I've also amended my Windows7DomainFix.reg to include the above :)


    Tim,

    Please do NOT include that registry change for Windows 7. The fact that the client can connect (user can login) after many reties means that NTLM2 is NOT the problem, if it was the problem the login would fail every time. This comment is added to avoid spreading folk-lore that is plainly wrong.

    Please check the original poster's log fragment - it contains a warning that the transport endpoint was disconnected. This means that Samba tried to respond to the client, but the client dropped the network connection.

    The most common causes of the client dropping the connection is a network transport layer problem. Usually this is caused by something as simple as a bad NIC, a bad switch, or (in the case of a Realtek NIC) occassionally use of the incorrect NIC driver.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, March 12 2010, 12:22 PM - #Permalink
    Resolved
    0 votes
    There has been an issue with samba account passwords expiring, which may also be affecting your machine trust accounts - can you check the output of the following

    pdbedit -u LT1$ -v | grep -i password

    Password last set: Sat, 20 Feb 2010 14:15:17 GMT
    Password can change: Sat, 20 Feb 2010 14:15:17 GMT
    Password must change: never
    Last bad password : 0
    Bad password count : 0

    Where LT1$ appears to be your machine account name

    Do you have all the recent updates applied to ClearOS? there have been some Samba upgrades recently
    The reply is currently minimized Show
  • Accepted Answer

    Friday, March 12 2010, 12:24 PM - #Permalink
    Resolved
    0 votes
    Oh and for the actual use themselves ...
    pdbedit -u username -v | grep -i password
    The reply is currently minimized Show
  • Accepted Answer

    AndyL
    AndyL
    Offline
    Friday, March 12 2010, 12:30 PM - #Permalink
    Resolved
    0 votes
    The output of pdbedit is:

    Password last set: Fri, 05 Mar 2010 09:25:11 GMT
    Password can change: Fri, 05 Mar 2010 09:25:11 GMT
    Password must change: Wed, 01 Sep 2010 10:25:11 BST
    Last bad password : 0
    Bad password count : 0

    The last updates are from the Software Updates page:
    :
    samba - Samba SMB client and server 3.4.6-1.1.v5 03/04/10 03/04/10
    samba-client - Samba (SMB) client programs. 3.4.6-1.1.v5 03/04/10 03/04/10
    samba-common - Files used by both Samba servers and clients. 3.4.6-1.1.v5 03/04/10 03/04/10
    samba-schema - Samba LDAP schema 3.4.6-1.1.v5 03/04/10 03/04/10
    samba-winbind - Samba winbind 3.4.6-1.1.v5 03/04/10 03/04/10

    So it looks like the passwords are set to expire - but not for a while yet. How do I change that?
    The reply is currently minimized Show
  • Accepted Answer

    Friday, March 12 2010, 12:52 PM - #Permalink
    Resolved
    0 votes
    There is another recent update to 3.4.7-1 which should include the changes. The original bug was submitted on the 2nd Mar so may have just missed the 3.4.6 update... ClearCenter update page doesn't show 3.4.7 yet
    http://clearsdn.clearcenter.com/software/browse.php?pid=10510

    yum clean all
    yum upgrade

    From the console should do the trick
    The reply is currently minimized Show
  • Accepted Answer

    AndyL
    AndyL
    Offline
    Friday, March 12 2010, 01:43 PM - #Permalink
    Resolved
    0 votes
    That seems to have done the trick with the password expiry date.

    Let's see if we get the same problems on Monday!

    Many thanks Tim.
    The reply is currently minimized Show
  • Accepted Answer

    AndyL
    AndyL
    Offline
    Monday, March 15 2010, 10:55 AM - #Permalink
    Resolved
    0 votes
    Well it's Monday morning and the same problem seems to still be here. It took me 4 attempts to log in this morning, with the "failed trust" error as before. One of the users had a problem with his XP machine, with the error being along the lines of the machine was not recognised. Trying a few more times allows you to log in.

    The log file shows:

    [2010/03/15 09:14:52, 0] rpc_server/srv_netlog_nt.c:603(_netr_ServerAuthenticate3)
    _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client LT1 machine account LT1$
    [2010/03/15 09:14:53, 1] smbd/session.c:111(session_claim)
    Re-using invalid record
    [2010/03/15 09:15:27, 1] smbd/session.c:111(session_claim)
    Re-using invalid record
    [2010/03/15 09:15:27, 1] smbd/service.c:1063(make_connection_snum)
    lt1 (10.0.0.83) connect to service andy.lawton initially as user andy.lawton (uid=1000, gid=400) (pid 2837)
    [2010/03/15 09:15:28, 1] smbd/service.c:1063(make_connection_snum)
    lt1 (10.0.0.83) connect to service netlogon initially as user andy.lawton (uid=1000, gid=400) (pid 2837)
    [2010/03/15 09:15:38, 1] smbd/service.c:1240(close_cnum)
    lt1 (10.0.0.83) closed connection to service netlogon

    Any ideas Samba experts?
    The reply is currently minimized Show
  • Accepted Answer

    AndyL
    AndyL
    Offline
    Friday, April 16 2010, 11:25 AM - #Permalink
    Resolved
    0 votes
    I think I have a possible solution to this problem - I have logged in and out a few times with no issues, so so far, so good.

    There are two ways to make the change to Windows 7:

    - Open your security policy manager (start/run secpol.msc)
    - Select Local Policies -> Security Options
    - Navigate to the policy "Network Security: LAN Manager authentication level" and open it
    - Change the default policy to "Send LM & NTLM - use NTLMv2 session security if negotiated"

    or change the following registry setting :
    (you can put this in a reg file)

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "LmCompatibilityLevel"=dword:00000001

    As default, win7 uses NTLMv2. WindowsXP uses LM & NTLM. It's a bit less secure apparently, but I'm not worried about that.

    I'll keep an eye on it, but so far so good.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, April 16 2010, 12:01 PM - #Permalink
    Resolved
    0 votes
    Glad you found the solution! I recall that cropping up elsewhere for Windows 2008... that ought to be added to the Primary Domain Controller how to

    I've also amended my Windows7DomainFix.reg to include the above :)
    The reply is currently minimized Show
  • Accepted Answer

    Tuesday, April 20 2010, 03:08 PM - #Permalink
    Resolved
    0 votes
    John, thank you for keeping us on the straight and narrow :)

    I've removed it from the registry file
    The reply is currently minimized Show
  • Accepted Answer

    Ivan
    Ivan
    Offline
    Monday, July 04 2011, 01:33 PM - #Permalink
    Resolved
    0 votes
    Hi Andy,


    Did "LmCompatibilityLevel"=dword:00000001" finally fix your problem ? Or you had to add something in addition ?

    Kind Regards
    The reply is currently minimized Show
  • Accepted Answer

    AndyL
    AndyL
    Offline
    Monday, July 04 2011, 01:38 PM - #Permalink
    Resolved
    0 votes
    Since I posted that question, there have been a lot of changes where I work - one of them primarily being that we don't use the domain at the moment.
    However, I do not believe that you need that registry entry. See John Terpstra's reply in this thread.
    The reply is currently minimized Show
  • Accepted Answer

    Ivan
    Ivan
    Offline
    Monday, July 04 2011, 01:42 PM - #Permalink
    Resolved
    0 votes
    I'll continue to chase it.. probably it happens after upgrade and is related to the group mapping..

    Many Thanks for your prompt reply !!
    The reply is currently minimized Show
Your Reply