Logon not possible with BDC

Hello,

we have a problem at a customer site where users (sometimes) cannot log on to a Windows terminal server as domain users.
The error message is:

“The trust relationship between this workstation and the primary domain failed”

When the backup DC is shut down, however, it always works (according to the local admin).

As far as I remember (I have just been on vacation for 2 weeks), I ran the script
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
and it looked OK.

We have the following UCS version there:
version/erratalevel: 234
version/patchlevel: 3
version/releasename: Vahr
version/version: 4.1

Here is the Samba config from the PDC:

[code]# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warning: This file was generated automatically and may be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
#
#       /etc/univention/templates/files/etc/samba/smb.conf.d/10global
#       /etc/univention/templates/files/etc/samba/smb.conf.d/11univention-smb-service
#       /etc/univention/templates/files/etc/samba/smb.conf.d/21univention-samba_winbind
#       /etc/univention/templates/files/etc/samba/smb.conf.d/31univention-samba_password
#       /etc/univention/templates/files/etc/samba/smb.conf.d/41univention-samba_printing
#       /etc/univention/templates/files/etc/samba/smb.conf.d/51univention-samba_domain
#       /etc/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc
#       /etc/univention/templates/files/etc/samba/smb.conf.d/71univention-samba_users
#       /etc/univention/templates/files/etc/samba/smb.conf.d/81univention-quota_scripts
#       /etc/univention/templates/files/etc/samba/smb.conf.d/90univention-samba_user_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/91univention-samba_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/92univention-samba_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/95univention-samba_local_config
#       /etc/univention/templates/files/etc/samba/smb.conf.d/99univention-samba_local_shares
#

; ---------------------<10global>------------------------
[global]
        debug level     = 1
        logging         = file
        max log size    = 0

        netbios name    = pdc
        server role     = active directory domain controller
        server string   = Univention Corporate Server
        server services = -dns -smb +s3fs -nbt
        server role check:inhibit = yes
        # use nmbd; to disable set samba4/service/nmb to s4
        nmbd_proxy_logon:cldap_server=127.0.0.1
        workgroup       = FIRMA
        realm           = FIRMA.AT

        tls enabled     = yes
        tls keyfile     = /etc/univention/ssl/pdc.firma.at/private.key
        tls certfile    = /etc/univention/ssl/pdc.firma.at/cert.pem
        tls cafile      = /etc/univention/ssl/ucsCA/CAcert.pem
        tls verify peer = ca_and_name
        ldap server require strong auth = allow_sasl_over_tls
        dsdb:schema update allowed = no
        max open files = 32808
        machine password timeout        = 0
        acl allow execute always = True

        # ignore interfaces in samba/register/exclude/interfaces
        bind interfaces only = yes
        interfaces = lo eth0

; ---------------------</10global>------------------------
; ---------------------<smb service configuration>-----------------------

        debug hirestimestamp = yes
        debug pid = yes
; ---------------------</smb service configuration>----------------------


        winbind separator = +
        template shell = /bin/bash
        template homedir = /home/%D-%U

        idmap config * : backend = tdb
        idmap config * : range = 300000-400000

        passwd chat = *New*password* %nn *Re-enter*new*password* %nn *password*changed*

        obey pam restrictions = yes
        encrypt passwords = yes

        ; printing
        load printers = yes
        printing = cups
        printcap name = cups
        spoolss: architecture = Windows NT x86

        ; domain service lookup related settings
        preferred master = yes
        local master = yes
        domain master = yes
        wins support = yes

        ; miscellaneous settings, mostly for file services
        oplocks = yes
        large readwrite = yes
        read raw = yes
        write raw = yes
        max xmit = 65535
        acl:search = no
        host msdfs = yes
        kernel oplocks = yes
        deadtime = 15
        getwd cache = yes
        wide links = no
        store dos attributes = yes
        logon home = \\pdc\%U
        logon drive = I:
        logon path = \\pdc\%U\windows-profiles\%a
        preserve case = yes
        short preserve case = yes

        guest account = nobody
        map to guest = Bad User
        admin users = administrator join-backup


        usershare max shares = 0


; -----------------------------------------------------------------------------------------------------------
        include = /etc/samba/base.conf
        include = /etc/samba/installs.conf

        include = /etc/samba/shares.conf
        include = /etc/samba/printers.conf



        include = /etc/samba/local.conf
[/code]

And from the BDC:

[code]# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warning: This file was generated automatically and may be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
#
#       /etc/univention/templates/files/etc/samba/smb.conf.d/10global
#       /etc/univention/templates/files/etc/samba/smb.conf.d/11univention-smb-service
#       /etc/univention/templates/files/etc/samba/smb.conf.d/21univention-samba_winbind
#       /etc/univention/templates/files/etc/samba/smb.conf.d/31univention-samba_password
#       /etc/univention/templates/files/etc/samba/smb.conf.d/41univention-samba_printing
#       /etc/univention/templates/files/etc/samba/smb.conf.d/51univention-samba_domain
#       /etc/univention/templates/files/etc/samba/smb.conf.d/61univention-samba_misc
#       /etc/univention/templates/files/etc/samba/smb.conf.d/71univention-samba_users
#       /etc/univention/templates/files/etc/samba/smb.conf.d/81univention-quota_scripts
#       /etc/univention/templates/files/etc/samba/smb.conf.d/90univention-samba_user_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/91univention-samba_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/92univention-samba_shares
#       /etc/univention/templates/files/etc/samba/smb.conf.d/95univention-samba_local_config
#       /etc/univention/templates/files/etc/samba/smb.conf.d/99univention-samba_local_shares
#

; ---------------------<10global>------------------------
[global]
    debug level     = 1
    logging         = file
    max log size    = 0

    netbios name    = bdc
    server role     = active directory domain controller
    server string   = Univention Corporate Server
    server services = -dns -smb +s3fs -nbt
    server role check:inhibit = yes
    # use nmbd; to disable set samba4/service/nmb to s4
    nmbd_proxy_logon:cldap_server=127.0.0.1
    workgroup       = FIRMA
    realm           = FIRMA.AT

    tls enabled     = yes
    tls keyfile     = /etc/univention/ssl/bdc.firma.at/private.key
    tls certfile    = /etc/univention/ssl/bdc.firma.at/cert.pem
    tls cafile      = /etc/univention/ssl/ucsCA/CAcert.pem
    tls verify peer = ca_and_name
    ldap server require strong auth = allow_sasl_over_tls
    dsdb:schema update allowed = no
    max open files = 32808
    machine password timeout        = 0
    acl allow execute always = True

    # ignore interfaces in samba/register/exclude/interfaces
    bind interfaces only = yes
    interfaces = lo eth0

; ---------------------</10global>------------------------
; ---------------------<smb service configuration>-----------------------

    debug hirestimestamp = yes
    debug pid = yes

; ---------------------</smb service configuration>----------------------

    winbind separator = +
    template shell = /bin/bash
    template homedir = /home/%D-%U

    idmap config * : backend = tdb
    idmap config * : range = 300000-400000

    passwd chat = *New*password* %nn *Re-enter*new*password* %nn *password*changed*

    obey pam restrictions = yes
    encrypt passwords = yes

    spoolss: architecture = Windows x64

    ; domain service lookup related settings
    preferred master = yes
    local master = yes
    domain master = auto

    ; miscellaneous settings, mostly for file services
    oplocks = yes
    large readwrite = yes
    read raw = yes
    write raw = yes
    max xmit = 65535
    acl:search = no
    host msdfs = yes
    kernel oplocks = yes
    deadtime = 15
    getwd cache = yes
    wide links = no
    store dos attributes = yes
    logon home = \\bdc\%U
    logon drive = I:
    logon path = \\bdc\%U\windows-profiles\%a
    preserve case = yes
    short preserve case = yes

    guest account = nobody
    map to guest = Bad User
    admin users = administrator join-backup


    usershare max shares = 0

; -----------------------------------------------------------------------------------------------------------
include = /etc/samba/base.conf
[/code]

Does anyone have any ideas?

TIA,
Roland.

This looks to me like broken replication; the terminal server's machine password is probably not correct on the DC Backup. Does everything look OK here:

samba-tool drs showrepl
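As an added example (not from this thread or from Univention), a small Python parser for the `samba-tool drs showrepl` output format recommended above, which flags replication neighbors whose last success is `NTTIME(0)` or whose consecutive-failure counter is non-zero. The embedded sample is constructed from the values quoted later in this thread, not captured live.

```python
# Constructed sample modelled on the samba-tool drs showrepl output quoted in this
# thread (partner name, timestamps and failure counter taken from there); not live output.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\PDC
==== INBOUND NEIGHBORS ====
DC=firma,DC=at
        Default-First-Site-Name\\BDC via RPC
                Last attempt @ Thu Feb  2 10:00:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                16475 consecutive failure(s).
                Last success @ NTTIME(0)
==== OUTBOUND NEIGHBORS ====
DC=firma,DC=at
        Default-First-Site-Name\\BDC via RPC
                Last attempt @ Thu Feb  2 10:06:40 2017 CET was successful
                0 consecutive failure(s).
                Last success @ Thu Feb  2 10:06:40 2017 CET
==== KCC CONNECTION OBJECTS ====
"""

def parse_showrepl(text: str) -> list:
    """One record per (direction, partition, partner) block of showrepl output."""
    records, direction, partition, partner, failures = [], None, None, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" NEIGHBORS ===="):      # ==== INBOUND/OUTBOUND NEIGHBORS ====
            direction = line.split()[1]
            continue
        if line.startswith("===="):              # KCC section holds no neighbor state
            direction = None
            continue
        if direction is None or not line:
            continue
        if not raw.startswith(" "):              # unindented: naming context DN
            partition = line
        elif line.endswith(" via RPC"):          # indented once: replication partner
            partner = line[: -len(" via RPC")]
        elif line.endswith("consecutive failure(s)."):
            failures = int(line.split()[0])
        elif line.startswith("Last success @ "):
            records.append({"direction": direction, "partition": partition,
                            "partner": partner, "failures": failures,
                            "last_success": line[len("Last success @ "):]})
    return records

def broken_neighbors(text: str) -> list:
    """Blocks that never replicated (NTTIME(0)) or carry a non-zero failure count."""
    return [r for r in parse_showrepl(text)
            if r["failures"] > 0 or r["last_success"] == "NTTIME(0)"]
```

On a DC, feed it the real output (for example `subprocess.run(["samba-tool", "drs", "showrepl"], capture_output=True, text=True).stdout`) and alert when `broken_neighbors` returns anything; a counter in the tens of thousands with `NTTIME(0)`, as in this thread, means the partition has never replicated.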

Thanks for the hint.

There were indeed problems:

SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT failed: NT_STATUS_INVALID_PARAMETER
Default-First-Site-Name\PDC
DSA Options: 0x00000001
DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
DSA invocationId: b0b438ec-cf30-45da-8978-16c38c367ab5

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=firma,DC=at
        Default-First-Site-Name\BDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:00:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                16285 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=firma,DC=at
        Default-First-Site-Name\BDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:00:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                16284 consecutive failure(s).
                Last success @ NTTIME(0)

DC=firma,DC=at
        Default-First-Site-Name\BDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:00:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                16475 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=firma,DC=at
        Default-First-Site-Name\BDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:00:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                16474 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=firma,DC=at
        Default-First-Site-Name\BDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:00:06 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                16355 consecutive failure(s).
                Last success @ NTTIME(0)

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=firma,DC=at
        Default-First-Site-Name\BDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:01:03 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                780696 consecutive failure(s).
                Last success @ NTTIME(0)

DC=DomainDnsZones,DC=firma,DC=at
        Default-First-Site-Name\BDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:01:04 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                779803 consecutive failure(s).
                Last success @ NTTIME(0)

DC=firma,DC=at
        Default-First-Site-Name\BDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:01:04 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                785903 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=firma,DC=at
        Default-First-Site-Name\BDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:01:04 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                784048 consecutive failure(s).
                Last success @ NTTIME(0)

CN=Configuration,DC=firma,DC=at
        Default-First-Site-Name\BDC via RPC
                DSA object GUID: 11e52d0a-620d-4591-ba4b-ed831cfb2bb9
                Last attempt @ Thu Feb  2 10:01:04 2017 CET failed, result 31 (WERR_GENERAL_FAILURE)
                776157 consecutive failure(s).
                Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 22e7788a-3282-4fcc-81f9-2c5cb9e15cda
        Enabled        : TRUE
        Server DNS name : bdc.firma.at
        Server DN name  : CN=NTDS Settings,CN=BDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=firma,DC=at
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

I then re-joined the DC, and afterwards it looked like this:

Default-First-Site-Name\BDC
DSA Options: 0x00000001
DSA object GUID: b78a2935-c1a0-4479-9eb2-7e19ccd4a09d
DSA invocationId: cb9195e8-a7d5-4397-a068-1bfb01a8a110

==== INBOUND NEIGHBORS ====

CN=Schema,CN=Configuration,DC=firma,DC=at
        Default-First-Site-Name\PDC via RPC
                DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
                Last attempt @ Thu Feb  2 10:06:40 2017 CET was successful
                0 consecutive failure(s).
                Last success @ Thu Feb  2 10:06:40 2017 CET

DC=firma,DC=at
        Default-First-Site-Name\PDC via RPC
                DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
                Last attempt @ Thu Feb  2 10:06:40 2017 CET was successful
                0 consecutive failure(s).
                Last success @ Thu Feb  2 10:06:40 2017 CET

DC=ForestDnsZones,DC=firma,DC=at
        Default-First-Site-Name\PDC via RPC
                DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
                Last attempt @ Thu Feb  2 10:06:40 2017 CET was successful
                0 consecutive failure(s).
                Last success @ Thu Feb  2 10:06:40 2017 CET

DC=DomainDnsZones,DC=firma,DC=at
        Default-First-Site-Name\PDC via RPC
                DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
                Last attempt @ Thu Feb  2 10:06:40 2017 CET was successful
                0 consecutive failure(s).
                Last success @ Thu Feb  2 10:06:40 2017 CET

CN=Configuration,DC=firma,DC=at
        Default-First-Site-Name\PDC via RPC
                DSA object GUID: 30677309-0b5d-4d68-be04-5e86d296de86
                Last attempt @ Thu Feb  2 10:06:40 2017 CET was successful
                0 consecutive failure(s).
                Last success @ Thu Feb  2 10:06:40 2017 CET

==== OUTBOUND NEIGHBORS ====

==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 6c5f5bd4-d705-415d-9b5b-fac75820e6f1
        Enabled        : TRUE
        Server DNS name : pdc.firma.at
        Server DN name  : CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=firma,DC=at
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

So that seems to have fixed the error, as far as I can tell. :slight_smile:

How could this problem have arisen?

Regards,
Roland.

Glad to hear the problem is solved.

As for the cause, one can probably only speculate.
