When Windows clients lose their trust relationship to the domain

Recommendations for handling Bug 43786 (Clients lose their trust relationship to the domain):

In case a Windows client shows the error message “The trust relationship between this workstation and the primary domain failed”, please collect information about the affected Windows client: download the script from https://forge.univention.org/bugzilla/attachment.cgi?id=8900 and run it as root on the UCS Samba/AD DC that the client uses as %LOGONSERVER%, giving the short name of the client as argument:

1. Download and execute the script

wget https://forge.univention.org/bugzilla/attachment.cgi?id=8900 -O collect_windowsclient_info.sh
chmod 755 collect_windowsclient_info.sh
./collect_windowsclient_info.sh  <short-windows-client-hostname>

The information is logged into a file named -.log
Please send the data in encrypted format, as described in http://sdb.univention.de/1344

2. Rejoin the client

To make the client work again, simply rejoin the client as usual.

3. Reproduce the issue

If possible, it would be great to collect more information about the issue. To make the problem reproducible in a short time, it helps to trigger the machine password change every day (or every other day) instead of every 30 days. This can be achieved by setting the following registry value locally on the affected Windows client:

Log in as Administrator on the affected Windows client.
Start regedit (e.g. via Windows-R), open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Netlogon\Parameters and double-click MaximumPasswordAge. Change the value to 1 and hit OK. The value is the machine password age in days (default 30; use 2 for every other day); note the old value so it can be restored once the debugging session is over.

Next, raise the Samba debug level of the UCS Samba/AD domain controllers to 4 and restart Samba. Note the current value first (ucr get samba/debug/level) so it can be restored afterwards, then run the following line on each of the UCS Samba/AD DCs that are reachable for the Windows client:

ucr set samba/debug/level=4; /etc/init.d/samba restart

If the affected Windows client is joined to a UCS@school Slave Server (i.e. not to the central department), it is enough to raise the debug level on the UCS@school Slave DCs responsible for that school location.

Next, it would be optimal if the network traffic between the affected client and the UCS Samba/AD DC could be monitored for the next 6 days. This can be achieved by downloading the following script to the corresponding UCS Samba/AD DCs:

wget https://forge.univention.org/bugzilla/attachment.cgi?id=8901 -O log_client_communication.sh

Please start a screen session on the DC and run the script interactively like this:

chmod 755 log_client_communication.sh
./log_client_communication.sh  <short-windows-client-hostname>

Leave the script running for a couple of days until the client loses its domain membership again. Keep an eye on the available disk space during that time, as the capture grows continuously. After the issue has happened again for that client, the script can be stopped with the key combination (or on a German keyboard). When receiving this signal, the script stores all data in a tar.bz2 archive file and prints an explanation of how to send that data as an encrypted file.

Please also collect the information about the Windows client once again:

./collect_windowsclient_info.sh  <short-windows-client-hostname>

The information is logged into a file named -.log
Please send the data in encrypted format, as described in http://sdb.univention.de/1344
After this, the Samba log level needs to be reduced again on every DC where it was raised (unsetting the variable restores the package default; if a custom value was set before, set that value instead):

ucr unset samba/debug/level; /etc/init.d/samba restart

Finally, the Event Viewer logs (in particular the System log, where the NETLOGON source records the trust failure) should be collected from the Windows client, as well as the Samba log files from the %LOGONSERVER%.
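As an added illustration of what steps 1 and 3 gather on the DC side (this is example code written for this page, not Univention's collect_windowsclient_info.sh or log_client_communication.sh; the sam.ldb path, the 100 MB capture rotation and the 500 MB free-space threshold are assumptions), the following helper records the pwdLastSet of the client's computer account before and after a capture, records all traffic between client and DC with tcpdump, watches the free disk space, and packs everything into a tar.bz2 archive when stopped with Ctrl-C. The pwdLastSet conversion is the useful part for the diagnosis: it shows whether the DC saw the machine password change that the client believes it made.

```shell
#!/bin/bash
# Added example (not Univention's own scripts): capture helper for a UCS
# Samba/AD DC. Assumptions: the Samba AD database is at
# /var/lib/samba/private/sam.ldb; tcpdump, ldbsearch, getent, tar and
# GNU date are installed; the script runs as root on the %LOGONSERVER%.
set -u

SAM_LDB=/var/lib/samba/private/sam.ldb   # assumed location of the Samba AD database
MIN_FREE_MB=500                          # assumed threshold: stop capturing below this

# Convert a Windows FILETIME (100-ns intervals since 1601-01-01), as stored in
# pwdLastSet, to a Unix timestamp. 11644473600 seconds separate the two epochs.
filetime_to_unix() {
    echo $(( $1 / 10000000 - 11644473600 ))
}

# Whole days elapsed between two Unix timestamps (later value first).
days_between() {
    echo $(( ($1 - $2) / 86400 ))
}

# Return 0 if the filesystem holding $1 has at least $2 MB free, 1 otherwise.
enough_space() {
    free_kb=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "$(( free_kb / 1024 ))" -ge "$2" ]
}

# Look up the computer account of the client ("<hostname>$") in sam.ldb and
# report when its machine password was last set on this DC.
report_machine_password() {
    pwd_last_set=$(ldbsearch -H "$SAM_LDB" "(sAMAccountName=$1\$)" pwdLastSet \
                   | awk -F': ' '/^pwdLastSet:/ {print $2}')
    if [ -z "$pwd_last_set" ]; then
        echo "no computer account $1\$ found in $SAM_LDB"
        return 1
    fi
    changed=$(filetime_to_unix "$pwd_last_set")
    echo "pwdLastSet of $1\$: $pwd_last_set ($(date -u -d "@$changed" +%FT%TZ)), $(days_between "$(date +%s)" "$changed") days ago"
}

capture() {
    client=$1
    ip=$(getent hosts "$client" | awk '{print $1; exit}')
    [ -n "$ip" ] || { echo "cannot resolve $client" >&2; return 1; }
    outdir=$(mktemp -d "/var/tmp/${client}_capture.XXXXXX")
    report_machine_password "$client" | tee "$outdir/pwdLastSet_before.txt"

    # Rotate the pcap every 100 MB so a single file never grows unbounded;
    # everything to and from the client is kept (Kerberos, LDAP, RPC, SMB).
    tcpdump -i any -w "$outdir/${client}.pcap" -C 100 host "$ip" &
    tcpdump_pid=$!
    # Background jobs ignore the terminal's SIGINT, so Ctrl-C is forwarded
    # to tcpdump as SIGTERM, which makes it flush and close the pcap cleanly.
    trap 'kill $tcpdump_pid 2>/dev/null' INT TERM

    while kill -0 "$tcpdump_pid" 2>/dev/null; do
        if ! enough_space "$outdir" "$MIN_FREE_MB"; then
            echo "less than ${MIN_FREE_MB} MB free on $outdir, stopping capture" >&2
            kill "$tcpdump_pid"
        fi
        sleep 60
    done
    wait "$tcpdump_pid" 2>/dev/null

    report_machine_password "$client" | tee "$outdir/pwdLastSet_after.txt"
    archive="/var/tmp/${client}_communication_$(date +%Y%m%d%H%M).tar.bz2"
    tar cjf "$archive" -C "$(dirname "$outdir")" "$(basename "$outdir")"
    echo "capture stored in $archive; encrypt it as described in http://sdb.univention.de/1344 before sending"
}

# Only start capturing when a client name is given, so the functions above
# can also be sourced and reused on their own.
if [ $# -ge 1 ]; then
    capture "$1"
fi
```

Run it inside a screen session as root, e.g. `./capture_client.sh <short-windows-client-hostname>`, and stop it with Ctrl-C once the client has lost its domain membership again. Comparing the pwdLastSet values from before and after with the client's own password-change attempts (Event Viewer, System log) shows whether the DC that answered the client actually stored the new machine password.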
