[Samba] AD domain membership problem

Stephen Roylance sdr at sroylance.com
Sat Jul 7 22:08:38 GMT 2007


Hello, and thanks in advance for any assistance.
I have a linux machine that I'm trying to join to a windows 2003 sp1 
active directory.  The specifics are:
RHEL5, samba version samba-3.0.23c-2.el5.2.0.2
a firewall between this server and the rest of the world (which includes 
the DCs), ports are open for kerberos and CIFS inbound and kerberos, 
CIFS, NTP and UDP oubtound.
this machine (server.sub.domain.org) is in a subdomain of the AD domain 
(domain.org)

I am able to run net ads join -U me createcomputer="/myOU/" and it seems 
to succeed.  net ads testjoin, net ads info, etc all seem to work 
correctly.  When I try to connect remotely or use smbclient locally with 
-U me -W domain.org it fails with
"session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE"
and I see errors like:
[2007/07/07 17:50:54, 0] 
rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(2673)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from 
server DC1.DOMAIN.ORG for domain DOMAIN.
[2007/07/07 17:50:54, 0] 
auth/auth_domain.c:connect_to_domain_password_server(112)
  connect_to_domain_password_server: unable to open the domain client 
session to machine DC1.DOMAIN.ORG. Error was : NT_STATUS_ACCESS_DENIED.
[2007/07/07 17:50:54, 0] auth/auth_domain.c:domain_client_validate(206)
  domain_client_validate: Domain password server not available.

running net ads changetrustpw hangs and never returns.
I've tried dropping and re-joining the machine to the domain many times, 
every now and then it fails, but usually succeeds, but still does not 
allow connections using domain credentials.

Any suggestions appreciated
-Steve


More information about the samba mailing list