[Samba] Domain password server not available

Agostini, Cesar cesar.agostini at lmco.com
Fri Nov 2 14:17:53 GMT 2007


Hello,

In our environment we've had SAMBA 3.0.21b joined to a Windows 2003
domain forest as a member server (configured with SECURITY = DOMAIN) for
a couple of years with no problem. Just recently the SAMBA server seems to
be losing connection to the Windows domain controllers. We are able to
re-establish the trust (re-join samba server to domain) successfully.
However after a few successful user connections the trust link
immediately breaks with the message below.

auth/auth_domain.c:domain_client_validate(345)
domain_client_validate: Domain password server not available.
auth/auth.c:check_ntlm_password(456)
check_ntlm_password: Authentication for user [abc] -> [abc] FAILED with
error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
smbd/server.c:exit_server(987)
Closing connections

There are numerous posts elsewhere but none really seem to apply to our
scenario. There have been no configuration changes on the SAMBA
side. Is it possible that an MS patch, Service Pack or perhaps a
security policy recently applied to a particular DC is causing this?
(Since we have multiple DCs for multiple domains in our environment we
have "password server = *" in the smb.conf). On the client side (Windows
XP SP1 clients) the Windows security policies (currently enforced by
means of GPOs) are these: 

- Domain Member: Digitally encrypt secure channel data (when possible)
set to Enabled 
- Domain Member: Digitally sign secure channel data (when possible) set
to Enabled
- Microsoft Network Client: Digitally sign communications (if server
agrees) set to Enabled
- Network Security: LAN Manager Authentication level set to "Send NTLMv2
response only"

Interestingly enough the above policies are NOT YET implemented or
enforced on the DCs which makes me think we are looking at an issue
within the DCs themselves and not with the security policies applied on
the clients?

Should we point to a specific DC instead of all ("password server = *")
in order to pin-point this issue to a particular domain controller or is
that not really the issue? Should we focus on some other specific smb.conf
setting to match the above security policies perhaps? Any feedback is
really appreciated.
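
Added example (not part of the original post, and not Samba project code): a small triage script that reads smbd log entries like the ones quoted above and reports when the trust first failed, how many logons were accepted before that, and which users were rejected, so the break can be lined up against changes on a particular DC. The timestamp header format and the sample log are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumption: entries start "[YYYY/MM/DD HH:MM:SS, level] file.c:func(line)" (prefix not shown in the post).
HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)[^\]]*\]\s+(?P<src>\S+\.c:\w+\(\d+\))")
AUTH_FAIL = re.compile(r"user \[(?P<user>[^\]]*)\].*FAILED with error (?P<status>NT_STATUS_\w+)")
AUTH_OK = re.compile(r"user \[[^\]]*\].*succeeded")
TRUST_FAILURE = "NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE"

# Constructed sample log, not taken from a real server.
SAMPLE = """\
[2007/11/02 14:10:05, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [alice] -> [alice] -> [alice] succeeded
[2007/11/02 14:11:40, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [bob] -> [bob] -> [bob] succeeded
[2007/11/02 14:17:53, 0] auth/auth_domain.c:domain_client_validate(345)
  domain_client_validate: Domain password server not available.
[2007/11/02 14:17:53, 2] auth/auth.c:check_ntlm_password(456)
  check_ntlm_password: Authentication for user [abc] -> [abc] FAILED with
  error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2007/11/02 14:18:10, 2] auth/auth.c:check_ntlm_password(456)
  check_ntlm_password: Authentication for user [bob] -> [bob] FAILED with
  error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
"""

def parse_entries(text):
    """Join each header line with its (possibly wrapped) message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m["ts"], "src": m["src"], "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def summarize(text):
    """Report when the trust first failed, logons accepted before that, and users hit."""
    first_failure, ok_before, no_dc, users = None, 0, 0, Counter()
    for e in parse_entries(text):
        if "Domain password server not available" in e["msg"]:
            no_dc += 1
        fail = AUTH_FAIL.search(e["msg"])
        if fail and fail["status"] == TRUST_FAILURE:
            users[fail["user"]] += 1
            first_failure = first_failure or e["ts"]
        elif first_failure is None and AUTH_OK.search(e["msg"]):
            ok_before += 1
    return {"first_failure": first_failure, "ok_before": ok_before, "no_dc": no_dc, "users": dict(users)}
```

Successful logons are only logged at a higher smbd log level, so the count before the first failure is meaningful only if the log level was raised for the test window.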


