[Samba] Strange problem with Samba as AD member

Masopust, Christian christian.masopust at siemens.com
Thu May 28 09:12:09 GMT 2009


Dear all,
 
I've a really strange problem with one of my Samba servers.  Most of the time a lot of users get the message
about "trust relationship failure" when trying to access the share on this server.  Below you find part of a log
where the user can access the share and a few seconds later it's no longer possible. "net ads testjoin" shows
that the join of the samba-server is still valid; removing and rejoining the server from AD didn't help.
 
Some additional information:
- samba-server and users facing this problem are located on a remote site (with its own DC)
- access to another samba-server at the remote site for users facing the problem works at any time!
- access to the share on the samba-server having the problems from my site (different DC) works at any time!
 
 
[2009/05/28 10:49:57,  1, pid=31019, effective(0, 0), real(0, 0)] smbd/sesssetup.c:reply_spnego_kerberos(474)
  Username WW300\SK16963C$ is invalid on this system
[2009/05/28 10:49:57,  1, pid=31019, effective(0, 0), real(0, 0)] smbd/session.c:session_claim(112)
  Re-using invalid record
[2009/05/28 10:49:57,  1, pid=31019, effective(51043, 2700), real(0, 0)] smbd/service.c:make_connection_snum(1111)
  sk16963c (::ffff:163.242.60.65) connect to service views_copl initially as user sk1u04w8 (uid=51043, gid=2700) (pid 31019)
[2009/05/28 10:50:06,  1, pid=31019, effective(0, 0), real(0, 0)] smbd/service.c:close_cnum(1323)
  sk16963c (::ffff:163.242.60.65) closed connection to service views_copl
[2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server SKZAAM100A.WW300.SIEMENS.NET for domain WW300.
[2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
  connect_to_domain_password_server: unable to open the domain client session to machine SKZAAM100A.WW300.SIEMENS.NET. Error was : NT_STATUS_ACCESS_DENIED.
[2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server SKZAAM100A.WW300.SIEMENS.NET for domain WW300.
[2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
  connect_to_domain_password_server: unable to open the domain client session to machine SKZAAM100A.WW300.SIEMENS.NET. Error was : NT_STATUS_ACCESS_DENIED.

Any idea what can cause this problem?
 
thanks a lot,
christian
 
p.s.: here's the global-section of my smb.conf
 
# Global parameters
[global]
        workgroup = WW300
        netbios name = SK16822C
        server string = Samba %v CC-View-Server
        security = ADS
        realm = WW300.SIEMENS.NET
        password server = *
        client use spnego = yes
        username map = /etc/samba/smbusers
        smb ports = 139
        log file = /var/log/samba/log.%m
        debug pid = Yes
        debug uid = Yes
        name resolve order = host wins bcast
        deadtime = 15
        machine password timeout = 0
        os level = 0
        preferred master = No
        local master = No
        domain master = No
        browse list = No
        dns proxy = No
        wins support = No
        wins server = <ip-of wins-server>
        ldap ssl = no
        eventlog list = Security, Application, Syslog, Apache
        utmp = Yes
        idmap uid = 200000-230000
        idmap gid = 50000-60000
        template homedir = /home/%U
        template shell = /bin/bash
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        hide dot files = No
        dos filetime resolution = Yes
        fake directory create times = Yes
        host msdfs = no
        msdfs root = no
        load printers = no
        printing = bsd
        browsable = no
        restrict anonymous = 2
        null passwords = no
        guest account = nobody
        kernel oplocks = No
        oplocks = No
        level2 oplocks = No
 
 
 

___________________________________________________________

        Christian Masopust

        SIEMENS AG  SIS SDE SVI CON IPB
        Tel:   +43 (0) 5 1707 26866
        E-mail: christian.masopust at siemens.com
        Addr: Austria, 1210 Vienna, Siemensstraße 90-92, B. 33, Rm. 243

        Leader of the RUGA <http://www.rational-ug.org/groups.php?groupid=119> 

        Company: Siemens Aktiengesellschaft Österreich, Legal form: Aktiengesellschaft (stock corporation), 
        Registered office: Vienna, Commercial register number: FN 60562 m, 
        Commercial register court: Handelsgericht Wien, DVR 0001708 
        ___________________________________________________________
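
Added example (not part of the original post, and not Samba project code): with "password server = *" Samba picks the domain controller itself, so a useful first step is to tally the level-0 secure-channel failures per DC and per smbd pid from a log in the layout shown above. The sample log is constructed, and its host, domain, share and user names are placeholders.

```python
import re
from collections import Counter

# Header layout produced with "debug pid = Yes" and "debug uid = Yes",
# matching the excerpt in the post.
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s+(?P<level>\d+), pid=(?P<pid>\d+), "
    r"effective\(\d+, \d+\), real\(\d+, \d+\)\] \S+:(?P<func>\w+)\(\d+\)\s*$")
DC = re.compile(r"(?:from server|to machine) ([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)")
STATUS = re.compile(r"NT_STATUS_\w+")

def parse_records(text):
    """Join each header line with its indented message line(s)."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def trust_failures(records):
    """Count level-0 secure-channel failures per (DC, reason); collect the smbd pids."""
    counts, pids = Counter(), set()
    for r in records:
        dc = DC.search(r["msg"])
        if not dc or r["level"] != "0":
            continue
        status = STATUS.search(r["msg"])
        reason = status.group(0) if status else "no schannel session key"
        counts[(dc.group(1).upper(), reason)] += 1
        pids.add(int(r["pid"]))
    return counts, pids

# Constructed sample in the same layout; all names and addresses are placeholders.
SAMPLE = """\
[2009/05/28 10:49:57,  1, pid=4001, effective(1000, 100), real(0, 0)] smbd/service.c:make_connection_snum(1111)
  client1 (::ffff:192.0.2.10) connect to service share1 initially as user alice (uid=1000, gid=100) (pid 4001)
[2009/05/28 10:50:07,  0, pid=4002, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server DC1.EXAMPLE.TEST for domain EXAMPLE.
[2009/05/28 10:50:07,  0, pid=4002, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
  connect_to_domain_password_server: unable to open the domain client session to machine DC1.EXAMPLE.TEST. Error was : NT_STATUS_ACCESS_DENIED.
"""

if __name__ == "__main__":
    counts, pids = trust_failures(parse_records(SAMPLE))
    for (dc, reason), n in sorted(counts.items()):
        print(f"{dc}: {reason} x{n}")
    print("failing smbd pids:", sorted(pids))
```

If every failure names the same DC while sessions authenticated elsewhere succeed, the fault is more likely on that DC's view of the machine account than in the share configuration.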



 

