[Samba] Strange problem with Samba as AD member
saddam abu ghaida
saddam.abughaida at gmail.com
Fri Feb 12 03:18:15 MST 2010
The cause of the problem could be
Kerberos clock skew ("Kerberos server time vs. the machines' time").
On Thu, May 28, 2009 at 11:12 AM, Masopust, Christian
<christian.masopust at siemens.com> wrote:
> Dear all,
>
> I've a real strange problem with one of my Samba-servers. Most of the time a lot of users get the message
> about "trust relationship failure" when trying to access the share on this server. Below you find part of a log
> where the user can access the share and a few seconds later it's no longer possible. "net ads testjoin" shows
> that join of the samba-server is still valid, removing and rejoining the server from AD didn't help.
>
> Some additional information:
> - samba-server and users facing this problem are located on a remote site (with its own DC)
> - access to another samba-server at the remote site for users facing the problem works at any time!
> - access to the share on the samba-server having the problems from my site (different DC) works at any time!
>
>
> [2009/05/28 10:49:57, 1, pid=31019, effective(0, 0), real(0, 0)] smbd/sesssetup.c:reply_spnego_kerberos(474)
> Username WW300\SK16963C$ is invalid on this system
> [2009/05/28 10:49:57, 1, pid=31019, effective(0, 0), real(0, 0)] smbd/session.c:session_claim(112)
> Re-using invalid record
> [2009/05/28 10:49:57, 1, pid=31019, effective(51043, 2700), real(0, 0)] smbd/service.c:make_connection_snum(1111)
> sk16963c (::ffff:163.242.60.65) connect to service views_copl initially as user sk1u04w8 (uid=51043, gid=2700) (pid 31019)
> [2009/05/28 10:50:06, 1, pid=31019, effective(0, 0), real(0, 0)] smbd/service.c:close_cnum(1323)
> sk16963c (::ffff:163.242.60.65) closed connection to service views_copl
> [2009/05/28 10:50:07, 0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
> cli_rpc_pipe_open_schannel: failed to get schannel session key from server SKZAAM100A.WW300.SIEMENS.NET for domain WW300.
> [2009/05/28 10:50:07, 0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
> connect_to_domain_password_server: unable to open the domain client session to machine SKZAAM100A.WW300.SIEMENS.NET. Error was : NT_STATUS_ACCESS_DENIED.
> [2009/05/28 10:50:07, 0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
> cli_rpc_pipe_open_schannel: failed to get schannel session key from server SKZAAM100A.WW300.SIEMENS.NET for domain WW300.
> [2009/05/28 10:50:07, 0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
> connect_to_domain_password_server: unable to open the domain client session to machine SKZAAM100A.WW300.SIEMENS.NET. Error was : NT_STATUS_ACCESS_DENIED.
>
> any idea what can cause this problem?
>
> thanks a lot,
> christian
>
> p.s.: here's the global-section of my smb.conf
>
> # Global parameters
> [global]
> workgroup = WW300
> netbios name = SK16822C
> server string = Samba %v CC-View-Server
> security = ADS
> realm = WW300.SIEMENS.NET
> password server = *
> client use spnego = yes
> username map = /etc/samba/smbusers
> smb ports = 139
> log file = /var/log/samba/log.%m
> debug pid = Yes
> debug uid = Yes
> name resolve order = host wins bcast
> deadtime = 15
> machine password timeout = 0
> os level = 0
> preferred master = No
> local master = No
> domain master = No
> browse list = No
> dns proxy = No
> wins support = No
> wins server = <ip-of wins-server>
> ldap ssl = no
> eventlog list = Security, Application, Syslog, Apache
> utmp = Yes
> idmap uid = 200000-230000
> idmap gid = 50000-60000
> template homedir = /home/%U
> template shell = /bin/bash
> winbind enum users = Yes
> winbind enum groups = Yes
> winbind use default domain = Yes
> hide dot files = No
> dos filetime resolution = Yes
> fake directory create times = Yes
> host msdfs = no
> msdfs root = no
> load printers = no
> printing = bsd
> browsable = no
> restrict anonymous = 2
> null passwords = no
> guest account = nobody
> kernel oplocks = No
> oplocks = No
> level2 oplocks = No
>
>
>
>
> ___________________________________________________________
>
> Christian Masopust
>
> SIEMENS AG SIS SDE SVI CON IPB
> Tel: +43 (0) 5 1707 26866
> E-mail: christian.masopust at siemens.com
> Addr: Austria, 1210 Vienna, Siemensstraße 90-92, B. 33, Rm. 243
>
> Leader of the RUGA <http://www.rational-ug.org/groups.php?groupid=119>
>
> Firma: Siemens Aktiengesellschaft Österreich, Rechtsform: Aktiengesellschaft,
> Sitz: Wien, Firmenbuchnummer: FN 60562 m,
> Firmenbuchgericht: Handelsgericht Wien, DVR 0001708
> ___________________________________________________________
>
>
>
>
>
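One way to test the clock-skew hypothesis raised in the reply, as an added example that is not part of the original thread: the Python script below sends a single SNTP query to a domain controller and compares the measured offset with the 300-second default Kerberos tolerance. It assumes the DC answers NTP on UDP port 123; the host name passed on the command line, the helper names and the `make_reply` sample packet are constructed for illustration.

```python
import socket
import struct
import sys
import time

NTP_EPOCH_DELTA = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_SKEW = 300                 # default Kerberos clock-skew tolerance, in seconds

def build_request():
    # First byte 0x1b: LI=0, VN=3, Mode=3 (client); the other 47 bytes are zero.
    return b"\x1b" + 47 * b"\x00"

def _timestamp(data, offset):
    # 64-bit NTP timestamp: 32-bit seconds + 32-bit fraction, big-endian.
    sec, frac = struct.unpack("!II", data[offset:offset + 8])
    return sec - NTP_EPOCH_DELTA + frac / 2**32

def clock_offset(reply, t_send, t_recv):
    """Return (server clock - local clock) in seconds from a 48-byte reply."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    if reply[0] & 0x07 != 4:
        raise ValueError("not an NTP server reply")
    if reply[1] == 0:
        raise ValueError("stratum 0: server reports it is not synchronised")
    t_rx = _timestamp(reply, 32)   # when the server received the request
    t_tx = _timestamp(reply, 40)   # when the server sent the reply
    return ((t_rx - t_send) + (t_tx - t_recv)) / 2

def within_tolerance(offset, limit=MAX_SKEW):
    return abs(offset) <= limit

def query_dc(host, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t_send = time.time()
        s.sendto(build_request(), (host, 123))
        reply, _ = s.recvfrom(512)
        t_recv = time.time()
    return clock_offset(reply, t_send, t_recv)

def make_reply(server_time):
    # Constructed sample reply (VN=4, Mode=4, stratum 2) for offline checks.
    sec = int(server_time) + NTP_EPOCH_DELTA
    ts = struct.pack("!II", sec, int((server_time % 1) * 2**32))
    return bytes([0x24, 2]) + 30 * b"\x00" + ts + ts

if __name__ == "__main__" and len(sys.argv) > 1:
    skew = query_dc(sys.argv[1])   # e.g. the DC named in the smbd log
    verdict = "OK" if within_tolerance(skew) else "exceeds Kerberos tolerance"
    print(f"offset to {sys.argv[1]}: {skew:+.3f} s ({verdict})")
```

Run it on the Samba server against each DC it may contact, since `password server = *` lets Samba pick any of them.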