[Samba] Strange problem with Samba as AD member

[saddam abu ghaida]

the problem cause could be
 kerberos clock skew "kerberos server time vs. and machines time"




On Thu, May 28, 2009 at 11:12 AM, Masopust, Christian
<christian.masopust at siemens.com> wrote:
> Dear all,
>
> I've a real strange problem with one of my Samba-servers.  Most of the time a lot of users get the message
> about "trust relationship failure" when trying to access the share on this server.  Below you find part of a log
> where the user can access the share and a few seconds later it's no longer possible. "net ads testjoin" shows
> that join of the samba-server is still valid, removing and rejoining the server from AD didn't help.
>
> Some additional information:
> - samba-server and users facing this problem are located on a remote site (with its own DC)
> - access to another samba-server at the remote site for users facing the problem works at any time!
> - access to the share on the samba-server having the problems from my site (different DC) works at any time!
>
>
> [2009/05/28 10:49:57,  1, pid=31019, effective(0, 0), real(0, 0)] smbd/sesssetup.c:reply_spnego_kerberos(474)
>  Username WW300\SK16963C$ is invalid on this system
> [2009/05/28 10:49:57,  1, pid=31019, effective(0, 0), real(0, 0)] smbd/session.c:session_claim(112)
>  Re-using invalid record
> [2009/05/28 10:49:57,  1, pid=31019, effective(51043, 2700), real(0, 0)] smbd/service.c:make_connection_snum(1111)
>  sk16963c (::ffff:163.242.60.65) connect to service views_copl initially as user sk1u04w8 (uid=51043, gid=2700) (pid 31019)
> [2009/05/28 10:50:06,  1, pid=31019, effective(0, 0), real(0, 0)] smbd/service.c:close_cnum(1323)
>  sk16963c (::ffff:163.242.60.65) closed connection to service views_copl
> [2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
>  cli_rpc_pipe_open_schannel: failed to get schannel session key from server SKZAAM100A.WW300.SIEMENS.NET for domain WW300.
> [2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
>  connect_to_domain_password_server: unable to open the domain client session to machine SKZAAM100A.WW300.SIEMENS.NET. Error was : NT_STATUS_ACCESS_DENIED.
> [2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
>  cli_rpc_pipe_open_schannel: failed to get schannel session key from server SKZAAM100A.WW300.SIEMENS.NET for domain WW300.
> [2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
>  connect_to_domain_password_server: unable to open the domain client session to machine SKZAAM100A.WW300.SIEMENS.NET. Error was : NT_STATUS_ACCESS_DENIED.
>
> any idea what can cause this problem?
>
> thanks a lot,
> christian
>
> p.s.: here's the global-section of my smb.conf
>
> # Global parameters
> [global]
>        workgroup = WW300
>        netbios name = SK16822C
>        server string = Samba %v CC-View-Server
>        security = ADS
>        realm = WW300.SIEMENS.NET
>        password server = *
>        client use spnego = yes
>        username map = /etc/samba/smbusers
>        smb ports = 139
>        log file = /var/log/samba/log.%m
>        debug pid = Yes
>        debug uid = Yes
>        name resolve order = host wins bcast
>        deadtime = 15
>        machine password timeout = 0
>        os level = 0
>        preferred master = No
>        local master = No
>        domain master = No
>        browse list = No
>        dns proxy = No
>        wins support = No
>        wins server = <ip-of wins-server>
>        ldap ssl = no
>        eventlog list = Security, Application, Syslog, Apache
>        utmp = Yes
>        idmap uid = 200000-230000
>        idmap gid = 50000-60000
>        template homedir = /home/%U
>        template shell = /bin/bash
>        winbind enum users = Yes
>        winbind enum groups = Yes
>        winbind use default domain = Yes
>        hide dot files = No
>        dos filetime resolution = Yes
>        fake directory create times = Yes
>        host msdfs = no
>        msdfs root = no
>        load printers = no
>        printing = bsd
>        browsable = no
>        restrict anonymous = 2
>        null passwords = no
>        guest account = nobody
>        kernel oplocks = No
>        oplocks =No
>        level2 oplocks = No
>
>
>
>
> ___________________________________________________________
>
>        Christian Masopust
>
>        SIEMENS AG  SIS SDE SVI CON IPB
>        Tel:   +43 (0) 5 1707 26866
>        E-mail: christian.masopust at siemens.com
>        Addr: Austria, 1210 Vienna, Siemensstraße 90-92, B. 33, Rm. 243
>
>        Leader of the RUGA <http://www.rational-ug.org/groups.php?groupid=119>
>
>        Firma: Siemens Aktiengesellschaft Österreich, Rechtsform: Aktiengesellschaft,
>        Sitz: Wien, Firmenbuchnummer: FN 60562 m,
>        Firmenbuchgericht: Handelsgericht Wien, DVR 0001708
>        ___________________________________________________________
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>