[Samba] Domain trust between Samba 3.5.9 and Windows 2008 Active Directory crashes lsass.exe which makes AD Domain Controller reboot

Tim Wright Tim.W at gordian.co.uk
Wed Jul 27 10:26:10 MDT 2011


Trying to set up a one way trust between a 2008 Active Directory domain 
and a Samba 3.5.9 server which is configured as a PDC. 

There is already an existing trust between AD and an NT4 domain so AD has 
been configured to support NTLM authentication (see below for full 

With no domain trust, using smbclient either anonymously or with a valid 
user on the DC (e.g. Administrator) works ok,. 

When a domain trust is created as follows: 

On samba server 
net rpc trustdom add AD <password> 
pdbedit -Lw ad\$ shows that the trust account is set up correctly (i.e. I 
appearing in the square brackets ) 
net rpc trustdom list shows the domain trust is ok 

On AD DC: 
Add new trust for the Samba domain in the normal way using the trust 
password above 
This validates ok. 

Now smbclient -U% still ok but smbclient -UAdministrator causes the DC to 
When it comes back up, the following appears in the Application Eventlog: 

Log Name:      Application 
Source:        Application Error 
Date:          27/07/2011 16:25:07 
Event ID:      1000 
Task Category: (100) 
Level:         Error 
Keywords:      Classic 
User:          N/A 
Computer:      LIVEDC.ad.gordian.co.uk 
Faulting application lsass.exe, version 6.0.6002.18005, time stamp 
0x49e01c84, faulting module ntdll.dll, version 6.0.6002.18005, time stamp 
0x49e02d47, exception code 0x80000003, fault offset 0x000348d8, process id 
0x244, application start time 0x01cc41619f198970. 
Event Xml: 
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
    <Provider Name="Application Error" /> 
    <EventID Qualifiers="0">1000</EventID> 
    <TimeCreated SystemTime="2011-07-27T15:25:07.000Z" /> 
    <Security /> 

followed by 

Log Name:      Application 
Source:        Microsoft-Windows-Wininit 
Date:          27/07/2011 16:25:20 
Event ID:      1015 
Task Category: None 
Level:         Error 
Keywords:      Classic 
User:          N/A 
Computer:      LIVEDC.ad.gordian.co.uk 
A critical system process, C:\Windows\system32\lsass.exe, failed with 
status code 255.  The machine must now be restarted. 
Event Xml: 
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
    <Provider Name="Microsoft-Windows-Wininit" 
Guid="{206f6dea-d3c5-4d10-bc72-989f03c8b84b}" EventSourceName="Wininit" /> 

    <EventID Qualifiers="49152">1015</EventID> 
    <TimeCreated SystemTime="2011-07-27T15:25:20.000Z" /> 
    <Correlation /> 
    <Execution ProcessID="0" ThreadID="0" /> 
    <Security /> 

Here's the smb.conf with comments stripped: 


   workgroup = CTGDOMAIN 

   server string = Samba 3.5.9 Server PDC 

   security = user 

   hosts allow = 192.168.56. 192.168.153. 127. 

   load printers = no 

   log file = /opt/samba/var/log.%m 

   max log size = 50 

    interfaces = e1000g0 lo* 
    bind interfaces only = yes 
   local master = yes 

   domain master = yes 

   preferred master = yes 

   domain logons = yes 

   logon path = \\%L\Profiles\%U 

   wins support = yes 
   name resolve order = lmhosts wins hosts broadcast 

   dns proxy = no 

  add user script = /usr/sbin/useradd %u 
  add group script = /usr/sbin/groupadd %g 
  add machine script = /usr/sbin/useradd -g machines -c Machine -d 
/dev/null -s /bin/false %u 
  delete user script = /usr/sbin/userdel %u 
  delete user from group script = /usr/sbin/userdel %u %g 
  delete group script = /usr/sbin/groupdel %g 

   comment = Home Directories 
   browseable = no 
   writable = yes 

   comment = Network Logon Service 
   path = /opt/samba/lib/netlogon 
   guest ok = yes 
   writable = no 
   share modes = no 

    path = /opt/samba/profiles 
    browseable = no 
    guest ok = yes 

Has anyone else seen this issue or have any ideas about the best way to 



P.S. AD policy configuration 

  Network access: Allow anonymous SID/Name translation  ENABLED 
  Network access: Do not allow anonymous enumeration of SAM accounts    
  Network access: Do not allow anonymous enumeration of SAM accounts and 
shares          DISABLED 
  Network access: Let Everyone permissions apply to anonymous users    
  Network access: Named pipes can be accessed anonymously  ENABLED 
  Network access: Restrict anonymous access to Named Pipes and shares    
  Network security: LAN Manager authentication level  "Send NTLM response 
  Microsoft network client: Digitally sign communications (always)      
  Microsoft network client: Digitally sign communications (if server 
agrees)                    ENABLED 
  Microsoft network server: Digitally sign communications (always)    
  Microsoft network server: Digitally sign communications (if client 
agrees)                    ENABLED 
  Domain member: Digitally encrypt or sign secure channel data (always)    
  Domain member: Digitally encrypt secure channel data (when it is 
possible)                    ENABLED 
  Domain member: Digitally sign secure channel data (when it is possible)  
  Domain member: Require strong (Windows 2000 or later) session key     

Also have enabled the "Allow cryptography algorithms compatible with 
Windows NT 4.0" policy 
For further information on Gordian Knot Limited ("Gordian") and/or Theta Corporation ("Theta") please visit our website at http://www.gordian.co.uk or call +44 20 7290 9901. 

The contents of this email and any attachments are confidential and may also be privileged.  If you are not the intended recipient of this e-mail you may not copy, forward, disclose or otherwise use any part of it or any attachment in any way or in any form whatsoever.  If you have received this message in error, please notify the sender immediately by telephone or return e-mail and delete it and any attachment(s) from your system. 

Gordian is a company registered in England with company number 2853833 at the following address Lansdowne House, Berkeley Square, London, W1J 6AB, England. 

In accordance with the FSA's Rules Theta is Gordian's client.  Gordian does not have a client relationship with any other person and does not owe regulatory duties to any other person under the Conduct of Business Rules or other parts of the FSA's Rules.  Gordian is not responsible to you for providing the same protections as those afforded to Theta, or for providing advice in relation to investing in Theta.

More information about the samba mailing list