[Samba] Need urgent help. trust relationship problem during authentication

Kathy banshee135 at gmail.com
Wed Mar 23 21:05:16 MDT 2011


We have an urgent problem that we've been spending hours on to no avail.

We have a RHEL 5.2 server that is running Samba 3.2.8 and was set up
for domain authentication against our PDC.  It was running fine until
I decided to try and change it to "ads" authentication.  I then
realized that we needed to keep it on "domain" because of the version
of Clearcase we have on the machine, so I went to change it back and
ever since then, users can't authenticate.  Our PDC is running
Microsoft 2008 R2.

The way I have changed back and forth is this:

1.  Shut down Samba
2.  Remove the Samba server (Flint) from the domain by going onto the
DC and removing it.
3.  Run:  kinit Administrator@OURDOMAIN.COM
4.  Run:  net rpc join -U Administrator
5.  Start Samba again

Whenever I do that, it appears to join the domain okay, but if you try
to connect to the Samba server via \\flint you get the following
pop-up from a Windows XP box:

The trust relationship between this workstation and the primary domain failed.

In the client logs we see:
check_ntlm_password:  Authentication for user [banshee] -> [banshee]
FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

I have tried this:
net rpc changetrustpw

Did not help.

It looks like it joined the domain okay, but for some reason
authentication is not happening.
[root@flint samba]# net rpc testjoin
Join to 'OURDOMAIN' is OK

Below is some output from testparm and what our krb5.conf file looks like.

If anyone has any ideas, please let me know.  This is causing an
entire group to be down while this isn't working.

Thanks!

Kathy

[root@flint samba]# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = OURDOMAIN
        realm = OURDOMAIN.COM
        server string = Flint Samba Server
        security = DOMAIN
        password server = togiak.ourdomain.com
        username map = /etc/samba/username.map
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 100000
        deadtime = 15
        dns proxy = No
        kernel oplocks = No
        lock directory = /var/log/samba/locks
        host msdfs = No
        invalid users = @root, @wheel, @bin, @sys, @admin
        create mask = 0775
        directory mask = 0775
        case sensitive = No
        map archive = No
        oplocks = No
        level2 oplocks = No
        dont descend = /proc,/dev
        fake directory create times = Yes

/etc/krb5.conf looks like this:

[root@flint samba]# more /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm= OURDOMAIN.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true

[realms]
 OURDOMAIN.COM= {
  kdc= togiak.ourdomain.com
  admin_server= togiak.ourdomain.com
  default_domain= ourdomain.com
 }

[domain_realm]
 .togiak.ourdomain.com = OURDOMAIN.COM
 ourdomain.com = OURDOMAIN.COM
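The log line quoted in the post (check_ntlm_password ... FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE) is the key piece of evidence: that status means the domain controller rejected the member server's own machine account, so it hits every user rather than one. The following triage helper is an added example and is not part of the original post or of Samba itself. It parses Samba 3.x-style log lines for check_ntlm_password results, counts them by NT_STATUS code, and separates host-level trust failures (which call for inspecting the machine account and re-joining) from per-user failures such as a wrong password. The sample log lines are constructed for the example, and the set of status codes treated as host-level is my own choice.

```python
import re
from collections import Counter, defaultdict

# Regex for the Samba 3.x check_ntlm_password message shape quoted in the post.
# The optional third "-> [unix]" group and the "succeeded" branch are assumed
# from the shape of successful logons at higher log levels.
AUTH_RE = re.compile(
    r"check_ntlm_password:\s+[Aa]uthentication for user "
    r"\[(?P<client>[^\]]*)\] -> \[(?P<mapped>[^\]]*)\]"
    r"(?: -> \[(?P<unix>[^\]]*)\])?\s+"
    r"(?:FAILED with error (?P<status>NT_STATUS_\w+)|(?P<ok>succeeded))"
)

# NTSTATUS values that point at the member server's machine account or its
# path to a DC rather than at the individual user's credentials (my grouping).
HOST_LEVEL_STATUSES = {
    "NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE",
    "NT_STATUS_NO_TRUST_SAM_ACCOUNT",
    "NT_STATUS_NO_LOGON_SERVERS",
}

# Constructed sample: the message line from the post plus two more made-up ones.
SAMPLE_LOG = """\
[2011/03/23 20:55:01,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [banshee] -> [banshee] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2011/03/23 20:55:07,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jdoe] -> [jdoe] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2011/03/23 20:56:12,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [guest1] -> [guest1] FAILED with error NT_STATUS_WRONG_PASSWORD
"""


def parse_auth_events(lines):
    """Extract (client user, mapped user, status) from check_ntlm_password lines."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # header lines and unrelated messages carry no verdict
        events.append({
            "client_user": m.group("client"),
            "mapped_user": m.group("mapped"),
            "status": m.group("status") or "NT_STATUS_OK",
        })
    return events


def triage(lines):
    """Summarise authentication outcomes and decide whether the failures are
    host-level (machine account / trust) or confined to individual users."""
    events = parse_auth_events(lines)
    by_status = Counter(e["status"] for e in events)
    users_by_status = defaultdict(set)
    for e in events:
        users_by_status[e["status"]].add(e["mapped_user"])

    host_statuses = sorted(s for s in by_status if s in HOST_LEVEL_STATUSES)
    affected = set()
    for s in host_statuses:
        affected |= users_by_status[s]

    if host_statuses:
        summary = ("host-level failure %s for %d distinct user(s): check the "
                   "machine account on the DC and the join (net rpc testjoin), "
                   "not the users' passwords" % (", ".join(host_statuses), len(affected)))
    elif any(s != "NT_STATUS_OK" for s in by_status):
        summary = "per-user failures only; the domain trust looks intact"
    else:
        summary = "no authentication failures seen"

    return {
        "total_events": len(events),
        "by_status": dict(by_status),
        "host_level": bool(host_statuses),
        "affected_users": sorted(affected),
        "summary": summary,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for status, n in sorted(result["by_status"].items()):
        print("%-45s %d" % (status, n))
    print(result["summary"])
```

Run against a real /var/log/samba/log.<client> file (the log file pattern from the smb.conf above), the same distinction applies: if the trust failure appears for every user who tries, the fix lies with the machine account and the join, and a per-user password reset will not help.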

