[Samba] RESOLVED: Need urgent help. trust relationship problem during authentication

Kathy banshee135 at gmail.com
Thu Mar 24 09:45:21 MDT 2011


I am not sure if this first post made it to the list, but I wanted to
post the resolution, which was very simple and something I had
documented but buried and I had forgotten about it.

All these problems went away when I joined the domain using Samba's
version of "net", not Redhat's.  If you use Redhat's version, it looks
like it joins the domain but it really doesn't work correctly.

Kathy

On Wed, Mar 23, 2011 at 8:05 PM, Kathy <banshee135 at gmail.com> wrote:
> We have an urgent problem that we've been spending hours on to no avail.
>
> We have a RHEL 5.2 server that is running Samba 3.2.8 and was set up
> for domain authentication against our PDC.  It was running fine until
> I decided to try and change it to "ads" authentication.  I then
> realized that we needed to keep it on "domain" because of the version
> of Clearcase we have on the machine, so I went to change it back and
> ever since then, users can't authenticate.  Our PDC is running
> Microsoft 2008 R2.
>
> The way I have changed back and forth is this:
>
> 1.  Shut down Samba
> 2.  Remove the Samba server (Flint) from the domain by going onto the
> DC and removing it.
> 3.  Run:  kinit Administrator at OURDOMAIN.COM
> 4.  Run:  net rpc join -U Administrator
> 5.  Start Samba again
>
> Whenever I do that, it appears to join the domain okay, but if you try
> to connect to the Samba server via \\flint you get the following
> pop-up from a Windows XP box:
>
> The trust relationship between this workstation and the primary domain failed.
>
> In the client logs we see:
> check_ntlm_password:  Authentication for user [banshee] -> [banshee]
> FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
>
> I have tried this:
> net rpc changetrustpw
>
> Did not help.
>
> It looks like it joined the domain okay, but for some reason
> authentication is not happening.
> [root at flint samba]# net rpc testjoin
> Join to 'OURDOMAIN' is OK
>
> Below are some outputs from testparam and what our krb.conf file looks like.
>
> If anyone has any ideas, please let me know.  This is causing an
> entire group to be down while this isn't working.
>
> Thanks!
>
> Kathy
>
> [root at flint samba]# testparm -s
> Load smb config files from /etc/samba/smb.conf
> Loaded services file OK.
> Server role: ROLE_DOMAIN_MEMBER
> [global]
>        workgroup = OURDOMAIN
>        realm = OURDOMAIN.COM
>        server string = Flint Samba Server
>        security = DOMAIN
>        password server = togiak.ourdomain.com
>        username map = /etc/samba/username.map
>        log level = 2
>        log file = /var/log/samba/log.%m
>        max log size = 100000
>        deadtime = 15
>        dns proxy = No
>        kernel oplocks = No
>        lock directory = /var/log/samba/locks
>        host msdfs = No
>        invalid users = @root, @wheel, @bin, @sys, @admin
>        create mask = 0775
>        directory mask = 0775
>        case sensitive = No
>        map archive = No
>        oplocks = No
>        level2 oplocks = No
>        dont descend = /proc,/dev
>        fake directory create times = Yes
>
>  /etc/krv5.conf looks like this:
>
> [root at flint samba]# more /etc/krb5.conf
> [logging]
>  default = FILE:/var/log/krb5libs.log
>  kdc = FILE:/var/log/krb5kdc.log
>  admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
>  default_realm= OURDOMAIN.COM
>  dns_lookup_realm = true
>  dns_lookup_kdc = true
>
> [realms]
>  OURDOMAIN.COM= {
>  kdc= togiak.ourdomain.com
>  admin_server= togiak.ourdomain.com
>  default_domain= ourdomain.com
>  }
>
> [domain_realm]
>  .togiak.ourdomain.com = OURDOMAIN.COM
>  ourdomain.com = OURDOMAIN.COM
>


More information about the samba mailing list