[Samba] Samba AD member and connections from non-AD systems failing

Kent Nasveschuk knasveschuk at mbl.edu
Mon Jun 9 09:33:47 MDT 2014

I have a problem where non-AD systems can no longer connect to Samba shares. Samba 3.5.x servers are a members in AD, Windows 2008R2. This has worked flawlessly since we initiated it a couple years back. This happened to all 3 Samba servers after AD servers were rebooted. My thoughts are it was a Windows update that wrecked the system. Here is a typical setup: 

Winbind not used 
Samba version 3.5.10 on CentOS 6.x 
Group info comes from LDAP, nss_ldap. id <user name> returns group membership in LDAP. Groups have POSIX attributes. 

workgroup = MBLAD 
realm = MBLAD.MBL.EDU 
encrypt passwords = Yes 
socket options = TCP_NODELAY 
security = ADS 
password server = <fqdn AD server> 
directory mask = 02770 
server string = Samba 3.5.10 
log file = /var/log/samba/samba.%m 
log level = 3 
max log size = 50 
admin users = @domain_admins 
restrict anonymous = 2 
time server = Yes 
unix extensions = no 
logon script = 
interfaces = eth0 lo 
directory mask = 02770 
logon path = 
logon drive = L: 
logon home = 
domain master = no 
dns proxy = no 
wins support = yes 
local master = yes 
preferred master = yes 
name resolve order = wins bcast dns 
os level = 64 
printcap name = /etc/printcap 
load printers = no 
printing = cups 
show add printer wizard = no 
disable spoolss = yes 
kernel oplocks = no 
deadtime = 0 

typical share: 

valid users = "@ldap group" 

Error message in /var/log/samba/samba.<computer name> 

[2014/06/09 10:57:01, 0] auth/auth_domain.c:288(domain_client_validate) 
domain_client_validate: Domain password server not available. 
[2014/06/09 10:57:01, 5] auth/auth.c:274(check_ntlm_password) 
check_ntlm_password: winbind authentication for user [KN123456] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE 
[2014/06/09 10:57:01, 2] auth/auth.c:320(check_ntlm_password) 
check_ntlm_password: Authentication for user [KN123456] -> [KN123456] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE 
[2014/06/09 10:57:01, 5] auth/auth_util.c:2114(free_user_info) 
attempting to free (and zero) a user_info structure 
[2014/06/09 10:57:01, 10] auth/auth_util.c:2118(free_user_info) 
structure was created for KN123456 
[2014/06/09 10:57:01, 3] smbd/error.c:60(error_packet_set) 
error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE 
[2014/06/09 10:57:01, 5] lib/util.c:632(show_msg) 
[2014/06/09 10:57:01, 5] lib/util.c:642(show_msg) 

Using nslookup on the AD servers, I can do a forward and reverse lookup of name/address 

net ads info returns good info. I deleted the computer from AD and rejoined the domain, that worked fine but made no difference. 

Is there something that might need to be tweeked in AD security policy to get this working? Starting winbind will fix the login issue, but now it is trying to get group info from AD and not nss_ldap, all our group info is in LDAP (used by other systems). Any help would be appreciated. 

Kent L. Nasveschuk 
Systems Administrator 

Marine Biological Laboratory 
7 MBL St. 
Woods Hole, MA 02543 

More information about the samba mailing list