[Samba] Samba AD member and connections from non-AD systems failing
Kent Nasveschuk
knasveschuk at mbl.edu
Mon Jun 9 09:33:47 MDT 2014
Hello,
I have a problem where non-AD systems can no longer connect to Samba shares. The Samba 3.5.x servers are members of AD (Windows 2008R2). This has worked flawlessly since we initiated it a couple of years back. This happened to all 3 Samba servers after the AD servers were rebooted. My thoughts are that it was a Windows update that wrecked the system. Here is a typical setup:
Winbind not used
Samba version 3.5.10 on CentOS 6.x
Group info comes from LDAP, nss_ldap. id <user name> returns group membership in LDAP. Groups have POSIX attributes.
[global]
workgroup = MBLAD
realm = MBLAD.MBL.EDU
encrypt passwords = Yes
socket options = TCP_NODELAY
security = ADS
password server = <fqdn AD server>
directory mask = 02770
server string = Samba 3.5.10
log file = /var/log/samba/samba.%m
log level = 3
max log size = 50
admin users = @domain_admins
restrict anonymous = 2
time server = Yes
unix extensions = no
logon script =
interfaces = eth0 lo
directory mask = 02770
logon path =
logon drive = L:
logon home =
domain master = no
dns proxy = no
wins support = yes
local master = yes
preferred master = yes
name resolve order = wins bcast dns
os level = 64
printcap name = /etc/printcap
load printers = no
printing = cups
show add printer wizard = no
disable spoolss = yes
kernel oplocks = no
deadtime = 0
Typical share:
...
[SOME SHARE]
...
valid users = "@ldap group"
...
Error message in /var/log/samba/samba.<computer name>
[2014/06/09 10:57:01, 0] auth/auth_domain.c:288(domain_client_validate)
domain_client_validate: Domain password server not available.
[2014/06/09 10:57:01, 5] auth/auth.c:274(check_ntlm_password)
check_ntlm_password: winbind authentication for user [KN123456] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:57:01, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [KN123456] -> [KN123456] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:57:01, 5] auth/auth_util.c:2114(free_user_info)
attempting to free (and zero) a user_info structure
[2014/06/09 10:57:01, 10] auth/auth_util.c:2118(free_user_info)
structure was created for KN123456
[2014/06/09 10:57:01, 3] smbd/error.c:60(error_packet_set)
error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:57:01, 5] lib/util.c:632(show_msg)
[2014/06/09 10:57:01, 5] lib/util.c:642(show_msg)
Using nslookup on the AD servers, I can do a forward and reverse lookup of name/address
net ads info returns good info. I deleted the computer from AD and rejoined the domain, that worked fine but made no difference.
Is there something that might need to be tweaked in AD security policy to get this working? Starting winbind will fix the login issue, but then it tries to get group info from AD and not nss_ldap; all our group info is in LDAP (used by other systems). Any help would be appreciated.
Kent L. Nasveschuk
Systems Administrator
----------------------------
Marine Biological Laboratory
7 MBL St.
Woods Hole, MA 02543
http://www.mbl.edu
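The log excerpt above is the kind of thing worth triaging mechanically when three file servers fail at once. The script below is an added example, written for this page; it is not code from the post or from the Samba project. It parses the Samba 3.x log layout shown in the thread (one "[date, level] file:line(function)" header per debug call, followed by its message lines) and, for every final check_ntlm_password failure, records which authenticator failed, whether the ntdomain authenticator (domain_client_validate in auth_domain.c) had just reported "Domain password server not available", and which NT status actually went back to the client in the SMBsesssetupX error packet. The point of the correlation is to separate a broken machine-account secure channel (DC unreachable, NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE) from an ordinary bad password (NT_STATUS_LOGON_FAILURE, no DC message). Reading Samba 3's source, the default auth method list for security = ADS is "guest sam winbind:ntdomain", and the winbind authenticator falls back to the ntdomain one when winbindd is not running, which is why the level-5 line names "winbind" while the level-0 message comes from auth_domain.c. The sample log is constructed: it repeats the thread's lines for KN123456 and adds a made-up bad-password attempt by a hypothetical user "jdoe" for contrast; the hint strings are general guidance, not a diagnosis of the poster's root cause.

```python
"""Triage an smbd debug log for failed session setups on an AD member.

Added example, not from the post or the Samba project. Parses Samba 3.x
debug records and correlates each final authentication failure with the
surrounding records.
"""
import re

# One record header per debug call: "[YYYY/MM/DD HH:MM:SS, level] file:line(function)"
HEADER_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+'
    r'(?P<file>[\w/.]+):(?P<line>\d+)\((?P<func>\w+)\)\s*$')
DC_UNAVAILABLE = 'Domain password server not available'
# Per-method failure (level 5) and the final verdict (level 2) from auth/auth.c.
METHOD_FAIL_RE = re.compile(
    r'check_ntlm_password: (?P<method>\w+) authentication for user '
    r'\[(?P<user>[^\]]+)\] FAILED with error (?P<status>NT_STATUS_\w+)')
FINAL_FAIL_RE = re.compile(
    r'check_ntlm_password: Authentication for user \[(?P<user>[^\]]+)\] -> '
    r'\[(?P<mapped>[^\]]+)\] FAILED with error (?P<status>NT_STATUS_\w+)')
# Status actually put on the wire by smbd/error.c.
ERROR_PACKET_RE = re.compile(
    r'error packet at \S+ cmd=\d+ \((?P<cmd>\w+)\) (?P<status>NT_STATUS_\w+)')

# Constructed sample: the thread's excerpt for KN123456, plus a made-up
# bad-password attempt by the hypothetical user "jdoe" for contrast.
SAMPLE_LOG = """\
[2014/06/09 10:57:01, 0] auth/auth_domain.c:288(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2014/06/09 10:57:01, 5] auth/auth.c:274(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [KN123456] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:57:01, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [KN123456] -> [KN123456] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:57:01, 5] auth/auth_util.c:2114(free_user_info)
  attempting to free (and zero) a user_info structure
[2014/06/09 10:57:01, 10] auth/auth_util.c:2118(free_user_info)
  structure was created for KN123456
[2014/06/09 10:57:01, 3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:57:01, 5] lib/util.c:632(show_msg)
[2014/06/09 10:57:01, 5] lib/util.c:642(show_msg)
[2014/06/09 10:58:30, 5] auth/auth.c:274(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [jdoe] FAILED with error NT_STATUS_LOGON_FAILURE
[2014/06/09 10:58:30, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [jdoe] -> [jdoe] FAILED with error NT_STATUS_LOGON_FAILURE
"""


def parse_records(text):
    """Group log lines into records: a header starts one, message lines attach to it."""
    records = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            records.append({'ts': m['ts'], 'level': int(m['level']),
                            'file': m['file'], 'func': m['func'], 'msg': ''})
        elif records:
            # A header with no message (the show_msg lines) simply keeps msg == ''.
            records[-1]['msg'] = (records[-1]['msg'] + ' ' + line.strip()).strip()
    return records


def hint(status, dc_unavailable):
    """General reading of the NT status; not a diagnosis of any specific root cause."""
    if status == 'NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE':
        h = ('machine account / secure channel to the DC not usable; '
             'check with `net ads testjoin` and `net ads info`')
        if dc_unavailable:
            h += ' (smbd could not reach or bind to the password server at all)'
        return h
    if status == 'NT_STATUS_LOGON_FAILURE':
        return 'credentials were rejected by the authenticator that answered'
    if status == 'NT_STATUS_NO_LOGON_SERVERS':
        return 'no domain controller answered'
    return 'unclassified status; look it up in the Samba source'


def triage(text, window=5):
    """One finding per final check_ntlm_password failure, with context from nearby records."""
    records = parse_records(text)
    findings = []
    for i, rec in enumerate(records):
        m = FINAL_FAIL_RE.search(rec['msg'])
        if not m:
            continue
        before = records[max(0, i - window):i]
        after = records[i + 1:i + 1 + window]
        methods = []  # authenticators that reported failure for this user just before
        for r in before:
            mm = METHOD_FAIL_RE.search(r['msg'])
            if mm and mm['user'] == m['user']:
                methods.append(mm['method'])
        dc_down = any(DC_UNAVAILABLE in r['msg'] for r in before)
        returned = None  # status in the next error packet, if one was logged
        for r in after:
            e = ERROR_PACKET_RE.search(r['msg'])
            if e:
                returned = e['status']
                break
        findings.append({'ts': rec['ts'], 'user': m['user'], 'status': m['status'],
                         'methods': methods, 'dc_unavailable': dc_down,
                         'returned_to_client': returned,
                         'hint': hint(m['status'], dc_down)})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}: {f['status']} via {f['methods']} "
              f"dc_unavailable={f['dc_unavailable']} -> client got {f['returned_to_client']}")
        print('  hint:', f['hint'])
```

Run it against a real /var/log/samba/samba.<client> at log level 3 or higher (the level-5 per-method lines only appear at level 5 and above, so with the poster's `log level = 3` the `methods` list will be empty while the level-0 DC message and the level-2 verdict still correlate). The `window` is in records, not seconds, which is deliberate: a busy smbd interleaves records from one client process only, so proximity in the per-client log is the right notion of "just before".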