[Samba] Samba AD member and connections from non-AD systems failing

David Bear dwbear75 at gmail.com
Mon Jun 9 16:43:31 MDT 2014


The last line in the debug says it all -- your samba servers lost their
trust account with the AD. Options? Well, I don't know if there is an
elegant way to tell AD to 'trust' your samba server again -- but you can
always remove them and rejoin them to the domain. That will rebuild the
trust.



On Mon, Jun 9, 2014 at 8:33 AM, Kent Nasveschuk <knasveschuk at mbl.edu> wrote:

> Hello,
> I have a problem where non-AD systems can no longer connect to Samba
> shares. Samba 3.5.x servers are members in AD, Windows 2008R2. This has
> worked flawlessly since we initiated it a couple years back. This happened
> to all 3 Samba servers after AD servers were rebooted. My thoughts are it
> was a Windows update that wrecked the system. Here is a typical setup:
>
> Winbind not used
> Samba version 3.5.10 on CentOS 6.x
> Group info comes from LDAP, nss_ldap. id <user name> returns group
> membership in LDAP. Groups have POSIX attributes.
>
> [global]
> workgroup = MBLAD
> realm = MBLAD.MBL.EDU
> encrypt passwords = Yes
> socket options = TCP_NODELAY
> security = ADS
> password server = <fqdn AD server>
> directory mask = 02770
> server string = Samba 3.5.10
> log file = /var/log/samba/samba.%m
> log level = 3
> max log size = 50
> admin users = @domain_admins
> restrict anonymous = 2
> time server = Yes
> unix extensions = no
> logon script =
> interfaces = eth0 lo
> directory mask = 02770
> logon path =
> logon drive = L:
> logon home =
> domain master = no
> dns proxy = no
> wins support = yes
> local master = yes
> preferred master = yes
> name resolve order = wins bcast dns
> os level = 64
> printcap name = /etc/printcap
> load printers = no
> printing = cups
> show add printer wizard = no
> disable spoolss = yes
> kernel oplocks = no
> deadtime = 0
>
> typical share:
> ...
> [SOME SHARE]
> ...
>
> valid users = "@ldap group"
> ...
>
>
> Error message in /var/log/samba/samba.<computer name>
>
> [2014/06/09 10:57:01, 0] auth/auth_domain.c:288(domain_client_validate)
> domain_client_validate: Domain password server not available.
> [2014/06/09 10:57:01, 5] auth/auth.c:274(check_ntlm_password)
> check_ntlm_password: winbind authentication for user [KN123456] FAILED
> with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> [2014/06/09 10:57:01, 2] auth/auth.c:320(check_ntlm_password)
> check_ntlm_password: Authentication for user [KN123456] -> [KN123456]
> FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> [2014/06/09 10:57:01, 5] auth/auth_util.c:2114(free_user_info)
> attempting to free (and zero) a user_info structure
> [2014/06/09 10:57:01, 10] auth/auth_util.c:2118(free_user_info)
> structure was created for KN123456
> [2014/06/09 10:57:01, 3] smbd/error.c:60(error_packet_set)
> error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX)
> NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> [2014/06/09 10:57:01, 5] lib/util.c:632(show_msg)
> [2014/06/09 10:57:01, 5] lib/util.c:642(show_msg)
>
> Using nslookup on the AD servers, I can do a forward and reverse lookup of
> name/address
>
> net ads info returns good info. I deleted the computer from AD and
> rejoined the domain, that worked fine but made no difference.
>
> Is there something that might need to be tweaked in AD security policy to
> get this working? Starting winbind will fix the login issue, but now it is
> trying to get group info from AD and not nss_ldap; all our group info is in
> LDAP (used by other systems). Any help would be appreciated.
>
> Kent L. Nasveschuk
> Systems Administrator
>
> ----------------------------
> Marine Biological Laboratory
> 7 MBL St.
> Woods Hole, MA 02543
> http://www.mbl.edu
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>



-- 
David Bear
mobile: (602) 903-6476
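The triage sequence David suggests (check the machine trust account, then rebuild it), as an added shell example that is not code from this thread or from the Samba project. It first summarises NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE entries per user from an smbd log, so you can see whether every user is affected (trust account broken) or only some (likely a different cause), and then runs `net ads testjoin`, `net ads changetrustpw` and a leave/join against the domain. The sample log lines are constructed for the example (smbd writes the message on the line after the timestamp header, which the mail client wrapped further in Kent's paste), and the admin account name "Administrator" is an assumption; note that Kent reports a delete-and-rejoin did not help in his case, so treat the repair step as the standard fix, not a guaranteed one.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Triage for a Samba 3.x AD member logging NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE.
# Assumptions: the log path passed as $1, the admin account "Administrator",
# and the constructed sample log written by write_sample_log below.

# Write a constructed smbd log (not a real capture) for offline testing.
write_sample_log() {
    cat > "$1" <<'EOF'
[2014/06/09 10:57:01, 0] auth/auth_domain.c:288(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2014/06/09 10:57:01, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [KN123456] -> [KN123456] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:58:14, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [KN123456] -> [KN123456] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:59:02, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [jdoe] -> [jdoe] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 11:00:00, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password:  Authentication for user [asmith] -> [asmith] FAILED with error NT_STATUS_WRONG_PASSWORD
EOF
}

# Exit status 0 if the log contains any trust-relationship failure.
has_trust_failure() {
    grep -q 'NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE' "$1"
}

# Print "<user> <count>" per user, highest count first. Only the final
# "Authentication for user [X] -> [Y] FAILED" line is counted, so each
# failed session setup is counted once even though smbd repeats the status.
trust_failure_summary() {
    awk '/check_ntlm_password: +Authentication for user \[/ && /NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE/ {
            if (match($0, /for user \[[^]]+\]/)) {
                # strip the literal "for user [" prefix and the trailing "]"
                u = substr($0, RSTART + 10, RLENGTH - 11)
                n[u]++
            }
        }
        END { for (u in n) print u, n[u] }' "$1" | sort -k2,2nr -k1,1
}

# Verify, then rebuild, the machine trust account. Requires the Samba "net"
# tool and domain-admin credentials (it prompts for the password). Order:
# test the existing join, rotate the machine password, then leave and rejoin.
repair_trust() {
    admin="${1:-Administrator}"   # assumed admin account name
    command -v net >/dev/null 2>&1 || { echo "net not installed" >&2; return 2; }
    if net ads testjoin >/dev/null 2>&1; then
        echo "join is OK: the trust account is valid, look elsewhere"
        return 0
    fi
    echo "testjoin failed: rotating the machine account password"
    if net ads changetrustpw && net ads testjoin >/dev/null 2>&1; then
        echo "trust restored by password rotation"
        return 0
    fi
    echo "rotation did not help: leaving and rejoining the domain"
    net ads leave -U "$admin" || true
    net ads join -U "$admin" && net ads testjoin
}

# When run as a script with a log path, print the per-user summary.
if [ $# -gt 0 ] && [ -f "$1" ]; then
    if has_trust_failure "$1"; then
        trust_failure_summary "$1"
    else
        echo "no trust-relationship failures in $1"
    fi
fi
```

If every user in the summary carries the trust failure, the member's machine account is the problem and `repair_trust` is the place to start; if only some users fail, the trust is fine and the cause is elsewhere (for example the group lookup path, which Kent's config routes through nss_ldap rather than winbind). A failing `net ads testjoin` on all three servers after the same DC reboot points at the domain side rather than the members.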

