[Samba] access samba share getting NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE error VS. nullSessionPipes
johnlan at gmail.com
Thu Jun 12 13:47:39 MDT 2014
SAMBA as a member server in an AD domain
Accessing a Samba share from any client (e.g. Windows 7) using AD domain
credentials gives the below error message:
C:\tools>net use * \\sbdevsvr213.dev.ib.tor.scotiabank.com\fundmgr
System error 1789 has occurred.
The trust relationship between this workstation and the primary domain
Below is the log:
[2014/06/12 11:59:58, 0]
connect_to_domain_password_server: unable to open the domain client session
to machine DCnameHere. Error was : NT_STATUS_ACCESS_DENIED.
[2014/06/12 11:59:58, 0] auth/auth_domain.c:288(domain_client_validate)
domain_client_validate: Domain password server not available.
[2014/06/12 11:59:58, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [userName] -> [fmrun] FAILED
with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/12 11:59:58, 3] smbd/error.c:60(error_packet_set)
error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX)
This can be worked around by adding the below values to nullSessionPipes on the DC:
Note: one of the above pipes did the trick, not sure which one, likely lsarpc
The nullSessionPipes can be found at this place:
It can also be set via group policy:
Network access: Named Pipes that can be accessed anonymously
Now my question is, how can we make this work without enabling
nullSessionPipes? We want to make the servers more secure by disabling
anonymous access to anything.
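
Added example, not part of the original post: a small Python triage script for smbd logs in the format shown above. It separates logon failures caused by the member server failing to open its session to the DC (the NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE chain in the post) from ordinary user logon failures. The function names, the cause labels and the sample are assumptions of this example; the sample follows the post's log plus one made-up entry.

```python
import re
# Entry header in the post's log: "[YYYY/MM/DD HH:MM:SS, level] file:line(func)"
HEADER = re.compile(r"^\s*\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]")
DC_FAIL = re.compile(r"domain client session to machine (?P<dc>\S+?)\. "
                     r"Error was : (?P<status>NT_STATUS_\w+)")
AUTH_FAIL = re.compile(r"Authentication for user \[(?P<user>[^\]]*)\] -> "
                       r"\[[^\]]*\] FAILED with error (?P<status>NT_STATUS_\w+)")
NO_DC = {"dc": None, "dc_status": None}

# Constructed sample: modelled on the post's log; the otherUser entry is made up.
SAMPLE = """\
[2014/06/12 11:59:58, 0]
  connect_to_domain_password_server: unable to open the domain client session
  to machine DCnameHere. Error was : NT_STATUS_ACCESS_DENIED.
[2014/06/12 11:59:58, 0] auth/auth_domain.c:288(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2014/06/12 11:59:58, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [userName] -> [fmrun] FAILED
  with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/12 12:03:10, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [otherUser] -> [otherUser] FAILED
  with error NT_STATUS_WRONG_PASSWORD
"""

def parse_entries(text):
    """Join each header line with its continuation lines into one message."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"ts": m["ts"], "msg": line[m.end():].strip()})
        elif entries and line.strip():
            entries[-1]["msg"] += " " + line.strip()
    return entries

def triage(text):
    """One finding per failed logon; a trust failure carries the DC error before it."""
    findings, dc_err = [], NO_DC
    for e in parse_entries(text):
        dc, auth = DC_FAIL.search(e["msg"]), AUTH_FAIL.search(e["msg"])
        if dc:
            dc_err = {"dc": dc["dc"], "dc_status": dc["status"]}
        if auth:
            trust = auth["status"] == "NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE"
            findings.append({"ts": e["ts"], "user": auth["user"],
                             "status": auth["status"], **(dc_err if trust else NO_DC),
                             "cause": "dc-session" if trust else "user-logon"})
            dc_err = NO_DC
    return findings
```

Calling `triage(SAMPLE)` yields two findings: the first attributes the failure to the server-to-DC session and names the DC and its error, the second is a plain user logon failure.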