[Samba] access samba share getting NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE error VS. nullSessionPipes

JL johnlan at gmail.com
Thu Jun 12 13:47:39 MDT 2014


Samba is running as a member server in an AD domain.
Accessing a Samba share from any client (e.g. Windows 7) using AD domain
credentials gives the error message below:

[ ----------

C:\tools>net use * \\sbdevsvr213.dev.ib.tor.scotiabank.com\fundmgr * /user:domainName\un

System error 1789 has occurred.

The trust relationship between this workstation and the primary domain failed.

------------- ]


Below is the log:


[ --------------

[2014/06/12 11:59:58, 0] auth/auth_domain.c:187(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DCnameHere. Error was : NT_STATUS_ACCESS_DENIED.
[2014/06/12 11:59:58, 0] auth/auth_domain.c:288(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2014/06/12 11:59:58, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [userName] -> [fmrun] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/12 11:59:58, 3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

------------- ]


This can be worked around by adding the values below to nullSessionPipes on the DC:


[--------

netlogon
lsarpc
samr
browser
srvsvc
wkssvc

------ ]


Note: one of the above pipes did the trick; not sure which one, likely lsarpc.


nullSessionPipes can be found at this location:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters

It can also be set via group policy:

Network access: Named Pipes that can be accessed anonymously


Now my question is, how can we make this work without enabling
nullSessionPipes? We want to make the servers more secure by disabling
anonymous access to anything.


Thanks!
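
The failure chain in the log above (the client is told NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE, but the underlying cause is the DC refusing the member server's own session) can be separated from ordinary logon failures when reviewing smbd logs. The following Python is an added example, not part of the original post or of Samba; it assumes the unwrapped on-disk layout (header line, then message lines), and the sample log with DC01, alice and bob is constructed.

```python
import re

# Entry header as in the excerpt above: [date time, level] file:line(function)
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+?):\d+\((?P<func>\w+)\)$")
STATUS = re.compile(r"NT_STATUS_[A-Z_]+")
DC_NAME = re.compile(r"to machine (\S+?)\.\s")
USER = re.compile(r"Authentication for user \[([^\]]*)\]")

# Constructed sample: DC01, alice and bob are placeholders, not values from the post.
SAMPLE_LOG = """
[2014/06/12 11:59:58, 0] auth/auth_domain.c:187(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DC01. Error was : NT_STATUS_ACCESS_DENIED.
[2014/06/12 11:59:58, 0] auth/auth_domain.c:288(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2014/06/12 11:59:58, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [alice] -> [alice] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/12 12:03:10, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif line and entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def classify_auth_failures(entries):
    """Attach the preceding DC session error (same timestamp) to each failed logon."""
    findings, dc_error = [], None
    for e in entries:
        status = STATUS.search(e["msg"])
        if e["func"] == "connect_to_domain_password_server" and status:
            dc = DC_NAME.search(e["msg"])
            dc_error = (e["ts"], dc.group(1) if dc else None, status.group(0))
        elif e["func"] == "check_ntlm_password" and "FAILED" in e["msg"]:
            user = USER.search(e["msg"])
            linked = dc_error if dc_error and dc_error[0] == e["ts"] else (None,) * 3
            findings.append({"ts": e["ts"], "user": user.group(1) if user else None,
                             "client_status": status.group(0) if status else None,
                             "dc": linked[1], "dc_status": linked[2]})
    return findings

if __name__ == "__main__":
    for f in classify_auth_failures(parse_entries(SAMPLE_LOG)):
        print(f)
```

A finding with a non-empty `dc_status` points at the member server's session to the DC rather than at the user's credentials.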

