[Samba] access samba share getting NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE error VS. nullSessionPipes
JL
johnlan at gmail.com
Thu Jun 12 13:47:39 MDT 2014
Samba is running as a member server in an AD domain.
Accessing a Samba share from any client (e.g. Windows 7) using AD domain
credentials gives the error message below:
[ ----------
C:\tools>net use * \\sbdevsvr213.dev.ib.tor.scotiabank.com\fundmgr * /user:domainName\un
System error 1789 has occurred.
The trust relationship between this workstation and the primary domain
failed.
------------- ]
Below is the log:
[ --------------
[2014/06/12 11:59:58, 0] auth/auth_domain.c:187(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DCnameHere. Error was : NT_STATUS_ACCESS_DENIED.
[2014/06/12 11:59:58, 0] auth/auth_domain.c:288(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2014/06/12 11:59:58, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [userName] -> [fmrun] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/12 11:59:58, 3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
------------- ]
This can be worked around by adding the values below to nullSessionPipes on the DC:
[--------
netlogon
lsarpc
samr
browser
srvsvc
wkssvc
------ ]
Note: one of the above pipes did the trick; not sure which one, likely lsarpc.
The nullSessionPipes value can be found at this place:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
It can also be set via Group Policy:
Network access: Named Pipes that can be accessed anonymously
Now my question is, how can we make this work without enabling
nullSessionPipes? We want to make the servers more secure by disabling
anonymous access to anything.
Thanks!
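
A triage sketch for the log excerpt above, added here as an example and not part of the original message or of Samba: it parses the smbd log entries and separates logon failures caused by the member server's own session to the DC from ordinary user logon failures. The header layout is assumed to match the excerpt, the same-timestamp correlation is a heuristic, and the last sample entry is constructed.

```python
import re

# Constructed sample: the excerpt from the post with wrapped lines rejoined,
# plus one made-up wrong-password entry for contrast.
SAMPLE_LOG = """\
[2014/06/12 11:59:58, 0] auth/auth_domain.c:187(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DCnameHere. Error was : NT_STATUS_ACCESS_DENIED.
[2014/06/12 11:59:58, 0] auth/auth_domain.c:288(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2014/06/12 11:59:58, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [userName] -> [fmrun] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/12 12:03:10, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [other] -> [other] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# Header layout assumed from the excerpt: [date time, level] file:line(function)
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+\S+:\d+\((\w+)\)$")
DC_ERR = re.compile(r"to machine (\S+)\. Error was : (NT_STATUS_\w+)")
AUTH_FAIL = re.compile(r"for user \[([^\]]*)\] -> \[[^\]]*\] FAILED with error (NT_STATUS_\w+)")

def parse_entries(text):
    """Group each header line with its (possibly wrapped) message lines."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)), "func": m.group(3), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def triage(entries):
    """Label each failed logon by whether the DC session failed in the same second."""
    results, dc_err = [], None
    for e in entries:
        m = DC_ERR.search(e["msg"])
        if e["func"] == "connect_to_domain_password_server" and m:
            dc_err = {"time": e["time"], "dc": m.group(1), "dc_status": m.group(2)}
        m = AUTH_FAIL.search(e["msg"])
        if e["func"] == "check_ntlm_password" and m:
            hit = dc_err if dc_err and dc_err["time"] == e["time"] else None
            results.append({"user": m.group(1), "status": m.group(2),
                            "cause": "member-to-DC session" if hit else "user logon",
                            "dc": hit["dc"] if hit else None,
                            "dc_status": hit["dc_status"] if hit else None})
    return results

if __name__ == "__main__":
    for r in triage(parse_entries(SAMPLE_LOG)):
        print(r)
```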