[Samba] Windows 7 login fails after server crash

Gaiseric Vandal gaiseric.vandal at gmail.com
Sun Nov 6 16:44:43 UTC 2016

Upgrading domain controllers to Samba 4.4.7 seems to fix the "trust 
relationship" with the Windows clients.

But it seems to have broken trust issues with some of the Samba 3.6.25 
member servers.

        root@member1:~# net rpc testjoin
        Connection failed: NT_STATUS_ACCESS_DENIED
        Join to domain 'MYDOMAIN' is not valid: NT_STATUS_ACCESS_DENIED

        root@member1:~# testparm -v | grep sign
        Server role: ROLE_DOMAIN_MEMBER
                 client signing = required
                 client ipc signing = required
                 server signing = No
        root@member1:~#

Updating smb.conf with

         client signing = auto
         client ipc signing = auto

seems to have partially resolved the issue.

        root@member1:~# net rpc testjoin
        Join to 'MYDOMAIN' is OK
        root@member1:~#

But I was still unable to access shares on the member server windows.
(User authentication seems to fail.)

I reverted my Samba DCs back to unpatched 3.6.25 (and restored the 
/etc/samba/private and /var/samba/locks directories from the night before).

On 11/03/16 16:18, Gaiseric Vandal wrote:
> This morning, due to a power outage, our samba servers crashed. All 
> looked OK at reboot (at first) - users who had stayed logged in 
> could still access shares.
> However users who tried to log back into the network got the "The 
> trust relationship between this workstation and the primary domain 
> failed" message.  Removing a machine from domain and rejoining did not 
> help.
> Servers are a classic domain, samba 3.6.25 on Solaris 11 with Solaris 
> patch idr2408 to install BADLOCK fixes (in order to fix compatibility 
> with linux samba 4.x member servers as well as to fix a trust 
> issue with a Windows 2008 AD domain). I had applied this patch 
> several weeks ago and restarted samba services but not restarted the 
> server. Removing the patch from the domain controllers and 
> primary file server seemed to fix the problem.
> As part of the patch, I also added "server signing = No" to smb.conf 
> since the new default seemed to be to enable it.
> Guessing some schannel thing?
> I didn't see anything definitive in any logs.
> I may compile samba 4.4.x in case samba 3.x has some other 
> compatibility issues I don't know about.
> Appreciate any insight or suggestions.
> Thanks
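
An added example, not part of the original post: a small Python model of SMB signing negotiation applied to the member settings shown above. It assumes the DC still carries the "server signing = No" line mentioned in the quoted message; the function names are hypothetical, and only the value spellings listed in the code are handled.

```python
import re

# Spellings handled here, grouped by signing level (other values are rejected).
LEVELS = {
    "off": {"no", "off", "false", "0", "disabled"},
    "allowed": {"yes", "on", "true", "1", "auto", "enabled", "if_required", "desired"},
    "required": {"mandatory", "required", "force", "forced", "enforced"},
}

def level(value):
    """Map a smb.conf signing value to off / allowed / required."""
    v = value.strip().lower()
    for name, spellings in LEVELS.items():
        if v in spellings:
            return name
    raise ValueError(f"unhandled signing value: {value!r}")

def parse_params(text):
    """Parse 'key = value' lines as printed by testparm into a dict."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=#;]+?)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params

def negotiate(client_value, server_value):
    """Return 'fail', 'signed', 'unsigned' or 'optional' for one client/server pair."""
    c, s = level(client_value), level(server_value)
    if "required" in (c, s):
        return "fail" if "off" in (c, s) else "signed"
    if "off" in (c, s):
        return "unsigned"
    return "optional"  # both sides merely allow signing; result depends on version

# Member settings as shown by testparm in the post, before and after the change.
MEMBER_BEFORE = "client signing = required\nclient ipc signing = required\nserver signing = No"
MEMBER_AFTER = "client signing = auto\nclient ipc signing = auto\nserver signing = No"
# Assumption: the DC still has the "server signing = No" line added with the patch.
DC = "server signing = No"

def report(member_text, dc_text=DC):
    """Evaluate both client-side signing parameters against the DC's server signing."""
    member, dc = parse_params(member_text), parse_params(dc_text)
    return {k: negotiate(member[k], dc["server signing"])
            for k in ("client signing", "client ipc signing")}

if __name__ == "__main__":
    print("before:", report(MEMBER_BEFORE))
    print("after: ", report(MEMBER_AFTER))
```

Under that assumption, the "required" settings cannot be satisfied by a server with signing off, while "auto" lets the session proceed unsigned, so the testjoin result changes at the cost of losing signing on that traffic.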
