[Samba] NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC

Rowland Penny rpenny at samba.org
Wed Oct 12 16:53:39 UTC 2016


On Wed, 12 Oct 2016 21:38:23 +0530
shridhar shetty via samba <samba at lists.samba.org> wrote:

> Hi Team,
> 
> I am facing a problem with the trust relation, which tends to break when
> there is a temporary network connection break between an AD and samba
> server.
> 
> Steps for reproducing the issue
> 1. Join a machine to a domain with AD server: xxx.xxx.com
> 2. Check the output of "wbinfo -t". Exits with a success.
> 3. Now remove the connection to AD server xxx.xxx.com, i.e. unable to ping
> AD etc. Here "wbinfo -t" exits with a failure.
> 4. Then bring back the connection to AD. "wbinfo -t" still exits with
> a failure even when the AD server is online.
> 5. Only option left is to rejoin the machine to a domain.
> 
> Can you help us fix this. I tried too many things and am running out
> of ideas. Would appreciate any kind of pointers. Thanks
> 
> SAMBA version: Version 4.2.3
> SAMBA server OS: Centos 7
> SELINUX: disabled
> 
> Below is my smb.conf file.
> --------------------------------------------
> [global]
> security = user
> interfaces = em1 lo
> bind interfaces only = yes
> kerberos method = secrets and keytab
> workgroup = XXX
> netbios name = inmusbackup01
> server string = FILE SERVER
> realm = XXX.XXX.COM
> 
> #Winbindd configuration
> winbind separator = +
> winbind uid = 10000-20000
> winbind gid = 10000-20000
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> template homedir = /home/%U
> template shell = /bin/bash
> winbind refresh tickets = yes
> 
> #Setting Security level
> security = ads
> encrypt passwords = yes
> 
> host msdfs = no
> #This shows the user his home directory in File Server. Every logged in user sees his own home directory
> idmap uid = 16777216-33554431
> idmap gid = 16777216-33554431
> server services = winbindd
> 
> log file = /var/log/samba/samba.log
> log level = 3
> max log size = 500
> load printers = no
> cups options = raw
> disable spoolss = yes
> printcap name = /dev/null
> --------------------------------------------
> 
> 
> wbinfo -t output
> ---
> checking the trust secret for domain EIGI via RPC calls failed
> error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> Could not check secret
> ---

Can I suggest you go and read 'man smb.conf' as a starting point?
For instance 'winbind uid' is a synonym for 'idmap uid' and that 'idmap
uid' is deprecated in favour of 'idmap config'. Also 'server services'
is only meant to be on a DC.

Or to put it another way, your smb.conf isn't anywhere near right ;-)

Rowland
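As an added illustration of the three points raised in the reply above (this is not the poster's file nor a configuration shipped by the Samba project): a domain-member smb.conf with 'winbind uid'/'idmap uid' replaced by 'idmap config', 'server services' removed, and the duplicated 'security' line dropped. The domain short name XXX and realm are taken from the post; the rid backend and the two ID ranges are assumptions chosen for illustration.

```ini
[global]
   workgroup = XXX
   realm = XXX.XXX.COM
   security = ads
   netbios name = inmusbackup01
   server string = FILE SERVER
   interfaces = em1 lo
   bind interfaces only = yes
   kerberos method = secrets and keytab

   # 'winbind uid'/'winbind gid' are synonyms for 'idmap uid'/'idmap gid',
   # and both are deprecated in favour of 'idmap config'. The '*' block
   # handles well-known SIDs and any domain without its own block; the
   # XXX block handles the joined domain. The two ranges must not overlap.
   # (Backend choice and range values are assumptions, not from the post.)
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config XXX : backend = rid
   idmap config XXX : range = 10000-999999

   winbind separator = +
   winbind use default domain = yes
   winbind refresh tickets = yes
   winbind enum users = yes
   winbind enum groups = yes
   template homedir = /home/%U
   template shell = /bin/bash

   # 'server services' is only meant for a DC and has been removed.
   # 'encrypt passwords' defaults to yes, so it is not set explicitly.
   # Only one 'security =' line remains; the earlier 'security = user' is gone.

   host msdfs = no
   log file = /var/log/samba/samba.log
   log level = 3
   max log size = 500
   load printers = no
   disable spoolss = yes
   printcap name = /dev/null
```

Running `testparm` against the edited file lists any parameters Samba no longer recognises before winbindd is restarted; the trust-secret check itself ('wbinfo -t') is a separate matter from these configuration points.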
