[Samba] NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC

shridhar shetty shridhar.sanjeeva at gmail.com
Wed Oct 12 20:56:08 UTC 2016


My apologies for the same. I shamelessly borrowed these settings from an
existing working setup after mine was not working.

Changed the smb.conf file, but the result is the same.
wbinfo -u and wbinfo -g work and give me users, but wbinfo -t doesn't.

[global]
workgroup = xxxx
netbios name = inmusbackup01
server string = FILE SERVER
realm = xxx.xxx.COM

#Winbindd configuration
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
winbind refresh tickets = yes

#Setting Security level
security = ads
kerberos method = secrets and keytab
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config xxxx : backend  = ad
idmap config xxxx : range = 10000-999999

log file = /var/log/samba/samba.log
log level = 3
max log size = 500
load printers = no

On Wed, Oct 12, 2016 at 10:23 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Wed, 12 Oct 2016 21:38:23 +0530
> shridhar shetty via samba <samba at lists.samba.org> wrote:
>
> > Hi Team,
> >
> > I am facing a problem with the trust relation, which tends to break when
> > there is a temporary network connection break between an AD and Samba
> > server.
> >
> > Steps for reproducing the issue
> > 1. Join a machine to a domain with AD server: xxx.xxx.com
> > 2. Check the output of "wbinfo -t". Exits with a success.
> > 3. Now remove the connection to AD server xxx.xxx.com, i.e. unable to ping
> > AD, etc. Here "wbinfo -t" exits with a failure.
> > 4. Then bring back the connection to AD. "wbinfo -t" still exits with
> > a failure even when the AD server is online.
> > 5. Only option left is to rejoin the machine to a domain.
> >
> > Can you help us fix this? I tried too many things and am running out
> > of ideas. Would appreciate any kind of pointers. Thanks
> >
> > SAMBA version: Version 4.2.3
> > SAMBA server OS: Centos 7
> > SELINUX: disabled
> >
> > Below is my smb.conf file.
> > --------------------------------------------
> > [global]
> > security = user
> > interfaces = em1 lo
> > bind interfaces only = yes
> > kerberos method = secrets and keytab
> > workgroup = XXX
> > netbios name = inmusbackup01
> > server string = FILE SERVER
> > realm = XXX.XXX.COM
> >
> > #Winbindd configuration
> > winbind separator = +
> > winbind uid = 10000-20000
> > winbind gid = 10000-20000
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > template homedir = /home/%U
> > template shell = /bin/bash
> > winbind refresh tickets = yes
> >
> > #Setting Security level
> > security = ads
> > encrypt passwords = yes
> >
> > host msdfs = no
> > #This shows the user his home directory in File Server. Every logged-in
> > user sees his own home directory
> > idmap uid = 16777216-33554431
> > idmap gid = 16777216-33554431
> > server services = winbindd
> >
> > log file = /var/log/samba/samba.log
> > log level = 3
> > max log size = 500
> > load printers = no
> > cups options = raw
> > disable spoolss = yes
> > printcap name = /dev/null
> > --------------------------------------------
> >
> >
> > wbinfo -t output
> > ---
> > checking the trust secret for domain EIGI via RPC calls failed
> > error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
> > failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> > Could not check secret
> > ---
>
> Can I suggest you go and read 'man smb.conf' as a starting point?
> For instance 'winbind uid' is a synonym for 'idmap uid' and that 'idmap
> uid' is deprecated in favour of 'idmap config'. Also 'server services'
> is only meant to be on a DC.
>
> Or to put it another way, your smb.conf isn't anywhere near right ;-)
>
> Rowland
>
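As an added example (not from this thread and not a Samba tool), the following POSIX shell function lints the [global] section of an smb.conf for the problems Rowland names: the deprecated 'idmap uid'/'idmap gid' and their 'winbind uid'/'winbind gid' synonyms, 'server services' on a member server, and a parameter set twice (the first config has 'security = user' and later 'security = ads'; Samba applies the last value it reads). The sample config embedded below is constructed from the first smb.conf in the thread.

```shell
#!/bin/sh
# lint_smb_conf FILE: print one finding per line for the [global] section,
# return 0 when clean and 1 when anything was found.
lint_smb_conf() {
    findings=$(awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # skip comments/blank lines
        /^[ \t]*\[/ { sec = tolower($0); gsub(/\[|\]|[ \t]/, "", sec); next }
        sec != "global" { next }                       # only lint [global]
        {
            n = index($0, "=")
            if (n == 0) next
            key = tolower(substr($0, 1, n - 1))
            gsub(/[ \t]+/, "", key)                    # "winbind uid" -> "winbinduid"
            count[key]++
            if (count[key] == 2)
                print "duplicate parameter: " key " (the later value wins)"
            if (key ~ /^(idmapuid|idmapgid|winbinduid|winbindgid)$/)
                print "deprecated: " key " (use idmap config DOMAIN : range)"
            if (key == "serverservices")
                print "server services is only meant for a DC"
        }' "$1")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample: the relevant lines of the first smb.conf from the thread.
conf=$(mktemp)
cat > "$conf" <<'EOF'
[global]
security = user
winbind uid = 10000-20000
winbind gid = 10000-20000
#Setting Security level
security = ads
idmap uid = 16777216-33554431
server services = winbindd
EOF
lint_smb_conf "$conf" || :
rm -f "$conf"
```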

