[Samba] SAMBA4 - Trusted relationship lost every Weeks

Julien TEHERY julien.tehery at openevents.fr
Mon Jul 17 08:12:24 UTC 2017 

Hello,


We recently put in place a trust relationship between a Win2008 R2 AD 
server (Domain A) and a samba PDC (sernet-samba 3.5.18-28) : DOMAIN B

This works as expected and the bi directional relationship is stable. 
Several services are using this trusted relationship without any problem.


We recently added a fresh new samba4 file server ( Debian 8.7with samba 
4.2.14+dfsg-0+deb8u5) , which is joined to the AD domain (DOMAIN A). 
This server is actually able to serve files for users from both domains 
(A & B), as we can set up ACLs for every domain on it.

The only trouble we encoutner is that every monday morning, it seems 
that this samba4 server looses the approbation from AD server.

Using smbclient we encounter this error:


[SambaServer]:~#wbinfo -a "DOMAIN_B+myuser"
Enter DOMAIN_B+myuser's password:
plaintext password authentication failed
Could not authenticate user DOMAIN_B+myuser with plaintext password
Enter DOMAIN_B+myuser's password:
challenge/response password authentication failed
error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c)
error message was: Trusted domain failure
Could not authenticate user DOMAIN_B+myuser with challenge/response

To make it work again, we have to disjoin/rejoin the server to the AD 
domain, restart winbind and then samba.

Putting debul loglevel on the samb4server itself, we don't see anything 
particular in the logs. The fact is that this happens every monday morning.

Is there anything particular I should know on Win2008 Domain side 
(something regarding the sambaserver machine account?)


FYI, relationship between the 2 domains has been setup with a dedicated 
account which has the "I" flag (InterDomain trust) on DOMAIN B.

My guess is that relationship is fine, but samba4 server on Domain A 
looses periodically is mind for a reason I don't know.


If any of you have an idea or experienced something similar, please let 
me know! :)


-- 
Regards,

Julien Téhéry - Ingénieur Systèmes et Réseaux

More information about the samba mailing list