[Samba] Samba rejecting authentication from Windows machines

Kothe Patrik Patrik.Kothe at nanotronic.ch
Thu Jul 20 13:28:55 UTC 2023


Hi everybody.

First a short overview of our setup:

We have 2 Samba DCs in Domain 1
We use a Windows 10 Pro VM for the RSAT Tools which we access via RDP
We have 1 Windows Server 2012 DC for Domain 2
Between Domain 1 and 2 is a Trust for cross-domain file share access

Since the last reboot of our Samba DCs, they suddenly started to block login attempts on the RSAT-VM, and the Trust to the other domain is also broken.

When trying to log in to the RSAT-VM the primary DC logs this:

Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: starting transaction on zone Domain1.tld
Jul 20 14:32:10 C-103-dc01 named[2076966]: client @0x7fc5000c40d0 172.16.2.105#61179: update 'Domain1.tld/IN' denied
Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: cancelling transaction on zone Domain1.tld
Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: starting transaction on zone Domain1.tld
Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: disallowing update of signer=RSAT-VM\$\@DOMAIN1.TLD name=RSAT-VM.Domain1.tld type=AAAA error=insufficient access rights
Jul 20 14:32:10 C-103-dc01 named[2076966]: client @0x7fc5000c40d0 172.16.2.105#62717/key RSAT-VM\$\@DOMAIN1.TLD: updating zone 'Domain1.tld/NONE': update failed: rejected by secure update (REFUSED)
Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: cancelling transaction on zone Domain1.tld


Also, if I run the Trust-test on the Windows DC of Domain 2, I get the following error:
“The secure channel (SC) verification on Active Directory Domain Controller \\dc01.domain1.tld of domain1.tld to domain domain2.tld failed with error: Access is denied.”

Does anybody have an idea what we can do about this?

Many thanks in advance
Patrik Kothe

