[Samba] Samba rejecting authentication from Windows machines

Rowland Penny rpenny at samba.org
Thu Jul 20 13:42:23 UTC 2023



On 20/07/2023 14:28, Kothe Patrik via samba wrote:
> Hi everybody.
> 
> First a short overview of our setup:
> 
> We have 2 Samba DCs in Domain 1
> We use a Windows 10 Pro VM for the RSAT Tools which we access via RDP
> We have 1 Windows Server 2012 DC for Domain 2
> Between Domain 1 and 2 is a Trust for cross-domain file share access
> 
> Since the last reboot of our Samba DCs, they suddenly started to block login attempts on the RSAT-VM and also the Trust to the other domain is broken.
> 
> When trying to log in to the RSAT-VM the primary DC logs this:
> 
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: starting transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: client @0x7fc5000c40d0 172.16.2.105#61179: update 'Domain1.tld/IN' denied
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: cancelling transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: starting transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: disallowing update of signer=RSAT-VM\$\@DOMAIN1.TLD name=RSAT-VM.Domain1.tld type=AAAA error=insufficient access rights
> Jul 20 14:32:10 C-103-dc01 named[2076966]: client @0x7fc5000c40d0 172.16.2.105#62717/key RSAT-VM\$\@DOMAIN1.TLD: updating zone 'Domain1.tld/NONE': update failed: rejected by secure update (REFUSED)
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: cancelling transaction on zone Domain1.tld
> 
> 
> Also, if I run the Trust-test on the Windows DC of Domain 2, I get the following error:
> “The secure channel (SC) verification on Active Directory Domain Controller \\dc01.domain1.tld of domain1.tld to domain domain2.tld failed with error: Access is denied.”
> 
> Does anybody have an idea what we can do about this?

Sorry, but I doubt it, not from the information provided.
What version of Samba are the DCs running and on what OS?
Was anything updated on any of the machines? If so, what?

This could be more fallout from Microsoft's last update.

Rowland





