[Samba] **[EXTERNAL]**Re: Samba rejecting authentication from Windows machines

Kothe Patrik Patrik.Kothe at nanotronic.ch
Thu Jul 20 14:02:28 UTC 2023


What version of Samba are the DCs running and on what OS ?
        --> They're still running on 4.13.17 and Debian 10 since that's the pre-packed version we started with and didn't dare to upgrade so far.
Was anything updated on any of the machines ? If so, what ?
        --> No. We had our monthly maintenance window but there were no upgrades to the Samba DCs
This could be more fall out from Microsoft's last update
        --> What do you mean by this? I haven't read anything in this direction while searching for the issue.

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Thursday, 20 July 2023 15:42
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: **[EXTERNAL]**Re: [Samba] Samba rejecting authentication from Windows machines



On 20/07/2023 14:28, Kothe Patrik via samba wrote:
> Hi everybody.
>
> First a short overview of our setup:
>
> We have 2 Samba DCs in Domain 1
> We use a Windows 10 Pro VM for the RSAT Tools which we access via RDP
> We have 1 Windows Server 2012 DC for Domain 2
> Between Domain 1 and 2 is a Trust for cross-domain file share access
>
> Since the last reboot of our samba DCs they suddenly started to block login attempts on the RSAT-VM and also the Trust to the other domain is broken.
>
> When trying to log in to the RSAT-VM the primary DC logs this:
>
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: starting transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: client @0x7fc5000c40d0 172.16.2.105#61179: update 'Domain1.tld/IN' denied
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: cancelling transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: starting transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: disallowing update of signer=RSAT-VM\$\@DOMAIN1.TLD name=RSAT-VM.Domain1.tld type=AAAA error=insufficient access rights
> Jul 20 14:32:10 C-103-dc01 named[2076966]: client @0x7fc5000c40d0 172.16.2.105#62717/key RSAT-VM\$\@DOMAIN1.TLD: updating zone 'Domain1.tld/NONE': update failed: rejected by secure update (REFUSED)
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: cancelling transaction on zone Domain1.tld
>
>
> Also, if I run the Trust-test on the Windows DC of Domain 2, I get the following error:
> “The secure channel (SC) verification on Active Directory Domain Controller \\dc01.domain1.tld of domain1.tld to domain domain2.tld failed with error: Access is denied.”
>
> Does anybody have an idea, what we can do about this?

Sorry, but I doubt it, not from the information provided.
What version of Samba are the DCs running and on what OS ?
Was anything updated on any of the machines ? If so, what ?

This could be more fall out from Microsoft's last update.

Rowland



