samba - Sep 2013 - Fail to login from trusted AD: NT_STATUS_TRUSTED_DOMAIN_FAILURE

Hello

I have two MS AD 2008 let's say AD1 and AD2. They have bi-direction trusted
relationship.  I have two linux servers joined into AD2, let's say LNX1 and
LNX2.
On LNX1, it can authenticate any users both from AD1 or AD2. Howerver, on LNX2,
it can only authenticate users in AD2 but failed against AD1. It reports
NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c).
I'm sure the smb.conf have the same settings on LNX1 and LNX2. I set the log
level = 3 but find nothing helpful in the log.

I attach the conf and error as following, hope somebody can give me some tips.
Thanks

Leo


The core section in smb.conf?
[global]
   workgroup = AD1
   realm = AD1.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = false
   winbind offline logon = false
   winbind enum users = yes
   winbind enum groups = yes

The error:
[root at dal05lnx02 samba]# wbinfo -a "AD1\username"%password
plaintext password authentication failed
Could not authenticate user AD1\username"%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c)
error message was: Trusted domain failure
Could not authenticate user AD1\username with challenge/response
[root at dal05lnx02 samba]# wbinfo -a "AD2\username"%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

[root at dal05lnx02 samba]# wbinfo -a "AD1\username"%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root at dal05lnx02 samba]# wbinfo -a "AD2\username"%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

Can someone kindly have a look?

kinit works well both for AD1 and AD2 but winbind -a still failed.

[root at dal05lnx02 ~]$ kinit xfwang at AD2.LOCAL
Password for xfwang at AD2.LOCAL:
[root at dal05lnx02 ~]$

[root at dal05lnx02 ~]$ kinit xfwang at AD2.LOCAL
Password for xfwang at AD2.LOCAL:
[root at dal05lnx02 ~]$


???? xfwangbest
????? 2013-09-06 03:13
???? samba
??? Fail to login from trusted AD: NT_STATUS_TRUSTED_DOMAIN_FAILURE

Hello

I have two MS AD 2008 let's say AD1 and AD2. They have bi-direction trusted
relationship.  I have two linux servers joined into AD2, let's say LNX1 and
LNX2.
On LNX1, it can authenticate any users both from AD1 or AD2. Howerver, on LNX2,
it can only authenticate users in AD2 but failed against AD1. It reports
NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c).
I'm sure the smb.conf have the same settings on LNX1 and LNX2. I set the log
level = 3 but find nothing helpful in the log.

I attach the conf and error as following, hope somebody can give me some tips.
Thanks

Leo


The core section in smb.conf?
[global]
   workgroup = AD1
   realm = AD1.LOCAL
   security = ads
   idmap config * : range = 16777216-33554431
   template shell = /bin/bash
   winbind use default domain = false
   winbind offline logon = false
   winbind enum users = yes
   winbind enum groups = yes

The error:
[root at dal05lnx02 samba]# wbinfo -a "AD1\username"%password
plaintext password authentication failed
Could not authenticate user AD1\username"%password with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c)
error message was: Trusted domain failure
Could not authenticate user AD1\username with challenge/response
[root at dal05lnx02 samba]# wbinfo -a "AD2\username"%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

[root at dal05lnx01 samba]# wbinfo -a "AD1\username"%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
[root at dal05lnx01 samba]# wbinfo -a "AD2\username"%password
plaintext password authentication succeeded
challenge/response password authentication succeeded