xfwangbest
2013-Sep-05 19:13 UTC
[Samba] Fail to login from trusted AD: NT_STATUS_TRUSTED_DOMAIN_FAILURE
Hello,

I have two MS AD 2008, let's say AD1 and AD2. They have a bi-directional trust relationship. I have two Linux servers joined into AD2, let's say LNX1 and LNX2. On LNX1, it can authenticate any users from both AD1 and AD2. However, on LNX2, it can only authenticate users in AD2 but fails against AD1. It reports NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c).

I'm sure the smb.conf has the same settings on LNX1 and LNX2. I set the log level = 3 but found nothing helpful in the log. I attach the conf and error as follows; hope somebody can give me some tips.

Thanks,
Leo

The core section in smb.conf:

    [global]
    workgroup = AD1
    realm = AD1.LOCAL
    security = ads
    idmap config * : range = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = false
    winbind offline logon = false
    winbind enum users = yes
    winbind enum groups = yes

The error:

    [root@dal05lnx02 samba]# wbinfo -a "AD1\username"%password
    plaintext password authentication failed
    Could not authenticate user AD1\username"%password with plaintext password
    challenge/response password authentication failed
    error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c)
    error message was: Trusted domain failure
    Could not authenticate user AD1\username with challenge/response

    [root@dal05lnx02 samba]# wbinfo -a "AD2\username"%password
    plaintext password authentication succeeded
    challenge/response password authentication succeeded

    [root@dal05lnx02 samba]# wbinfo -a "AD1\username"%password
    plaintext password authentication succeeded
    challenge/response password authentication succeeded

    [root@dal05lnx02 samba]# wbinfo -a "AD2\username"%password
    plaintext password authentication succeeded
    challenge/response password authentication succeeded
xfwangbest
2013-Sep-09 04:27 UTC
[Samba] Re: Fail to login from trusted AD: NT_STATUS_TRUSTED_DOMAIN_FAILURE
Can someone kindly have a look? kinit works well both for AD1 and AD2 but winbind -a still failed.

    [root@dal05lnx02 ~]$ kinit xfwang@AD2.LOCAL
    Password for xfwang@AD2.LOCAL:
    [root@dal05lnx02 ~]$
    [root@dal05lnx02 ~]$ kinit xfwang@AD2.LOCAL
    Password for xfwang@AD2.LOCAL:
    [root@dal05lnx02 ~]$

From: xfwangbest
Sent: 2013-09-06 03:13
To: samba
Subject: Fail to login from trusted AD: NT_STATUS_TRUSTED_DOMAIN_FAILURE

Hello,

I have two MS AD 2008, let's say AD1 and AD2. They have a bi-directional trust relationship. I have two Linux servers joined into AD2, let's say LNX1 and LNX2. On LNX1, it can authenticate any users from both AD1 and AD2. However, on LNX2, it can only authenticate users in AD2 but fails against AD1. It reports NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c).

I'm sure the smb.conf has the same settings on LNX1 and LNX2. I set the log level = 3 but found nothing helpful in the log. I attach the conf and error as follows; hope somebody can give me some tips.

Thanks,
Leo

The core section in smb.conf:

    [global]
    workgroup = AD1
    realm = AD1.LOCAL
    security = ads
    idmap config * : range = 16777216-33554431
    template shell = /bin/bash
    winbind use default domain = false
    winbind offline logon = false
    winbind enum users = yes
    winbind enum groups = yes

The error:

    [root@dal05lnx02 samba]# wbinfo -a "AD1\username"%password
    plaintext password authentication failed
    Could not authenticate user AD1\username"%password with plaintext password
    challenge/response password authentication failed
    error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c)
    error message was: Trusted domain failure
    Could not authenticate user AD1\username with challenge/response

    [root@dal05lnx02 samba]# wbinfo -a "AD2\username"%password
    plaintext password authentication succeeded
    challenge/response password authentication succeeded

    [root@dal05lnx01 samba]# wbinfo -a "AD1\username"%password
    plaintext password authentication succeeded
    challenge/response password authentication succeeded

    [root@dal05lnx01 samba]# wbinfo -a "AD2\username"%password
    plaintext password authentication succeeded
    challenge/response password authentication succeeded