Kent Nasveschuk
2014-Jun-09 15:33 UTC
[Samba] Samba AD member and connections from non-AD systems failing
Hello,

I have a problem where non-AD systems can no longer connect to Samba shares. Samba 3.5.x servers are members in AD, Windows 2008R2. This has worked flawlessly since we initiated it a couple years back. This happened to all 3 Samba servers after AD servers were rebooted. My thoughts are it was a Windows update that wrecked the system. Here is a typical setup:

Winbind not used
Samba version 3.5.10 on CentOS 6.x
Group info comes from LDAP, nss_ldap. id <user name> returns group membership in LDAP. Groups have POSIX attributes.

[global]
workgroup = MBLAD
realm = MBLAD.MBL.EDU
encrypt passwords = Yes
socket options = TCP_NODELAY
security = ADS
password server = <fqdn AD server>
directory mask = 02770
server string = Samba 3.5.10
log file = /var/log/samba/samba.%m
log level = 3
max log size = 50
admin users = @domain_admins
restrict anonymous = 2
time server = Yes
unix extensions = no
logon script =
interfaces = eth0 lo
directory mask = 02770
logon path =
logon drive = L:
logon home =
domain master = no
dns proxy = no
wins support = yes
local master = yes
preferred master = yes
name resolve order = wins bcast dns
os level = 64
printcap name = /etc/printcap
load printers = no
printing = cups
show add printer wizard = no
disable spoolss = yes
kernel oplocks = no
deadtime = 0

typical share:
...
[SOME SHARE]
...
valid users = "@ldap group"
...

Error message in /var/log/samba/samba.<computer name>

[2014/06/09 10:57:01, 0] auth/auth_domain.c:288(domain_client_validate)
domain_client_validate: Domain password server not available.
[2014/06/09 10:57:01, 5] auth/auth.c:274(check_ntlm_password)
check_ntlm_password: winbind authentication for user [KN123456] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:57:01, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [KN123456] -> [KN123456] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:57:01, 5] auth/auth_util.c:2114(free_user_info)
attempting to free (and zero) a user_info structure
[2014/06/09 10:57:01, 10] auth/auth_util.c:2118(free_user_info)
structure was created for KN123456
[2014/06/09 10:57:01, 3] smbd/error.c:60(error_packet_set)
error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:57:01, 5] lib/util.c:632(show_msg)
[2014/06/09 10:57:01, 5] lib/util.c:642(show_msg)

Using nslookup on the AD servers, I can do a forward and reverse lookup of name/address.

net ads info returns good info. I deleted the computer from AD and rejoined the domain, that worked fine but made no difference.

Is there something that might need to be tweaked in AD security policy to get this working? Starting winbind will fix the login issue, but now it is trying to get group info from AD and not nss_ldap, all our group info is in LDAP (used by other systems). Any help would be appreciated.

Kent L. Nasveschuk
Systems Administrator
----------------------------
Marine Biological Laboratory
7 MBL St.
Woods Hole, MA 02543
http://www.mbl.edu
David Bear
2014-Jun-09 22:43 UTC
[Samba] Samba AD member and connections from non-AD systems failing
The last line in the debug says it all -- your samba servers lost their trust account with the AD. Options? Well, I don't know if there is an elegant way to tell AD to 'trust' your samba server again -- but you can always remove them and rejoin them to the domain. That will rebuild the trust.

On Mon, Jun 9, 2014 at 8:33 AM, Kent Nasveschuk <knasveschuk at mbl.edu> wrote:
> Hello,
> I have a problem where non-AD systems can no longer connect to Samba
> shares. Samba 3.5.x servers are members in AD, Windows 2008R2. This has
> worked flawlessly since we initiated it a couple years back. This happened
> to all 3 Samba servers after AD servers were rebooted. My thoughts are it
> was a Windows update that wrecked the system. Here is a typical setup:
>
> Winbind not used
> Samba version 3.5.10 on CentOS 6.x
> Group info comes from LDAP, nss_ldap. id <user name> returns group
> membership in LDAP. Groups have POSIX attributes.
>
> [global]
> workgroup = MBLAD
> realm = MBLAD.MBL.EDU
> encrypt passwords = Yes
> socket options = TCP_NODELAY
> security = ADS
> password server = <fqdn AD server>
> directory mask = 02770
> server string = Samba 3.5.10
> log file = /var/log/samba/samba.%m
> log level = 3
> max log size = 50
> admin users = @domain_admins
> restrict anonymous = 2
> time server = Yes
> unix extensions = no
> logon script
> interfaces = eth0 lo
> directory mask = 02770
> logon path
> logon drive = L:
> logon home
> domain master = no
> dns proxy = no
> wins support = yes
> local master = yes
> preferred master = yes
> name resolve order = wins bcast dns
> os level = 64
> printcap name = /etc/printcap
> load printers = no
> printing = cups
> show add printer wizard = no
> disable spoolss = yes
> kernel oplocks = no
> deadtime = 0
>
> typical share:
> ...
> [SOME SHARE]
> ...
>
> valid users = "@ldap group"
> ...
>
> Error message in /var/log/samba/samba.<computer name>
>
> [2014/06/09 10:57:01, 0] auth/auth_domain.c:288(domain_client_validate)
> domain_client_validate: Domain password server not available.
> [2014/06/09 10:57:01, 5] auth/auth.c:274(check_ntlm_password)
> check_ntlm_password: winbind authentication for user [KN123456] FAILED
> with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> [2014/06/09 10:57:01, 2] auth/auth.c:320(check_ntlm_password)
> check_ntlm_password: Authentication for user [KN123456] -> [KN123456]
> FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> [2014/06/09 10:57:01, 5] auth/auth_util.c:2114(free_user_info)
> attempting to free (and zero) a user_info structure
> [2014/06/09 10:57:01, 10] auth/auth_util.c:2118(free_user_info)
> structure was created for KN123456
> [2014/06/09 10:57:01, 3] smbd/error.c:60(error_packet_set)
> error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX)
> NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
> [2014/06/09 10:57:01, 5] lib/util.c:632(show_msg)
> [2014/06/09 10:57:01, 5] lib/util.c:642(show_msg)
>
> Using nslookup on the AD servers, I can do a forward and reverse lookup of
> name/address
>
> net ads info returns good info. I deleted the computer from AD and
> rejoined the domain, that worked fine but made no difference.
>
> Is there something that might need to be tweaked in AD security policy to
> get this working? Starting winbind will fix the login issue, but now it is
> trying to get group info from AD and not nss_ldap, all our group info is in
> LDAP (used by other systems). Any help would be appreciated.
>
> Kent L. Nasveschuk
> Systems Administrator
>
> ----------------------------
> Marine Biological Laboratory
> 7 MBL St.
> Woods Hole, MA 02543
> http://www.mbl.edu

--
David Bear
mobile: (602) 903-6476
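As an added example that is not part of either message, the following POSIX sh triage separates the two signals in Kent's log excerpt (DC unreachable versus the member's own machine account being rejected, which is what David's reply points at) and checks the live join state with Samba's `net ads testjoin`; the sample log and the second user are constructed.

```shell
#!/bin/sh
# Added example (not part of either message): triage an smbd log for the two
# signals in the excerpt above. "Domain password server not available" means
# smbd could not use a DC; NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE means AD no
# longer accepts this member's machine account ('net ads testjoin' confirms).
export LC_ALL=C
# Constructed sample, modelled on the thread's log (second user JDOE added).
SAMPLE_LOG='[2014/06/09 10:57:01, 0] auth/auth_domain.c:288(domain_client_validate)
domain_client_validate: Domain password server not available.
[2014/06/09 10:57:01, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [KN123456] -> [KN123456] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:57:01, 3] smbd/error.c:60(error_packet_set)
error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:58:14, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [JDOE] -> [JDOE] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/09 10:59:30, 2] auth/auth.c:320(check_ntlm_password)
check_ntlm_password: Authentication for user [KN123456] -> [KN123456] FAILED with error NT_STATUS_WRONG_PASSWORD'

# Read a log on stdin; print "<user> <NT_STATUS> <count>" per distinct pair.
failures_by_user() {
  sed -n 's/.*Authentication for user \[\([^]]*\)\].*FAILED with error \([A-Z_]*\).*/\1 \2/p' \
    | sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# Users whose failures were trust failures (the server's own credentials were
# rejected, not the user's), one per line.
trust_failure_users() {
  failures_by_user | awk '$2 == "NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE" { print $1 }'
}

# Number of "password server not available" records (grep -c prints 0 on none).
dc_unavailable_count() {
  grep -c 'Domain password server not available' || true
}

# Verdict for a log on stdin: TRUST_BROKEN beats DC_UNREACHABLE, because a
# rejected machine account is not fixed by reaching another DC.
diagnose() {
  log=$(cat)
  trust=$(printf '%s\n' "$log" | trust_failure_users | wc -l | tr -d ' ')
  dc=$(printf '%s\n' "$log" | dc_unavailable_count)
  if [ "$trust" -gt 0 ]; then echo TRUST_BROKEN
  elif [ "$dc" -gt 0 ]; then echo DC_UNREACHABLE
  else echo OK
  fi
}

# Live check on the member itself (needs Samba's net tool and its secrets).
check_join() { command -v net >/dev/null 2>&1 && net ads testjoin; }

printf '%s\n' "$SAMPLE_LOG" | diagnose            # -> TRUST_BROKEN
```

On a member where `diagnose` reports TRUST_BROKEN and `check_join` fails, removing and rejoining the computer account is the repair David describes.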