JL
2014-Jun-12 19:47 UTC
[Samba] access samba share getting NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE error VS. nullSessionPipes
SAMBA as a member server in an AD domain.

Accessing a Samba share from any client (e.g. Windows 7) using an AD domain credential gives the error message below:

[ ----------
C:\tools>net use * \\sbdevsvr213.dev.ib.tor.scotiabank.com\fundmgr * /user:domainName\un
System error 1789 has occurred.
The trust relationship between this workstation and the primary domain failed.
------------- ]

Below is the log:

[ --------------
2014/06/12 11:59:58, 0] auth/auth_domain.c:187(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DCnameHere. Error was : NT_STATUS_ACCESS_DENIED.
[2014/06/12 11:59:58, 0] auth/auth_domain.c:288(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2014/06/12 11:59:58, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [userName] -> [fmrun] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/12 11:59:58, 3] smbd/error.c:60(error_packet_set)
  error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
------------- ]

This can be worked around by adding the values below to nullSessionPipes on the DC:

[ --------
netlogon lsarpc samr browser srvsvc wkssvc
------ ]

Note: one of the above pipes did the trick, not sure which one, likely lsarpc.

The nullSessionPipes value can be found at this place:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters

It can also be set via group policy:

Network access: Named Pipes that can be accessed anonymously

Now my question is: how can we make this work without enabling nullSessionPipes? We want to make the servers more secure by disabling anonymous access to anything.

Thanks!
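
Added example, not part of the original post: a small Python triage script that separates the failure shown in the log above (smbd could not open its own session to the DC and got NT_STATUS_ACCESS_DENIED) from ordinary per-user logon failures. The sample log is constructed from the lines in the post plus one constructed NT_STATUS_WRONG_PASSWORD entry; the function names and the same-timestamp correlation rule are assumptions of this example.

```python
import re

# Constructed sample: first three entries follow the log in the post,
# the last entry is an invented wrong-password failure for contrast.
SAMPLE = """\
[2014/06/12 11:59:58, 0] auth/auth_domain.c:187(connect_to_domain_password_server)
  connect_to_domain_password_server: unable to open the domain client session to machine DCnameHere. Error was : NT_STATUS_ACCESS_DENIED.
[2014/06/12 11:59:58, 0] auth/auth_domain.c:288(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2014/06/12 11:59:58, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [userName] -> [fmrun] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2014/06/12 12:03:10, 2] auth/auth.c:320(check_ntlm_password)
  check_ntlm_password: Authentication for user [otherUser] -> [otherUser] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# Entry header: "[YYYY/MM/DD HH:MM:SS, level] file:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+?):(\d+)\((\w+)\)")
STATUS = re.compile(r"NT_STATUS_[A-Z_]+")

def parse_entries(text):
    """Attach each indented message line to the header line before it."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "func": m.group(5), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] += line.strip() + " "
    return entries

def classify_failures(text):
    """One finding per failed logon, tagged with the DC-session error (if any)
    logged in the same second. Same-second matching is a simplification."""
    findings, dc_error = [], {}
    for e in parse_entries(text):
        status = STATUS.search(e["msg"])
        if e["func"] == "connect_to_domain_password_server" and status:
            dc_error[e["time"]] = status.group(0)
        elif e["func"] == "check_ntlm_password" and "FAILED" in e["msg"] and status:
            user = re.search(r"user \[([^\]]*)\]", e["msg"])
            cause = dc_error.get(e["time"])
            findings.append({"time": e["time"], "status": status.group(0),
                             "user": user.group(1) if user else None,
                             "dc_session_error": cause,
                             "kind": "dc_session" if cause else "user_or_other"})
    return findings

if __name__ == "__main__":
    for f in classify_failures(SAMPLE):
        print(f)
```

A `dc_session` finding means the logon failed before the user's credentials were ever checked, so the thing to investigate is the member server's own connection to the DC rather than the user account.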