The cause of the problem could be Kerberos clock skew ("Kerberos server time vs. the machines' time").
On Thu, May 28, 2009 at 11:12 AM, Masopust, Christian <christian.masopust at siemens.com> wrote:
> Dear all,
>
> I've a real strange problem with one of my Samba-servers. Most of the time a lot of users get the message
> about "trust relationship failure" when trying to access the share on this server. Below you find part of a log
> where the user can access the share and a few seconds later it's no longer possible. "net ads testjoin" shows
> that join of the samba-server is still valid, removing and rejoining the server from AD didn't help.
>
> Some additional information:
> - samba-server and users facing this problem are located on a remote site (with its own DC)
> - access to another samba-server at the remote site for users facing the problem works at any time!
> - access to the share on the samba-server having the problems from my site (different DC) works at any time!
>
>
> [2009/05/28 10:49:57,  1, pid=31019, effective(0, 0), real(0, 0)] smbd/sesssetup.c:reply_spnego_kerberos(474)
>   Username WW300\SK16963C$ is invalid on this system
> [2009/05/28 10:49:57,  1, pid=31019, effective(0, 0), real(0, 0)] smbd/session.c:session_claim(112)
>   Re-using invalid record
> [2009/05/28 10:49:57,  1, pid=31019, effective(51043, 2700), real(0, 0)] smbd/service.c:make_connection_snum(1111)
>   sk16963c (::ffff:163.242.60.65) connect to service views_copl initially as user sk1u04w8 (uid=51043, gid=2700) (pid 31019)
> [2009/05/28 10:50:06,  1, pid=31019, effective(0, 0), real(0, 0)] smbd/service.c:close_cnum(1323)
>   sk16963c (::ffff:163.242.60.65) closed connection to service views_copl
> [2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
>   cli_rpc_pipe_open_schannel: failed to get schannel session key from server SKZAAM100A.WW300.SIEMENS.NET for domain WW300.
> [2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
>   connect_to_domain_password_server: unable to open the domain client session to machine SKZAAM100A.WW300.SIEMENS.NET. Error was : NT_STATUS_ACCESS_DENIED.
> [2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
>   cli_rpc_pipe_open_schannel: failed to get schannel session key from server SKZAAM100A.WW300.SIEMENS.NET for domain WW300.
> [2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
>   connect_to_domain_password_server: unable to open the domain client session to machine SKZAAM100A.WW300.SIEMENS.NET. Error was : NT_STATUS_ACCESS_DENIED.
>
> any idea what can cause this problem?
>
> thanks a lot,
> christian
>
> p.s.: here's the global-section of my smb.conf
>
> # Global parameters
> [global]
>        workgroup = WW300
>        netbios name = SK16822C
>        server string = Samba %v CC-View-Server
>        security = ADS
>        realm = WW300.SIEMENS.NET
>        password server = *
>        client use spnego = yes
>        username map = /etc/samba/smbusers
>        smb ports = 139
>        log file = /var/log/samba/log.%m
>        debug pid = Yes
>        debug uid = Yes
>        name resolve order = host wins bcast
>        deadtime = 15
>        machine password timeout = 0
>        os level = 0
>        preferred master = No
>        local master = No
>        domain master = No
>        browse list = No
>        dns proxy = No
>        wins support = No
>        wins server = <ip-of wins-server>
>        ldap ssl = no
>        eventlog list = Security, Application, Syslog, Apache
>        utmp = Yes
>        idmap uid = 200000-230000
>        idmap gid = 50000-60000
>        template homedir = /home/%U
>        template shell = /bin/bash
>        winbind enum users = Yes
>        winbind enum groups = Yes
>        winbind use default domain = Yes
>        hide dot files = No
>        dos filetime resolution = Yes
>        fake directory create times = Yes
>        host msdfs = no
>        msdfs root = no
>        load printers = no
>        printing = bsd
>        browsable = no
>        restrict anonymous = 2
>        null passwords = no
>        guest account = nobody
>        kernel oplocks = No
>        oplocks =No
>        level2 oplocks = No
>
> ___________________________________________________________
>
>        Christian Masopust
>
>        SIEMENS AG  SIS SDE SVI CON IPB
>        Tel:   +43 (0) 5 1707 26866
>        E-mail: christian.masopust at siemens.com
>        Addr: Austria, 1210 Vienna, Siemensstraße 90-92, B. 33, Rm. 243
>
>        Leader of the RUGA <http://www.rational-ug.org/groups.php?groupid=119>
>
>        Firma: Siemens Aktiengesellschaft Österreich, Rechtsform: Aktiengesellschaft,
>        Sitz: Wien, Firmenbuchnummer: FN 60562 m,
>        Firmenbuchgericht: Handelsgericht Wien, DVR 0001708
>        ___________________________________________________________
>
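For triaging a log like the one quoted above, this added example (not part of the original thread) parses smbd records in the `debug pid`/`debug uid` header format and counts level-0 secure-channel failures per domain controller and NT status, which shows whether one DC is the one rejecting the machine account. The names `parse_records`, `secure_channel_failures` and `SAMPLE` are hypothetical; the sample records are taken from the quoted log and rewrapped.

```python
import re
from collections import Counter

# Record header as written by smbd with "debug pid" and "debug uid" enabled.
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:]+),\s*(?P<level>\d+), pid=(?P<pid>\d+),.*?\]"
    r"\s*(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$")
SERVER = re.compile(r"(?:from server|to machine) (?P<dc>[\w.-]+?)\.?(?:\s|$)")
STATUS = re.compile(r"NT_STATUS_\w+")
SCHANNEL_FUNCS = {"cli_rpc_pipe_open_schannel", "connect_to_domain_password_server"}

# Sample records from the quoted log, rewrapped to header line + message line.
SAMPLE = """\
[2009/05/28 10:49:57,  1, pid=31019, effective(0, 0), real(0, 0)] smbd/sesssetup.c:reply_spnego_kerberos(474)
  Username WW300\\SK16963C$ is invalid on this system
[2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server SKZAAM100A.WW300.SIEMENS.NET for domain WW300.
[2009/05/28 10:50:07,  0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
  connect_to_domain_password_server: unable to open the domain client session to machine SKZAAM100A.WW300.SIEMENS.NET. Error was : NT_STATUS_ACCESS_DENIED.
"""

def parse_records(text):
    """Yield one dict per log record: header fields plus the joined message body."""
    rec = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            if rec:
                yield rec
            rec = dict(m.groupdict(), msg="")
        elif rec is not None and line:
            rec["msg"] = (rec["msg"] + " " + line).strip()
    if rec:
        yield rec

def secure_channel_failures(text):
    """Count level-0 secure-channel errors per (DC name, NT status or '-')."""
    counts = Counter()
    for rec in parse_records(text):
        if rec["level"] == "0" and rec["func"] in SCHANNEL_FUNCS:
            dc = SERVER.search(rec["msg"])
            st = STATUS.search(rec["msg"])
            counts[(dc.group("dc") if dc else "?", st.group(0) if st else "-")] += 1
    return counts

if __name__ == "__main__":
    for (dc, status), n in secure_channel_failures(SAMPLE).items():
        print(f"{n:3d}  {dc}  {status}")
```

With `password server = *` the DC is chosen automatically, so running this over the full `log.%m` files shows whether the failures cluster on a single DC.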