Kathy
2011-Mar-24 03:05 UTC
[Samba] Need urgent help. trust relationship problem during authentication
We have an urgent problem that we've been spending hours on to no avail. We have a RHEL 5.2 server that is running Samba 3.2.8 and was set up for domain authentication against our PDC. It was running fine until I decided to try and change it to "ads" authentication. I then realized that we needed to keep it on "domain" because of the version of Clearcase we have on the machine, so I went to change it back and ever since then, users can't authenticate. Our PDC is running Microsoft 2008 R2.

The way I have changed back and forth is this:

1. Shut down Samba
2. Remove the Samba server (Flint) from the domain by going onto the DC and removing it.
3. Run: kinit Administrator@OURDOMAIN.COM
4. Run: net rpc join -U Administrator
5. Start Samba again

Whenever I do that, it appears to join the domain okay, but if you try to connect to the Samba server via \\flint you get the following pop-up from a Windows XP box:

    The trust relationship between this workstation and the primary domain failed.

In the client logs we see:

    check_ntlm_password: Authentication for user [banshee] -> [banshee] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

I have tried this:

    net rpc changetrustpw

Did not help.

It looks like it joined the domain okay, but for some reason authentication is not happening.

    [root@flint samba]# net rpc testjoin
    Join to 'OURDOMAIN' is OK

Below are some outputs from testparm and what our krb.conf file looks like. If anyone has any ideas, please let me know. This is causing an entire group to be down while this isn't working.

Thanks!
Kathy

    [root@flint samba]# testparm -s
    Load smb config files from /etc/samba/smb.conf
    Loaded services file OK.
    Server role: ROLE_DOMAIN_MEMBER
    [global]
        workgroup = OURDOMAIN
        realm = OURDOMAIN.COM
        server string = Flint Samba Server
        security = DOMAIN
        password server = togiak.ourdomain.com
        username map = /etc/samba/username.map
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 100000
        deadtime = 15
        dns proxy = No
        kernel oplocks = No
        lock directory = /var/log/samba/locks
        host msdfs = No
        invalid users = @root, @wheel, @bin, @sys, @admin
        create mask = 0775
        directory mask = 0775
        case sensitive = No
        map archive = No
        oplocks = No
        level2 oplocks = No
        dont descend = /proc,/dev
        fake directory create times = Yes

/etc/krb5.conf looks like this:

    [root@flint samba]# more /etc/krb5.conf
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm= OURDOMAIN.COM
     dns_lookup_realm = true
     dns_lookup_kdc = true

    [realms]
     OURDOMAIN.COM= {
      kdc= togiak.ourdomain.com
      admin_server= togiak.ourdomain.com
      default_domain= ourdomain.com
     }

    [domain_realm]
     .togiak.ourdomain.com = OURDOMAIN.COM
     ourdomain.com = OURDOMAIN.COM