shridhar shetty
2016-Oct-12 16:08 UTC
[Samba] NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC
Hi Team, I am facing problem with the trust relation which tends to break when there is temporary network connection break between a AD and samba server. Steps for reproducing the issue 1. Join a machine to a domain with AD server: xxx.xxx.com 2. Check the output of "wbinfo -t". Exits with a success. 3. Now remove connection to AD server xxx.xxx.com i.e Unable to ping AD etc. Here "wbinfo -t" exits with a failure. 4. Then Bring back the connection to AD. "wbinfo -t" still exits with a failure even when the AD server in online. 5. Only option left is to rejoin the machine to a domain. Can you help us fix this. I tried too many things and am running out of ideas. Would appreciate any kind of pointers. Thanks SAMBA version: Version 4.2.3 SAMBA server OS: Centos 7 SELINUX: disabled Below is my smb.conf file. -------------------------------------------- [global] security = user interfaces = em1 lo bind interfaces only = yes kerberos method = secrets and keytab workgroup = XXX netbios name = inmusbackup01 server string = FILE SERVER realm = XXX.XXX.COM #Winbindd configuration winbind separator = + winbind uid = 10000-20000 winbind gid = 10000-20000 winbind enum users = yes winbind enum groups = yes winbind use default domain = yes template homedir = /home/%U template shell = /bin/bash winbind refresh tickets = yes #Setting Security level security = ads encrypt passwords = yes host msdfs = no #This shows the user his home directory in File Server. Every logged in user see his own home directory idmap uid = 16777216-33554431 idmap gid = 16777216-33554431 server services = winbindd log file = /var/log/samba/samba.log log level = 3 max log size = 500 load printers = no cups options = raw disable spoolss = yes printcap name = /dev/null -------------------------------------------- wbinfo -t output --- checking the trust secret for domain EIGI via RPC calls failed error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b) failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR Could not check secret ---
Rowland Penny
2016-Oct-12 16:53 UTC
[Samba] NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC
On Wed, 12 Oct 2016 21:38:23 +0530 shridhar shetty via samba <samba at lists.samba.org> wrote:> Hi Team, > > I am facing problem with the trust relation which tends to break when > there is temporary network connection break between a AD and samba > server. > > Steps for reproducing the issue > 1. Join a machine to a domain with AD server: xxx.xxx.com > 2. Check the output of "wbinfo -t". Exits with a success. > 3. Now remove connection to AD server xxx.xxx.com i.e Unable to ping > AD etc. Here "wbinfo -t" exits with a failure. > 4. Then Bring back the connection to AD. "wbinfo -t" still exits with > a failure even when the AD server in online. > 5. Only option left is to rejoin the machine to a domain. > > Can you help us fix this. I tried too many things and am running out > of ideas. Would appreciate any kind of pointers. Thanks > > SAMBA version: Version 4.2.3 > SAMBA server OS: Centos 7 > SELINUX: disabled > > Below is my smb.conf file. > -------------------------------------------- > [global] > security = user > interfaces = em1 lo > bind interfaces only = yes > kerberos method = secrets and keytab > workgroup = XXX > netbios name = inmusbackup01 > server string = FILE SERVER > realm = XXX.XXX.COM > > #Winbindd configuration > winbind separator = + > winbind uid = 10000-20000 > winbind gid = 10000-20000 > winbind enum users = yes > winbind enum groups = yes > winbind use default domain = yes > template homedir = /home/%U > template shell = /bin/bash > winbind refresh tickets = yes > > #Setting Security level > security = ads > encrypt passwords = yes > > host msdfs = no > #This shows the user his home directory in File Server. Every logged > in user see his own home directory > idmap uid = 16777216-33554431 > idmap gid = 16777216-33554431 > server services = winbindd > > log file = /var/log/samba/samba.log > log level = 3 > max log size = 500 > load printers = no > cups options = raw > disable spoolss = yes > printcap name = /dev/null > -------------------------------------------- > > > wbinfo -t output > --- > checking the trust secret for domain EIGI via RPC calls failed > error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b) > failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR > Could not check secret > ---Can I suggest you go and read 'man smb.conf' as a starting point ? For instance 'winbind uid' is a synonym for 'idmap uid' and that 'idmap uid' is deprecated in favour of 'idmap config'. Also 'server services' is only meant to be on a DC. Or to put it another way, your smb.conf isn't anywhere near right ;-) Rowland
shridhar shetty
2016-Oct-12 20:56 UTC
[Samba] NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC
My apologies for the same. I shamelessly borrowed these settings from existing working setup after mine was not working. Changed smb.conf file. But result is the same. wbinfo -u and wbinfo -g works and gives me users but wbinfo -t doesnt. [global] workgroup = xxxx netbios name = inmusbackup01 server string = FILE SERVER realm = xxx.xxx.COM #Winbindd configuration winbind separator = + winbind enum users = yes winbind enum groups = yes winbind use default domain = yes template homedir = /home/%U template shell = /bin/bash winbind refresh tickets = yes #Setting Security level security = ads kerberos method = secrets and keytab encrypt passwords = yes idmap config *:backend = tdb idmap config *:range = 2000-9999 idmap config xxxx : backend = ad idmap config xxxx : range = 10000-999999 log file = /var/log/samba/samba.log log level = 3 max log size = 500 load printers = no On Wed, Oct 12, 2016 at 10:23 PM, Rowland Penny via samba < samba at lists.samba.org> wrote:> On Wed, 12 Oct 2016 21:38:23 +0530 > shridhar shetty via samba <samba at lists.samba.org> wrote: > > > Hi Team, > > > > I am facing problem with the trust relation which tends to break when > > there is temporary network connection break between a AD and samba > > server. > > > > Steps for reproducing the issue > > 1. Join a machine to a domain with AD server: xxx.xxx.com > > 2. Check the output of "wbinfo -t". Exits with a success. > > 3. Now remove connection to AD server xxx.xxx.com i.e Unable to ping > > AD etc. Here "wbinfo -t" exits with a failure. > > 4. Then Bring back the connection to AD. "wbinfo -t" still exits with > > a failure even when the AD server in online. > > 5. Only option left is to rejoin the machine to a domain. > > > > Can you help us fix this. I tried too many things and am running out > > of ideas. Would appreciate any kind of pointers. Thanks > > > > SAMBA version: Version 4.2.3 > > SAMBA server OS: Centos 7 > > SELINUX: disabled > > > > Below is my smb.conf file. > > -------------------------------------------- > > [global] > > security = user > > interfaces = em1 lo > > bind interfaces only = yes > > kerberos method = secrets and keytab > > workgroup = XXX > > netbios name = inmusbackup01 > > server string = FILE SERVER > > realm = XXX.XXX.COM > > > > #Winbindd configuration > > winbind separator = + > > winbind uid = 10000-20000 > > winbind gid = 10000-20000 > > winbind enum users = yes > > winbind enum groups = yes > > winbind use default domain = yes > > template homedir = /home/%U > > template shell = /bin/bash > > winbind refresh tickets = yes > > > > #Setting Security level > > security = ads > > encrypt passwords = yes > > > > host msdfs = no > > #This shows the user his home directory in File Server. Every logged > > in user see his own home directory > > idmap uid = 16777216-33554431 > > idmap gid = 16777216-33554431 > > server services = winbindd > > > > log file = /var/log/samba/samba.log > > log level = 3 > > max log size = 500 > > load printers = no > > cups options = raw > > disable spoolss = yes > > printcap name = /dev/null > > -------------------------------------------- > > > > > > wbinfo -t output > > --- > > checking the trust secret for domain EIGI via RPC calls failed > > error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b) > > failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR > > Could not check secret > > --- > > Can I suggest you go and read 'man smb.conf' as a starting point ? > For instance 'winbind uid' is a synonym for 'idmap uid' and that 'idmap > uid' is deprecated in favour of 'idmap config'. Also 'server services' > is only meant to be on a DC. > > Or to put it another way, your smb.conf isn't anywhere near right ;-) > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Reasonably Related Threads
- NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC
- NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC
- NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC
- NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC
- NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC