samba - Oct 2016 - NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC

My apologies for the same. I shamelessly borrowed these settings from
existing working setup after mine was not working.

Changed smb.conf file.  But result is the same.
wbinfo -u and wbinfo -g works and gives me users but wbinfo -t doesnt.

[global]
workgroup = xxxx
netbios name = inmusbackup01
server string = FILE SERVER
realm = xxx.xxx.COM

#Winbindd configuration
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
winbind refresh tickets = yes

#Setting Security level
security = ads
kerberos method = secrets and keytab
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config xxxx : backend  = ad
idmap config xxxx : range = 10000-999999

log file = /var/log/samba/samba.log
log level = 3
max log size = 500
load printers = no

On Wed, Oct 12, 2016 at 10:23 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Wed, 12 Oct 2016 21:38:23 +0530
> shridhar shetty via samba <samba at lists.samba.org> wrote:
>
> > Hi Team,
> >
> > I am facing problem with the trust relation which tends to break when
> > there is temporary network connection break between a AD and samba
> > server.
> >
> > Steps for reproducing the issue
> > 1. Join a machine to a domain with AD server: xxx.xxx.com
> > 2. Check the output of "wbinfo -t". Exits with a success.
> > 3. Now remove connection to AD server xxx.xxx.com i.e Unable to ping
> > AD etc. Here "wbinfo -t" exits with a failure.
> > 4. Then Bring back the connection to AD. "wbinfo -t" still
exits with
> > a failure even when the AD server in online.
> > 5. Only option left is to rejoin the machine to a domain.
> >
> > Can you help us fix this. I tried too many things and am running out
> > of ideas. Would appreciate any kind of pointers. Thanks
> >
> > SAMBA version: Version 4.2.3
> > SAMBA server OS: Centos 7
> > SELINUX: disabled
> >
> > Below is my smb.conf file.
> > --------------------------------------------
> > [global]
> > security = user
> > interfaces = em1 lo
> > bind interfaces only = yes
> > kerberos method = secrets and keytab
> > workgroup = XXX
> > netbios name = inmusbackup01
> > server string = FILE SERVER
> > realm = XXX.XXX.COM
> >
> > #Winbindd configuration
> > winbind separator = +
> > winbind uid = 10000-20000
> > winbind gid = 10000-20000
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > template homedir = /home/%U
> > template shell = /bin/bash
> > winbind refresh tickets = yes
> >
> > #Setting Security level
> > security = ads
> > encrypt passwords = yes
> >
> > host msdfs = no
> > #This shows the user his home directory in File Server. Every logged
> > in user see his own home directory
> > idmap uid = 16777216-33554431
> > idmap gid = 16777216-33554431
> > server services = winbindd
> >
> > log file = /var/log/samba/samba.log
> > log level = 3
> > max log size = 500
> > load printers = no
> > cups options = raw
> > disable spoolss = yes
> > printcap name = /dev/null
> > --------------------------------------------
> >
> >
> > wbinfo -t output
> > ---
> > checking the trust secret for domain EIGI via RPC calls failed
> > error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
> > failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> > Could not check secret
> > ---
>
> Can I suggest you go and read 'man smb.conf' as a starting point ?
> For instance 'winbind uid' is a synonym for 'idmap uid' and
that 'idmap
> uid' is deprecated in favour of 'idmap config'. Also
'server services'
> is only meant to be on a DC.
>
> Or to put it another way, your smb.conf isn't anywhere near right ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On Thu, 13 Oct 2016 02:26:08 +0530
shridhar shetty <shridhar.sanjeeva at gmail.com> wrote:
> My apologies for the same. I shamelessly borrowed these settings from
> existing working setup after mine was not working.
> 
> Changed smb.conf file.  But result is the same.
> wbinfo -u and wbinfo -g works and gives me users but wbinfo -t doesnt.
> 
> [global]
> workgroup = xxxx
> netbios name = inmusbackup01
> server string = FILE SERVER
> realm = xxx.xxx.COM
> 
> #Winbindd configuration
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> template homedir = /home/%U
> template shell = /bin/bash
> winbind refresh tickets = yes
> 
> #Setting Security level
> security = ads
> kerberos method = secrets and keytab
> encrypt passwords = yes
> 
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config xxxx : backend  = ad
> idmap config xxxx : range = 10000-999999
> 
Just a couple of questions, have you given your users a uidNumber
attribute containing a unique number inside 10000-999999 and Domain
Users a gidNumber inside the same range ?

Are you running the 'wbinfo -t' command as root ?

Rowland

Thanks Rowland,

I have been using "idmap config xxxx : backend  = rid" instead of
"ad". So
i understand that nothing is to be set from the windows AD side.

and i am running wbinfo -t as root user.

Few observations.
* I have multiple Active directory DCs. And in the site where the machine
is located, we have 2 ReadOnly DCs.
* On capturing network packets, I observed that the requests are being sent
to Readonly DCs. Should that be a problem?

Thanks
Shridhar


On Thu, Oct 13, 2016 at 12:44 PM, Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Thu, 13 Oct 2016 02:26:08 +0530
> shridhar shetty <shridhar.sanjeeva at gmail.com> wrote:
>
> > My apologies for the same. I shamelessly borrowed these settings from
> > existing working setup after mine was not working.
> >
> > Changed smb.conf file.  But result is the same.
> > wbinfo -u and wbinfo -g works and gives me users but wbinfo -t doesnt.
> >
> > [global]
> > workgroup = xxxx
> > netbios name = inmusbackup01
> > server string = FILE SERVER
> > realm = xxx.xxx.COM
> >
> > #Winbindd configuration
> > winbind separator = +
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > template homedir = /home/%U
> > template shell = /bin/bash
> > winbind refresh tickets = yes
> >
> > #Setting Security level
> > security = ads
> > kerberos method = secrets and keytab
> > encrypt passwords = yes
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config xxxx : backend  = ad
> > idmap config xxxx : range = 10000-999999
> >
>
> Just a couple of questions, have you given your users a uidNumber
> attribute containing a unique number inside 10000-999999 and Domain
> Users a gidNumber inside the same range ?
>
> Are you running the 'wbinfo -t' command as root ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>