shridhar shetty
2016-Oct-12 20:56 UTC
[Samba] NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC
My apologies for the same. I shamelessly borrowed these settings from an existing working setup after mine was not working.

Changed smb.conf file. But result is the same.
wbinfo -u and wbinfo -g work and give me users but wbinfo -t doesn't.

[global]
workgroup = xxxx
netbios name = inmusbackup01
server string = FILE SERVER
realm = xxx.xxx.COM

#Winbindd configuration
winbind separator = +
winbind enum users = yes
winbind enum groups = yes
winbind use default domain = yes
template homedir = /home/%U
template shell = /bin/bash
winbind refresh tickets = yes

#Setting Security level
security = ads
kerberos method = secrets and keytab
encrypt passwords = yes

idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config xxxx : backend = ad
idmap config xxxx : range = 10000-999999

log file = /var/log/samba/samba.log
log level = 3
max log size = 500
load printers = no

On Wed, Oct 12, 2016 at 10:23 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 12 Oct 2016 21:38:23 +0530
> shridhar shetty via samba <samba at lists.samba.org> wrote:
>
> > Hi Team,
> >
> > I am facing a problem with the trust relation, which tends to break when
> > there is a temporary network connection break between an AD and samba
> > server.
> >
> > Steps for reproducing the issue
> > 1. Join a machine to a domain with AD server: xxx.xxx.com
> > 2. Check the output of "wbinfo -t". Exits with a success.
> > 3. Now remove connection to AD server xxx.xxx.com, i.e. unable to ping
> > AD etc. Here "wbinfo -t" exits with a failure.
> > 4. Then bring back the connection to AD. "wbinfo -t" still exits with
> > a failure even when the AD server is online.
> > 5. Only option left is to rejoin the machine to a domain.
> >
> > Can you help us fix this? I tried too many things and am running out
> > of ideas. Would appreciate any kind of pointers. Thanks
> >
> > SAMBA version: Version 4.2.3
> > SAMBA server OS: Centos 7
> > SELINUX: disabled
> >
> > Below is my smb.conf file.
> > --------------------------------------------
> > [global]
> > security = user
> > interfaces = em1 lo
> > bind interfaces only = yes
> > kerberos method = secrets and keytab
> > workgroup = XXX
> > netbios name = inmusbackup01
> > server string = FILE SERVER
> > realm = XXX.XXX.COM
> >
> > #Winbindd configuration
> > winbind separator = +
> > winbind uid = 10000-20000
> > winbind gid = 10000-20000
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > template homedir = /home/%U
> > template shell = /bin/bash
> > winbind refresh tickets = yes
> >
> > #Setting Security level
> > security = ads
> > encrypt passwords = yes
> >
> > host msdfs = no
> > #This shows the user his home directory in File Server. Every logged
> > in user sees his own home directory
> > idmap uid = 16777216-33554431
> > idmap gid = 16777216-33554431
> > server services = winbindd
> >
> > log file = /var/log/samba/samba.log
> > log level = 3
> > max log size = 500
> > load printers = no
> > cups options = raw
> > disable spoolss = yes
> > printcap name = /dev/null
> > --------------------------------------------
> >
> >
> > wbinfo -t output
> > ---
> > checking the trust secret for domain EIGI via RPC calls failed
> > error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
> > failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> > Could not check secret
> > ---
>
> Can I suggest you go and read 'man smb.conf' as a starting point?
> For instance 'winbind uid' is a synonym for 'idmap uid' and that 'idmap
> uid' is deprecated in favour of 'idmap config'. Also 'server services'
> is only meant to be on a DC.
>
> Or to put it another way, your smb.conf isn't anywhere near right ;-)
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2016-Oct-13 07:14 UTC
[Samba] NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC
On Thu, 13 Oct 2016 02:26:08 +0530 shridhar shetty <shridhar.sanjeeva at gmail.com> wrote:
> My apologies for the same. I shamelessly borrowed these settings from
> an existing working setup after mine was not working.
>
> Changed smb.conf file. But result is the same.
> wbinfo -u and wbinfo -g work and give me users but wbinfo -t doesn't.
>
> [global]
> workgroup = xxxx
> netbios name = inmusbackup01
> server string = FILE SERVER
> realm = xxx.xxx.COM
>
> #Winbindd configuration
> winbind separator = +
> winbind enum users = yes
> winbind enum groups = yes
> winbind use default domain = yes
> template homedir = /home/%U
> template shell = /bin/bash
> winbind refresh tickets = yes
>
> #Setting Security level
> security = ads
> kerberos method = secrets and keytab
> encrypt passwords = yes
>
> idmap config *:backend = tdb
> idmap config *:range = 2000-9999
> idmap config xxxx : backend = ad
> idmap config xxxx : range = 10000-999999
>

Just a couple of questions: have you given your users a uidNumber attribute containing a unique number inside 10000-999999 and Domain Users a gidNumber inside the same range?

Are you running the 'wbinfo -t' command as root?

Rowland
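Rowland's review points in the two replies above (the deprecated 'winbind uid'/'idmap uid' family and 'server services' on a member server in the first, the uidNumber/gidNumber requirement of the ad backend in the second) can be turned into a small configuration check that runs before anyone reaches for 'wbinfo -t'. The script below is an added example, not code from this thread or from the Samba project: it parses the [global] section of the two configurations posted here (trimmed to the parameters that matter, embedded as constructed sample input), reports the problems Rowland names, and additionally flags a duplicated 'security' key and overlapping 'idmap config' ranges. The DEPRECATED set and the wording of the findings are the example's own choices.

```python
import re

# The two [global] sections posted in this thread, trimmed to the parameters
# that matter for the review (constructed sample input, not a full smb.conf).
ORIGINAL_CONF = """\
[global]
security = user
workgroup = XXX
netbios name = inmusbackup01
winbind uid = 10000-20000
winbind gid = 10000-20000
security = ads
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
server services = winbindd
"""

REVISED_CONF = """\
[global]
workgroup = xxxx
netbios name = inmusbackup01
security = ads
kerberos method = secrets and keytab
idmap config *:backend = tdb
idmap config *:range = 2000-9999
idmap config xxxx : backend = ad
idmap config xxxx : range = 10000-999999
"""

# Old idmap parameters (and their winbind synonyms) that are deprecated in
# favour of 'idmap config DOMAIN:...'; this set is the example's own choice.
DEPRECATED = {"winbind uid", "winbind gid", "idmap uid", "idmap gid"}


def parse_global(text):
    """Return the [global] section as an ordered list of (key, value) pairs.
    Keys are lower-cased and whitespace-normalised, so 'idmap config xxxx : range'
    and 'idmap config xxxx:range' compare equal."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
        pairs.append((key, value.strip()))
    return pairs


def parse_range(value):
    """'10000-999999' -> (10000, 999999)"""
    low, high = value.split("-", 1)
    return int(low), int(high)


def lint_global(text, is_dc=False):
    """Return a list of findings for the [global] section of a member server."""
    findings, seen, ranges, backends = [], {}, {}, {}
    for key, value in parse_global(text):
        if key in seen and seen[key] != value:
            findings.append(f"'{key}' set twice ('{seen[key]}' then '{value}'); the last one wins")
        seen[key] = value
        if key in DEPRECATED:
            findings.append(f"'{key}' is deprecated; use 'idmap config DOMAIN:backend' and ':range'")
        if key == "server services" and not is_dc:
            findings.append("'server services' is only meant to be set on a DC")
        m = re.match(r"idmap config ([^:]+):(range|backend)$", key)
        if m and m.group(2) == "range":
            ranges[m.group(1)] = parse_range(value)
        elif m:
            backends[m.group(1)] = value.lower()

    # With security = ads every domain, including the default '*', needs a range
    if seen.get("security") == "ads" and "*" not in ranges:
        findings.append("no 'idmap config *:range' for the default domain")

    # Overlapping ranges make ID allocation ambiguous between domains
    ordered = sorted(ranges.items(), key=lambda kv: kv[1])
    for (d1, (lo1, hi1)), (d2, (lo2, hi2)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            findings.append(f"idmap ranges for '{d1}' ({lo1}-{hi1}) and '{d2}' ({lo2}-{hi2}) overlap")

    # The ad backend reads uidNumber/gidNumber from AD; users without them get no ID
    for domain, backend in backends.items():
        if backend == "ad":
            lo, hi = ranges.get(domain, ("?", "?"))
            findings.append(f"note: '{domain}' uses the ad backend; users need a uidNumber and Domain Users a gidNumber inside {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("revised", REVISED_CONF)):
        print(f"== {name} ==")
        for finding in lint_global(conf):
            print(" -", finding)
```

Run against the first configuration it reports the four deprecated parameters, the doubled 'security' key, 'server services' on a non-DC and the missing default-domain range; against the revised configuration only the ad-backend note remains, which is exactly the question Rowland asks next.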
shridhar shetty
2016-Oct-13 13:29 UTC
[Samba] NT_STATUS_NO_TRUST_SAM_ACCOUNT after temporary connectivity break to AD DC
Thanks Rowland,

I have been using "idmap config xxxx : backend = rid" instead of "ad". So I understand that nothing is to be set from the Windows AD side, and I am running wbinfo -t as the root user.

A few observations.
* I have multiple Active Directory DCs. And in the site where the machine is located, we have 2 ReadOnly DCs.
* On capturing network packets, I observed that the requests are being sent to ReadOnly DCs. Should that be a problem?

Thanks
Shridhar

On Thu, Oct 13, 2016 at 12:44 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Thu, 13 Oct 2016 02:26:08 +0530
> shridhar shetty <shridhar.sanjeeva at gmail.com> wrote:
>
> > My apologies for the same. I shamelessly borrowed these settings from
> > an existing working setup after mine was not working.
> >
> > Changed smb.conf file. But result is the same.
> > wbinfo -u and wbinfo -g work and give me users but wbinfo -t doesn't.
> >
> > [global]
> > workgroup = xxxx
> > netbios name = inmusbackup01
> > server string = FILE SERVER
> > realm = xxx.xxx.COM
> >
> > #Winbindd configuration
> > winbind separator = +
> > winbind enum users = yes
> > winbind enum groups = yes
> > winbind use default domain = yes
> > template homedir = /home/%U
> > template shell = /bin/bash
> > winbind refresh tickets = yes
> >
> > #Setting Security level
> > security = ads
> > kerberos method = secrets and keytab
> > encrypt passwords = yes
> >
> > idmap config *:backend = tdb
> > idmap config *:range = 2000-9999
> > idmap config xxxx : backend = ad
> > idmap config xxxx : range = 10000-999999
> >
>
> Just a couple of questions: have you given your users a uidNumber
> attribute containing a unique number inside 10000-999999 and Domain
> Users a gidNumber inside the same range?
>
> Are you running the 'wbinfo -t' command as root?
>
> Rowland