Upgrading domain controllers to Samba 4.4.7 seems to fix the "trust
relationship" with the Windows clients.
But it seems to have broken trust issues with some of the Samba 3.6.25
member servers.

root@member1:~# net rpc testjoin
Connection failed: NT_STATUS_ACCESS_DENIED
Join to domain 'MYDOMAIN' is not valid: NT_STATUS_ACCESS_DENIED
root@member1:~# testparm -v | grep sign
....
Server role: ROLE_DOMAIN_MEMBER
....
client signing = required
client ipc signing = required
server signing = No
root@member1:~#

Updating smb.conf with

client signing = auto
client ipc signing = auto

seems to have partially resolved the issue.

root@member1:~# net rpc testjoin
Join to 'MYDOMAIN' is OK
root@member1:~#

But I was still unable to access shares on the member server windows.
(user authentication seems to fail.)

I reverted my samba DCs back to unpatched 3.6.25 (and restored the
/etc/samba/private and /var/samba/locks directories from the night before.)

On 11/03/16 16:18, Gaiseric Vandal wrote:
> This morning due to a power outage our samba servers crashed. All
> looked OK at reboot (at first) - users who had stayed logged in
> could still access shares.
>
> However users who tried to log back into the network got the "The
> trust relationship between this workstation and the primary domain
> failed" message. Removing a machine from domain and rejoining did not
> help.
>
> Servers are a classic domain, samba 3.6.25 on Solaris 11 with Solaris
> patch idr2408 to install BADLOCK fixes (in order to fix compatibility
> with linux samba 4.x member servers as well as to fix a trust
> issue with a Windows 2008 AD domain.) I had applied this patch
> several weeks ago and restarted samba services but not restarted the
> server. Removing the patch from the domain controllers and
> primary file server seemed to fix the problem.
>
>
> As part of the patch, I also added "server signing = No" to smb.conf
> since the new default seemed to be to enable it.
>
> Guessing some schannel thing ?
>
>
> I didn't see anything definitive in any logs.
>
>
> I may compile samba 4.4.x in case samba 3.x has some other
> compatibility issues I don't know about.
>
> Appreciate any insight or suggestions.
>
> Thanks
>
>
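
An added example (not part of the original post, and not Samba's own code) that models how the member's `client signing` / `client ipc signing` values combine with the DC's `server signing` value. It assumes SMB1 negotiation rules and that the DCs still carry the `server signing = No` line from the quoted message; the function names and the DC dump are constructed for illustration.

```python
import re

OFF = {"no", "false", "0", "off", "disabled"}
AUTO = {"yes", "true", "1", "on", "enabled", "auto", "if_required"}
REQUIRED = {"required", "mandatory", "force", "forced", "enforced"}
PARAM = re.compile(r"\s*((?:client ipc|client|server) signing)\s*=\s*(\S+)\s*$", re.I)

def level(value):
    """Map an smb.conf signing value to off / auto / required."""
    v = value.lower()
    for name, spellings in (("off", OFF), ("auto", AUTO), ("required", REQUIRED)):
        if v in spellings:
            return name
    # "default" depends on Samba version and server role, so it is not guessed here.
    raise ValueError("unrecognised signing value: " + value)

def signing_settings(testparm_output):
    """Pull the three signing parameters out of `testparm -v` text."""
    found = {}
    for line in testparm_output.splitlines():
        m = PARAM.match(line)
        if m:
            found[m.group(1).lower()] = level(m.group(2))
    return found

def negotiate(client, server):
    """SMB1 signing outcome for one client/server pair (assumed rules)."""
    pair = (client, server)
    if "required" in pair and "off" in pair:
        return "fail"          # one side insists, the other refuses
    if "off" in pair:
        return "unsigned"      # nobody insists, one side refuses
    return "signed"            # both sides at least offer signing

def check_member(member_dump, dc_dump):
    """Outcome of member -> DC connections for each client-side parameter."""
    member, dc = signing_settings(member_dump), signing_settings(dc_dump)
    return {name: negotiate(member[name], dc["server signing"])
            for name in ("client signing", "client ipc signing")}

# Member values as shown in the post; the DC dump is constructed from the
# "server signing = No" line the quoted message says was added on the DCs.
MEMBER_BEFORE = "client signing = required\nclient ipc signing = required\nserver signing = No\n"
MEMBER_AFTER = "client signing = auto\nclient ipc signing = auto\nserver signing = No\n"
DC_DUMP = "Server role: ROLE_DOMAIN_PDC\n\tserver signing = No\n"

if __name__ == "__main__":
    print("before:", check_member(MEMBER_BEFORE, DC_DUMP))
    print("after: ", check_member(MEMBER_AFTER, DC_DUMP))
```

An `unsigned` result means the member's sessions to the DC are established without SMB signing, so they carry no integrity protection.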