Julien TEHERY
2017-Aug-13  08:42 UTC
[Samba] SAMBA4 - Trusted relationship lost every Weeks
Hi All,

Answering to myself, this problem still occurs again and again, every week as I mentioned before.
Rejoining the domain each time for samba4 file server is the only workaround.

What could be the origin of this kind of problem?
Any answer would be helpful

Regards

On 17/07/2017 at 10:12, Julien TEHERY wrote:
> Hello,
>
> We recently put in place a trust relationship between a Win2008 R2 AD
> server (Domain A) and a samba PDC (sernet-samba 3.5.18-28) : DOMAIN B
>
> This works as expected and the bi-directional relationship is stable.
> Several services are using this trusted relationship without any problem.
>
> We recently added a fresh new samba4 file server (Debian 8.7 with
> samba 4.2.14+dfsg-0+deb8u5), which is joined to the AD domain (DOMAIN
> A). This server is actually able to serve files for users from both
> domains (A & B), as we can set up ACLs for every domain on it.
>
> The only trouble we encounter is that every Monday morning, it seems
> that this samba4 server loses the approbation from the AD server.
>
> Using smbclient we encounter this error:
>
> [SambaServer]:~#wbinfo -a "DOMAIN_B+myuser"
> Enter DOMAIN_B+myuser's password:
> plaintext password authentication failed
> Could not authenticate user DOMAIN_B+myuser with plaintext password
> Enter DOMAIN_B+myuser's password:
> challenge/response password authentication failed
> error code was NT_STATUS_TRUSTED_DOMAIN_FAILURE (0xc000018c)
> error message was: Trusted domain failure
> Could not authenticate user DOMAIN_B+myuser with challenge/response
>
> To make it work again, we have to disjoin/rejoin the server to the AD
> domain, restart winbind and then samba.
>
> Putting debug log level on the samba4 server itself, we don't see
> anything particular in the logs. The fact is that this happens every
> Monday morning.
>
> Is there anything particular I should know on the Win2008 Domain side
> (something regarding the sambaserver machine account?)
>
> FYI, the relationship between the 2 domains has been set up with a
> dedicated account which has the "I" flag (InterDomain trust) on DOMAIN B.
>
> My guess is that the relationship is fine, but the samba4 server on Domain A
> periodically loses its mind for a reason I don't know.
>
> If any of you have an idea or experienced something similar, please
> let me know! :)
Rowland Penny
2017-Aug-13  08:58 UTC
[Samba] SAMBA4 - Trusted relationship lost every Weeks
On Sun, 13 Aug 2017 10:42:44 +0200
Julien TEHERY via samba <samba at lists.samba.org> wrote:
> Hi All,
>
> Answering to myself, this problem still occurs again and again, every
> week as I mentioned before.
> Rejoining the domain each time for samba4 file server is the only
> workaround.
>
> What could be the origin of this kind of problem?
>

Can you post your smb.conf.

Rowland
Julien TEHERY
2017-Aug-16  07:05 UTC
[Samba] SAMBA4 - Trusted relationship lost every Weeks
Hi,
Here is our smb.conf.
Please note that this server uses nss resolution for DOMAIN_B users and 
idmap_ldap backend to resolve DOMAIN_A users.
The trusted relationship works well for other services between those 
two domains. Only the samba4 fileserver needs to rejoin the DOMAIN_A domain (AD 
2008 server) every week.
#======================= Global Settings =====================================
[global]
        server string = FILESERVER
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        realm = DOMAIN_A
        workgroup = DOMAIN_A
        os level = 80
        bind interfaces only = yes
        interfaces = eth0
        ## Encoding ##
        dos charset = 850
        #display charset = UTF8
        ## Name resolution ##
        dns proxy = no
        wins support = no
        name resolve order = host wins bcast lmhosts
        ## Logs ##
        max log size = 50
        log level = 10
        log file = /var/log/samba/%m.log
        syslog only = no
        syslog = 0
        panic action = /usr/share/samba/panic-action %d
        ## Passwords ##
        security = ADS
        encrypt passwords = true
        unix password sync = no
        passwd program = /usr/bin/passwd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
        invalid users = root
        ## Restrictions ##
        hide special files = no
        hide unreadable = no
        hide dot files = no
        ## Resolve office save problems ##
        oplocks = no
        ## ACL SUPPORT ##
        nt acl support = yes
        acl check permissions = yes
        acl group control = yes
        # WINBIND
        ldap ssl = off
        ldap admin dn = cn=SuperUser,dc=domain_a,dc=com
        ldap suffix = dc=domain_a,dc=xm
        ldap timeout = 90
        ldap connection timeout = 20
        winbind nested groups = yes
        winbind expand groups = yes
        winbind cache time = 5
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = +
        winbind use default domain = no
        allow trusted domains = yes
        # IDMAP MDMAD XM
        #GLOBAL
        idmap config *: backend = tdb
        idmap config *: range = 19000-19999
        #DOMAIN_A
        idmap config DOMAIN_A : backend      = ldap
        idmap config DOMAIN_A : range        = 20000-9999999999
        idmap config DOMAIN_A : ldap_url     = ldap://myldap.domain_a.com
        idmap config DOMAIN_A : ldap_base_dn = ou=Idmap,dc=domain_a,dc=com
        idmap config DOMAIN_A : ldap_user_dn = cn=SuperUser,dc=domain_a,dc=com
        #DOMAIN_B
        # the line as posted read "idmap config DOMAIN_B backend = nss";
        # the colon between the domain name and the option is required
        idmap config DOMAIN_B : backend      = nss
        idmap config DOMAIN_B : range        = 500-19000
        guest account = nobody
        map to guest = Bad User
On 13/08/2017 at 10:58, Rowland Penny via samba wrote:
> On Sun, 13 Aug 2017 10:42:44 +0200
> Julien TEHERY via samba <samba at lists.samba.org> wrote:
>
>> Hi All,
>>
>> Answering to myself, this problem still occurs again and again, every
>> week as I mentioned before.
>> Rejoining the domain each time for samba4 file server is the only
>> workaround.
>>
>> What could be the origin of this kind of problem?
>>
> Can you post your smb.conf.
>
> Rowland
>
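A lint pass over the idmap lines of the smb.conf posted in this thread, added here as an example and not code from the thread or from the Samba project; it uses only the Python standard library, and the sample text is a constructed copy of the posted idmap lines. It flags the `DOMAIN_B backend` line that lacks its colon, the `*` and `DOMAIN_B` ranges both claiming id 19000, and a DOMAIN_A upper bound that does not fit a 32-bit id.

```python
import re

# Constructed sample: the idmap lines from the posted smb.conf, reproduced as
# written, including the "DOMAIN_B backend" line that lacks its colon.
SAMPLE_SMB_CONF = """\
   idmap config *: backend = tdb
   idmap config *: range = 19000-19999
   idmap config DOMAIN_A : backend      = ldap
   idmap config DOMAIN_A : range        = 20000-9999999999
   idmap config DOMAIN_A : ldap_url     = ldap://myldap.domain_a.com
   idmap config DOMAIN_B backend      = nss
   idmap config DOMAIN_B: range = 500-19000
"""
UID_MAX = 2**32 - 1  # largest value a 32-bit uid_t/gid_t can hold
# Well-formed key: "idmap config <DOMAIN> : <option> = <value>"
IDMAP_RE = re.compile(r"^\s*idmap\s+config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.*?)\s*$", re.I)
LOOSE_RE = re.compile(r"^\s*idmap\s+config\s+", re.I)  # idmap-ish but malformed

def parse_idmap(text):
    """Return ({domain: {option: value}}, [problems]) for the idmap lines."""
    domains, problems = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = IDMAP_RE.match(line)
        if m:
            dom, opt, val = m.group(1).upper(), m.group(2).lower(), m.group(3)
            domains.setdefault(dom, {})[opt] = val
        elif LOOSE_RE.match(line):
            problems.append(f"line {lineno}: malformed idmap line (missing ':'?): {line.strip()}")
    return domains, problems

def lint_idmap(text):
    # Every configured domain needs a backend, a sane range, and no overlap.
    domains, problems = parse_idmap(text)
    ranges = []
    for dom, opts in domains.items():
        if "backend" not in opts:
            problems.append(f"{dom}: no backend configured")
        rng = opts.get("range", "")
        if not re.fullmatch(r"\d+-\d+", rng):
            problems.append(f"{dom}: missing or unparsable range '{rng}'")
            continue
        lo, hi = (int(x) for x in rng.split("-"))
        if lo > hi or hi > UID_MAX:
            problems.append(f"{dom}: range {lo}-{hi} is inverted or exceeds the 32-bit id limit")
        ranges.append((dom, lo, hi))
    ranges.sort(key=lambda r: r[1])  # by low end; compare against the widest-reaching earlier range
    for i, (d2, lo2, _) in enumerate(ranges[1:], 1):
        d1, lo1, hi1 = max(ranges[:i], key=lambda r: r[2])
        if lo2 <= hi1:
            problems.append(f"{d1} range {lo1}-{hi1} overlaps {d2} range starting at {lo2}")
    return problems
```

Running `lint_idmap(SAMPLE_SMB_CONF)` on the sample returns four findings; a config whose domains each have a backend and disjoint, in-range ids returns an empty list.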