Rowland Penny
2023-Jul-20 13:42 UTC
[Samba] Samba rejecting authentication from Windows machines
On 20/07/2023 14:28, Kothe Patrik via samba wrote:
> Hi everybody.
>
> First a short overview of our setup:
>
> We have 2 Samba DCs in Domain 1
> We use a Windows 10 Pro VM for the RSAT Tools which we access via RDP
> We have 1 Windows Server 2012 DC for Domain 2
> Between Domain 1 and 2 is a Trust for cross-domain file share access
>
> Since the last reboot of our samba DCs they suddenly started to block login attempts on the RSAT-VM and also the Trust to the other domain is broken.
>
> When trying to log in to the RSAT-VM the primary DC logs this:
>
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: starting transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: client @0x7fc5000c40d0 172.16.2.105#61179: update 'Domain1.tld/IN' denied
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: cancelling transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: starting transaction on zone Domain1.tld
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: disallowing update of signer=RSAT-VM\$\@DOMAIN1.TLD name=RSAT-VM.Domain1.tld type=AAAA error=insufficient access rights
> Jul 20 14:32:10 C-103-dc01 named[2076966]: client @0x7fc5000c40d0 172.16.2.105#62717/key RSAT-VM\$\@DOMAIN1.TLD: updating zone 'Domain1.tld/NONE': update failed: rejected by secure update (REFUSED)
> Jul 20 14:32:10 C-103-dc01 named[2076966]: samba_dlz: cancelling transaction on zone Domain1.tld
>
> Also, if I run the Trust-test on the Windows DC of Domain 2, I get the following error:
> "The secure channel (SC) verification on Active Directory Domain Controller \\dc01.domain1.tld of domain1.tld to domain domain2.tld failed with error: Access is denied."
>
> Does anybody have an idea, what we can do about this?

Sorry, but I doubt it, not from the information provided.

What version of Samba are the DCs running and on what OS ?
Was anything updated on any of the machines ? If so, what ?

This could be more fall out from Microsoft's last update.

Rowland
Kothe Patrik
2023-Jul-20 14:02 UTC
[Samba] **[EXTERNAL]**Re: Samba rejecting authentication from Windows machines
What version of Samba are the DCs running and on what OS ?
--> They're still running on 4.13.17 and Debian 10 since that's the pre-packed version we started with and didn't dare to upgrade so far.

Was anything updated on any of the machines ? If so, what ?
--> No. We had our monthly maintenance window but there were no upgrades to the Samba DCs.

This could be more fall out from Microsoft's last update
--> What do you mean with this? I haven't read anything in this direction while searching for the issue.