samba - Aug 2025 - Server 2022 joined to Samba AD DC domain - RDP fails with event 4625 and status 0xC000018D (STATUS_TRUSTED_RELATIONSHIP_FAILURE)

Hi there, 

At the moment I'm trying to solve a problem with a Windows Server 2022 that
is to be used as a Remote Desktop Services (RDS) host.
We have a Samba AD DC and a file server (both Debian Linux) and some client
machines. That's been working fine for some years.

Now there's also one Windows Server 2022 Standard which is freshly set up
and joined to the Samba AD. A RDS license pack (per-user) has been setup and is
shown correctly.

Using the Samba Domain Administrator account I can login interactively (locally
or through ILO remote console).
Then I can browse to the file server (different Samba/Linux machine) and access
all of its shares without login prompt as I'd expect.

But when we try to login through Remmina and RDP, the login does not succeed (no
login screen shown) and the Remmina login prompt reappears.

The event log of the Windows server logs (freely translated to English from
German GUI):

Subject:
- Security ID: NULL
- Account Name: -
- Account Domain: -
- Login ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
- Security ID: NULL SID
- Account Name: myusername
- Account Domain: ad.mydomain.local
Failure Information:
- Failure Reason: An error happened at login.
- Status: 0xC000018D
- Sub Status: 0x0
Process Information:
- Caller Process ID: 0x0
- Caller Process Name: -
Network Information:
- Workstation Name: laptop07
- Source Network Address: 10.10.10.7
- Source Port: 0
Detailed Authentication Information:
- Logon Process: NtLmSsp
- Authentication Package: NTLM
- Transited Services: -
- Package Name (NTLM only): -
- Key Length: 0

According to MS[1], the error status means:
0xC000018D
STATUS_TRUSTED_RELATIONSHIP_FAILURE
"The logon request failed because the trust relationship between this
workstation and the primary domain failed."

I've already rejoined the Windows Server into the domain but the problem
persists.

What steps would you take to investigate the issue? 

Can I check something on the Windows Server (diagnosis information about AD join
status??) or enable certain logging on the Samba AD DC?

Yours,
Reg

[1]:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55?redirectedfrom=MSDN

On 13.08.2025 15:57, Reg via samba wrote:
> Hi there,
>
> At the moment I'm trying to solve a problem with a Windows Server 2022
that is to be used as a Remote Desktop Services (RDS) host.
> We have a Samba AD DC and a file server (both Debian Linux) and some client
machines. That's been working fine for some years.
>
> Now there's also one Windows Server 2022 Standard which is freshly set
up and joined to the Samba AD. A RDS license pack (per-user) has been setup and
is shown correctly.
>
> Using the Samba Domain Administrator account I can login interactively
(locally or through ILO remote console).
> Then I can browse to the file server (different Samba/Linux machine) and
access all of its shares without login prompt as I'd expect.
>
> But when we try to login through Remmina and RDP, the login does not
succeed (no login screen shown) and the Remmina login prompt reappears.
>
> The event log of the Windows server logs (freely translated to English from
German GUI):
>
> Subject:
> - Security ID: NULL
> - Account Name: -
> - Account Domain: -
> - Login ID: 0x0
> Logon Type: 3
> Account For Which Logon Failed:
> - Security ID: NULL SID
> - Account Name: myusername
> - Account Domain: ad.mydomain.local
> Failure Information:
> - Failure Reason: An error happened at login.
> - Status: 0xC000018D
> - Sub Status: 0x0
> Process Information:
> - Caller Process ID: 0x0
> - Caller Process Name: -
> Network Information:
> - Workstation Name: laptop07
> - Source Network Address: 10.10.10.7
> - Source Port: 0
> Detailed Authentication Information:
> - Logon Process: NtLmSsp
> - Authentication Package: NTLM
> - Transited Services: -
> - Package Name (NTLM only): -
> - Key Length: 0
>
> According to MS[1], the error status means:
> 0xC000018D
> STATUS_TRUSTED_RELATIONSHIP_FAILURE
> "The logon request failed because the trust relationship between this
workstation and the primary domain failed."
>
> I've already rejoined the Windows Server into the domain but the
problem persists.
>
> What steps would you take to investigate the issue?
>
> Can I check something on the Windows Server (diagnosis information about AD
join status??) or enable certain logging on the Samba AD DC?
>
> Yours,
> Reg
>
> [1]:
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55?redirectedfrom=MSDN
>
>
Hi Reg,

I'm using a similar setup many times daily, and the problem is probably 
the RDP client command line. I'm using xfreerdp3 in debian 12, and it 
was very tricky to get it working, after Debian backports had migrated 
from FreeRDP 2 to FreeRDP 3. Unfortunately, the FreeRDP documentation is 
not very helpful. Install the package freerdp3-x11 from Debian 12 
backports and try the following command line:

xfreerdp3 /v:<server address> /f /fonts /d:<domain> /u:<user> 
+decorations /disp /dynamic-resolution +aero /bpp:32 /menu-anims /sec:nla

If you log in to a Linux box with xrdp, just remove the /sec:nla. If 
it's a local user on the server, skip the domain. You can further tweak 
the command for Remote FX and other fancy stuff.

Best regards,

Peter

On Wed, 13 Aug 2025 13:57:15 +0000
Reg via samba <samba at lists.samba.org> wrote:
> Hi there, 
> 
> At the moment I'm trying to solve a problem with a Windows Server
> 2022 that is to be used as a Remote Desktop Services (RDS) host. We
> have a Samba AD DC and a file server (both Debian Linux) and some
> client machines. That's been working fine for some years. 
> 
> Now there's also one Windows Server 2022 Standard which is freshly
> set up and joined to the Samba AD. A RDS license pack (per-user) has
> been setup and is shown correctly. 
How is it joined ?
As a domain member or something else ?
> 
> Using the Samba Domain Administrator account I can login
> interactively (locally or through ILO remote console). Then I can
> browse to the file server (different Samba/Linux machine) and access
> all of its shares without login prompt as I'd expect.
> 
> But when we try to login through Remmina and RDP, the login does not
> succeed (no login screen shown) and the Remmina login prompt
> reappears.
> 
> The event log of the Windows server logs (freely translated to
> English from German GUI):
> 
> Subject:
> - Security ID: NULL
> - Account Name: -
> - Account Domain: -
> - Login ID: 0x0
> Logon Type: 3
> Account For Which Logon Failed:
> - Security ID: NULL SID
> - Account Name: myusername
> - Account Domain: ad.mydomain.local
> Failure Information:
> - Failure Reason: An error happened at login.
> - Status: 0xC000018D
> - Sub Status: 0x0
> Process Information:
> - Caller Process ID: 0x0
> - Caller Process Name: -
> Network Information:
> - Workstation Name: laptop07
> - Source Network Address: 10.10.10.7
> - Source Port: 0
> Detailed Authentication Information:
> - Logon Process: NtLmSsp
> - Authentication Package: NTLM
> - Transited Services: -
> - Package Name (NTLM only): -
> - Key Length: 0
> 
> According to MS[1], the error status means:
> 0xC000018D
> STATUS_TRUSTED_RELATIONSHIP_FAILURE
> "The logon request failed because the trust relationship between this
> workstation and the primary domain failed."
> 
> I've already rejoined the Windows Server into the domain but the
> problem persists.
Have you tried rejoining the client ?

Rowland

On 13/08/2025 15.57, Reg via samba wrote:
> At the moment I'm trying to solve a problem with a Windows Server 2022
that is to be used as a Remote Desktop Services (RDS) host.
> We have a Samba AD DC and a file server (both Debian Linux) and some client
machines. That's been working fine for some years.
> 0xC000018D
> STATUS_TRUSTED_RELATIONSHIP_FAILURE
> "The logon request failed because the trust relationship between this
workstation and the primary domain failed."
This totally looks like the old trust relationship failure of Samba pre 4.17
with windows 10 clients.

https://bugzilla.samba.org/show_bug.cgi?id=15418#c25
https://www.reddit.com/r/sysadmin/comments/14xmkw6/for_people_using_samba_and_windows_10_latest/


The client could join the domain, access shares, work normally, but network
level auth for RDP failed.

Which version of Samba are you running on the DC?


-- 
Fabio Muzzi Frabetti

  Consulenza informatica
  Sistemi Linux - Sicurezza informatica - Sistemi VoIP