search for: sam_failtrusts

...t it just works): map untrusted to domain = No This option is no longer available in the new samba. Another suggested solution, also not available in the new samba: As a workaround the following option can be set on all Samba AD/DCs of the domain: auth methods = anonymous sam winbind_rodc sam_failtrusts sam_ignoredomain Is there any way I can get this work with the new version or am I forced to compile 3.x to get this feature back?

Am 22.01.2018 um 21:39 schrieb Andrew Bartlett: > On Mon, 2018-01-22 at 21:30 +0100, Johannes Engel via samba wrote: >> [2018/01/22 21:15:50.022197, 2] >> ../source4/auth/ntlm/auth.c:475(auth_check_password_recv) >> auth_check_password_recv: sam_failtrusts authentication for user >> [MYDOMAIN\ldap] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET, >> authoritative=1 > Hmm. Are you sure the RODC's join to the domain is all OK? Certainly to me it looks ok: Finding a writeable DC for domain 'my.domain.com' Found DC dc.my.doma...

...bcli/nbt/lmhosts.c:184(resolve_lmhosts_file_as_sockaddr)   resolve_lmhosts: Attempting lmhosts lookup for name ef201f76-caaa-40b7-9ff2-41b4790dcf4d._msdcs.my.domain.com<0x20> [2018/01/22 21:15:50.022197,  2] ../source4/auth/ntlm/auth.c:475(auth_check_password_recv)   auth_check_password_recv: sam_failtrusts authentication for user [MYDOMAIN\ldap] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET, authoritative=1 [2018/01/22 21:15:50.026733,  2] ../auth/auth_log.c:760(log_authentication_event_human_readable)   Auth: [LDAP,simple bind] user [(null)]\[cn=LDAP,cn=Users,dc=my,dc=domain,dc=com] at [Mon, 22 Ja...

...rote: > Am 22.01.2018 um 21:39 schrieb Andrew Bartlett: > > On Mon, 2018-01-22 at 21:30 +0100, Johannes Engel via samba wrote: > > > [2018/01/22 21:15:50.022197, 2] > > > ../source4/auth/ntlm/auth.c:475(auth_check_password_recv) > > > auth_check_password_recv: sam_failtrusts authentication for user > > > [MYDOMAIN\ldap] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET, > > > authoritative=1 > > > > Hmm. Are you sure the RODC's join to the domain is all OK? > > Certainly to me it looks ok: .. > Any thoughts? > Best regar...

...= No > > This option is no longer available in the new samba. > > > Another suggested solution, also not available in the new samba: > > As a workaround the following option can be set on all Samba AD/DCs of > the domain: > > ?auth methods = anonymous sam winbind_rodc sam_failtrusts > sam_ignoredomain > > > Is there any way I can get this work with the new version or am I > forced to compile 3.x to get this feature back? > > I don't think that is your problem, it is more likely to be the password, try adding these lines: lanman auth = Yes client la...

...sword_send) auth_check_password_send: Checking password for unmapped user [TRUSTING]\[ABNORMAL$]@[ABNORMAL] auth_check_password_send: user is: [TRUSTING]\[ABNORMAL$]@[ABNORMAL] [2017/12/29 12:02:33.092876, 2] ../source4/auth/ntlm/auth.c:475(auth_check_password_recv) auth_check_password_recv: sam_failtrusts authentication for user [TRUSTING\ABNORMAL$] FAILED with error NT_STATUS_NO_TRUST_LSA_SECRET, authoritative=1 [2017/12/29 12:02:33.093003, 2] ../auth/auth_log.c:760(log_authentication_event_human_readable) Auth: [SMB2,NTLMSSP] user [TRUSTING]\[ABNORMAL$] at [ven, 29 dic 2017 12:02:33.092978 CET]...

...ger available in the new samba. >> >> >> Another suggested solution, also not available in the new samba: >> >> As a workaround the following option can be set on all Samba AD/DCs of >> the domain: >> >> ?auth methods = anonymous sam winbind_rodc sam_failtrusts >> sam_ignoredomain >> >> >> Is there any way I can get this work with the new version or am I >> forced to compile 3.x to get this feature back? >> >> > I don't think that is your problem, it is more likely to be the > password, try adding...

Hi Andrew, I am deeply impressed by your speed! :D The RODC is actually Samba 4.7.4, the other DCs are still on 4.6.12. Any suggestion how I can debug this w/o setting everything on level 10? ;) Best regards Johannes Am 22.01.2018 um 20:45 schrieb Andrew Bartlett: > On Mon, 2018-01-22 at 20:36 +0100, Johannes Engel via samba wrote: >> Dear all, >> >> setting up a DMZ