The cause of the problem could be Kerberos clock skew: "Kerberos server time vs. machine's time".

On Thu, May 28, 2009 at 11:12 AM, Masopust, Christian <christian.masop...@siemens.com> wrote:
> Dear all,
>
> I've a real strange problem with one of my Samba-servers. Most of the time a
> lot of users get the message about "trust relationship failure" when trying
> to access the share on this server. Below you find part of a log where the
> user can access the share and a few seconds later it's no longer possible.
> "net ads testjoin" shows that join of the samba-server is still valid,
> removing and rejoining the server from AD didn't help.
>
> Some additional information:
> - samba-server and users facing this problem are located on a remote site
>   (with its own DC)
> - access to another samba-server at the remote site for users facing the
>   problem works at any time!
> - access to the share on the samba-server having the problems from my site
>   (different DC) works at any time!
>
>
> [2009/05/28 10:49:57, 1, pid=31019, effective(0, 0), real(0, 0)] smbd/sesssetup.c:reply_spnego_kerberos(474)
>   Username WW300\SK16963C$ is invalid on this system
> [2009/05/28 10:49:57, 1, pid=31019, effective(0, 0), real(0, 0)] smbd/session.c:session_claim(112)
>   Re-using invalid record
> [2009/05/28 10:49:57, 1, pid=31019, effective(51043, 2700), real(0, 0)] smbd/service.c:make_connection_snum(1111)
>   sk16963c (::ffff:163.242.60.65) connect to service views_copl initially as user sk1u04w8 (uid=51043, gid=2700) (pid 31019)
> [2009/05/28 10:50:06, 1, pid=31019, effective(0, 0), real(0, 0)] smbd/service.c:close_cnum(1323)
>   sk16963c (::ffff:163.242.60.65) closed connection to service views_copl
> [2009/05/28 10:50:07, 0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
>   cli_rpc_pipe_open_schannel: failed to get schannel session key from server SKZAAM100A.WW300.SIEMENS.NET for domain WW300.
> [2009/05/28 10:50:07, 0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
>   connect_to_domain_password_server: unable to open the domain client session to machine SKZAAM100A.WW300.SIEMENS.NET. Error was : NT_STATUS_ACCESS_DENIED.
> [2009/05/28 10:50:07, 0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
>   cli_rpc_pipe_open_schannel: failed to get schannel session key from server SKZAAM100A.WW300.SIEMENS.NET for domain WW300.
> [2009/05/28 10:50:07, 0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
>   connect_to_domain_password_server: unable to open the domain client session to machine SKZAAM100A.WW300.SIEMENS.NET. Error was : NT_STATUS_ACCESS_DENIED.
>
> any idea what can cause this problem?
>
> thanks a lot,
> christian
>
> p.s.: here's the global-section of my smb.conf
>
> # Global parameters
> [global]
>         workgroup = WW300
>         netbios name = SK16822C
>         server string = Samba %v CC-View-Server
>         security = ADS
>         realm = WW300.SIEMENS.NET
>         password server = *
>         client use spnego = yes
>         username map = /etc/samba/smbusers
>         smb ports = 139
>         log file = /var/log/samba/log.%m
>         debug pid = Yes
>         debug uid = Yes
>         name resolve order = host wins bcast
>         deadtime = 15
>         machine password timeout = 0
>         os level = 0
>         preferred master = No
>         local master = No
>         domain master = No
>         browse list = No
>         dns proxy = No
>         wins support = No
>         wins server = <ip-of wins-server>
>         ldap ssl = no
>         eventlog list = Security, Application, Syslog, Apache
>         utmp = Yes
>         idmap uid = 200000-230000
>         idmap gid = 50000-60000
>         template homedir = /home/%U
>         template shell = /bin/bash
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = Yes
>         hide dot files = No
>         dos filetime resolution = Yes
>         fake directory create times = Yes
>         host msdfs = no
>         msdfs root = no
>         load printers = no
>         printing = bsd
>         browsable = no
>         restrict anonymous = 2
>         null passwords = no
>         guest account = nobody
>         kernel oplocks = No
>         oplocks =No
>         level2 oplocks = No
>
> ___________________________________________________________
>
> Christian Masopust
>
> SIEMENS AG    SIS SDE SVI CON IPB
> Tel: +43 (0) 5 1707 26866
> E-mail: christian.masop...@siemens.com
> Addr: Austria, 1210 Vienna, Siemensstraße 90-92, B. 33, Rm. 243
>
> Leader of the RUGA <http://www.rational-ug.org/groups.php?groupid=119>
>
> Firma: Siemens Aktiengesellschaft Österreich, Rechtsform: Aktiengesellschaft,
> Sitz: Wien, Firmenbuchnummer: FN 60562 m,
> Firmenbuchgericht: Handelsgericht Wien, DVR 0001708
> ___________________________________________________________
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
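
A log triage helper for the failure pattern in the log quoted above, as an added example that is not part of the original thread: it parses the two-line smbd record layout and groups schannel and domain-session failures by domain controller. The sample log is constructed (placeholder host, domain, share and user names), and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the same layout as the log quoted above (header line,
# then indented message); host, domain, share and user names are placeholders.
SAMPLE_LOG = """\
[2009/05/28 10:49:57, 1, pid=31019, effective(51043, 2700), real(0, 0)] smbd/service.c:make_connection_snum(1111)
  client1 (::ffff:192.0.2.65) connect to service share1 initially as user user1 (uid=51043, gid=2700) (pid 31019)
[2009/05/28 10:50:07, 0, pid=31024, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_schannel(3352)
  cli_rpc_pipe_open_schannel: failed to get schannel session key from server DC01.EXAMPLE.NET for domain EXAMPLE.
[2009/05/28 10:50:07, 0, pid=31024, effective(0, 0), real(0, 0)] auth/auth_domain.c:connect_to_domain_password_server(187)
  connect_to_domain_password_server: unable to open the domain client session to machine DC01.EXAMPLE.NET. Error was : NT_STATUS_ACCESS_DENIED.
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+), pid=(\d+),[^\]]*\]\s+(\S+)\((\d+)\)\s*$")
SCHANNEL = re.compile(r"failed to get schannel session key from server (\S+) for domain (\S+?)\.?$")
SESSION = re.compile(r"unable to open the domain client session to machine (\S+?)\. Error was : (NT_STATUS_\w+)")

def parse_records(text):
    """Yield (timestamp, debug level, pid, source location, message) per record."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            current = [ts, int(m.group(2)), int(m.group(3)), m.group(4), ""]
        elif current is not None:
            # Continuation lines belong to the most recent header.
            current[4] = (current[4] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def secure_channel_failures(text):
    """Map each DC name to a Counter of failure kinds logged against it."""
    per_dc = {}
    for _ts, _level, _pid, _loc, msg in parse_records(text):
        for pattern, kind in ((SCHANNEL, "schannel_key"), (SESSION, None)):
            m = pattern.search(msg)
            if m:  # SESSION records are keyed by their NT_STATUS code
                per_dc.setdefault(m.group(1), Counter())[kind or m.group(2)] += 1
    return per_dc
```

Failures that cluster on a single DC name in the result point at that controller or at the time and secure-channel state between it and the Samba host, which is where a clock comparison would start.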