6

We have a Windows domain that also has a RHEL member server in it. All the servers have a primary network connection to the LAN, but some servers also have private dedicated links to the RHEL server, which serves as a head to our SAN storage.

This particular server is running Samba 3.5.15, and is running in ADS authentication mode.

Users can access shares on this server without a problem over the LAN connection from our Windows servers, but if a user tries to access the shares over the private link (i.e. a 192.168.1.2 address to the RHEL server) users get an error "The trust relationship between this workstation and the primary domain failed."

When I watch the logs, I get a lot of errors that you'll see everywhere online - one of those situations where nothing fits my situation specifically. Nonetheless here they are, maybe someone will see something I don't:

I get these two errors together three times:

Failed to get schannel session key from server DC for domain DOMAIN

connect_to_domain_password_server: unable to open the domain client session to machine DC - NT_STATUS_ACCESS_DENIED

Then I get these two errors:

domain_client_validate: Domain password server not available

check_ntlm_password: Authentication for user <the user trying to access the share> FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE

This set of errors then repeats three times each for each access attempt.

Univ426

2 Answers

3

This may be a highly specific case, and I wish I had a better answer, but I spent a few more hours on this today, and noticed Winbind was turned off. I know winbind was running in the past, as I was getting successful authentications with wbinfo -a. At that time we were still unable to access Samba over private links.

Regardless, after turning Winbind back on, the private links magically started working. Sure enough, turning it back off broke them again.

The entire time, though, I was able to access shares over the main LAN connection. I'll still give 50 points to anyone who can explain why that is :D

Univ426
0

As Active Directory is using Kerberos for authentication, it sounds like the errors might be related to the reverse name of the private IP not matching the name that your RHEL server joined the domain with. If you set the reverse DNS of 192.168.1.2 to match the hostname of the server, you may solve your problems.

chutz
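The reverse-DNS comparison suggested in the answer above, written out as an added example that is not part of the original thread: for each address the Samba server listens on, look up the PTR name and compare it with the name the host joined the domain as. The host names, the 10.0.0.20 LAN address and the sample PTR table are constructed for illustration; on a real host, omit the `resolver` argument to query live DNS.

```python
import socket

def reverse_name(ip, resolver=socket.gethostbyaddr):
    """Return the lower-cased PTR name for ip, or None if no record exists."""
    try:
        return resolver(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return None

def check_ptr_matches(joined_fqdn, addresses, resolver=socket.gethostbyaddr):
    """Compare each address's PTR name with the domain-joined host name.

    Returns {ip: (status, ptr_name)} where status is one of:
      'ok'              PTR equals the joined FQDN
      'host-only-match' host part matches but the DNS suffix differs
      'mismatch'        PTR points at a different name
      'no-ptr'          no reverse record at all
    """
    want = joined_fqdn.rstrip(".").lower()
    results = {}
    for ip in addresses:
        ptr = reverse_name(ip, resolver)
        if ptr is None:
            status = "no-ptr"
        elif ptr == want:
            status = "ok"
        elif ptr.split(".")[0] == want.split(".")[0]:
            status = "host-only-match"
        else:
            status = "mismatch"
        results[ip] = (status, ptr)
    return results

# Constructed sample data (hypothetical names; only 192.168.1.2 is from the question).
SAMPLE_PTR = {
    "10.0.0.20": "san-head.example.local",
    "192.168.1.2": "san-head-priv.example.local",
}

def sample_resolver(ip):
    """Offline stand-in for socket.gethostbyaddr backed by SAMPLE_PTR."""
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return (SAMPLE_PTR[ip], [], [ip])

if __name__ == "__main__":
    report = check_ptr_matches("san-head.example.local", list(SAMPLE_PTR), sample_resolver)
    for ip, (status, ptr) in report.items():
        print(f"{ip:15} {status:16} {ptr}")
```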