Samba NT_STATUS_NO_TRUST_SAM_ACCOUNT

For a project we have several samba shares configured as follows:



[global]
workgroup = <domain name>
netbios name = <machine name>
passdb backend = tdbsam
security = ads
encrypt passwords = yes
realm = <fully qualified domain>
password server = <ldap server ip>

[Share1]
path = <path>
......


The idea is that users connecting will be authenticated by the ldap server and every file written by them will be owned by a linux user with the same name. Apart from SAMBA the linux machine doesn't use ldap for anything else.



Everything worked as expected, until something changed on the ldap server and we are now getting the NT_STATUS_NO_TRUST_SAM_ACCOUNT error. We are trying to communicate with the ldap team, but seeing that every other Active Directory authentication works, we expect it will be our responsibility to change the samba configuration accordingly -_-"



The guides I see around are pretty much all focused on installing and using an OpenLDAP server on the linux machine, which we don't need, or configuring linux authentication to use LDAP users internally or do complex mappings other than the username, which we also do not need.



We are using samba 4.2, and it is known that upgrading to a more recent version didn't work with the above configuration (even before the ldap server changes).



Are you aware of any other (maybe more correct) way to configure samba to have the requested behavior? What we need is just the LDAP server answering "user auth ok", no user mapping, no machine in the domain, no complex configuration.
samba ldap
edited May 2 '16 at 9:39
Jeff Schaller
asked May 2 '16 at 9:21
capitano666
  • Is your samba box added to the NT domain using the NT Server Manager?

    – Rahul
    May 2 '16 at 9:29
1 Answer
When you become the member of a domain (such as is necessary for 'security = ads'), a machine account for your server is created in the directory. Your server uses this account for accessing the resources in the domain.



NT_STATUS_NO_TRUST_SAM_ACCOUNT suggests that your machine is having trouble using its machine account (its credentials might have been invalidated for some reason). Leaving the domain and joining it again ("net ads join") should fix this.



Older versions of Samba supported forwarding authentication to a remote server without being a domain member, but AFAICT this no longer exists.
answered Jul 2 '17 at 14:47

jelmer
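The diagnosis in the answer (broken machine account trust, fixed by leaving and rejoining) as an added triage script; this is not part of the original question or answer. It assumes Samba's `net` utility is present on the member server where triage() runs, and "Administrator" is a placeholder for whatever account is allowed to join machines to your domain.

```shell
#!/bin/sh
# Added example, not from the original question or answer: triage helper for
# NT_STATUS_NO_TRUST_SAM_ACCOUNT on a Samba AD member. Assumes Samba's `net`
# utility where triage() runs; the config/output checks are plain shell so they
# run without a domain. "Administrator" is a placeholder for a domain-join account.

# Print the first value of parameter $2 in smb.conf $1 (trailing blanks stripped).
conf_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n1
}

# security = ads only works for a joined domain member, which needs a realm and
# a valid machine account secret (kept in secrets.tdb, not in the passdb backend).
# Returns 0 when the member configuration is complete enough to be joined.
check_member_conf() {
    sec=$(conf_param "$1" security | tr '[:upper:]' '[:lower:]')
    realm=$(conf_param "$1" realm)
    [ "$sec" = "ads" ] && [ -n "$realm" ]
}

# Interpret `net ads testjoin`: exit 0 plus "Join is OK" means the machine account
# still authenticates to a DC; anything else means the trust is broken.
classify_testjoin() {
    if [ "$1" -eq 0 ] && printf '%s\n' "$2" | grep -q 'Join is OK'; then
        echo trusted
    else
        echo machine-account-broken
    fi
}

triage() {
    conf="${1:-/etc/samba/smb.conf}"
    if ! check_member_conf "$conf"; then
        echo "$conf: security = ads requires a realm and a joined machine account"
        return 1
    fi
    if ! command -v net >/dev/null 2>&1; then
        echo "Samba 'net' tool not found; run this on the member server"
        return 2
    fi
    out=$(net ads testjoin 2>&1) && st=0 || st=$?
    if [ "$(classify_testjoin "$st" "$out")" = trusted ]; then
        echo "Machine account trust OK: $out"
    else
        echo "Join is broken ($out). Re-establish the trust as described in the answer:"
        echo "  net ads leave -U Administrator && net ads join -U Administrator"
        echo "then restart smbd (and winbindd, if used) and re-test the share."
    fi
}
```

Run `triage /etc/samba/smb.conf` on the member server; a "trusted" result with the error still present points away from the machine account and back at the ldap team.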