Samba NT_STATUS_NO_TRUST_SAM_ACCOUNT

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












1















for a project we have several samba shares configured as following:



[global]
workgroup = <domain name>
netbios name = <machine name>
passdb backend = tdbsam
security = ads
encrypt passwords = yes
realm = <fully qualified domain>
password server = <ldap server ip>

[Share1]
path = <path>
......


The idea is that users connecting will be authenticated by the ldap server and every file written by them will be owned by a linux user with the same name. Apart from SAMBA the linux machine doesn't use ldap for anything else.



Everything worked as expected, until something changed on the ldap server and we are now getting the NT_STATUS_NO_TRUST_SAM_ACCOUNT error. We are tying to comunicate with the ldap team but seeing that every other Active Directory authentication works we expect it will be our responsibility to change the samba configuration accordingly -_-"



The guides I see around are pretty much all focused on installing and using an OpenLDAP server on the linux machine, which we don't need, or configuring linux authentication to use LDAP users internally or do complex mappings other than the username, which we also do not need.



We are using samba 4.2, and it is known that upgrading to a more recent version didn't work with the above configuration (even before the ldap server changes).



Are you aware of any other (maybe more correct) way to configure samba to have the requested behavior? What we need is just the LDAP server answering "user auth ok", no user mapping, no machine in the domain, no complex configuration.










share|improve this question
























  • does your samba box added to the NT domain using the NT Server Manager ?

    – Rahul
    May 2 '16 at 9:29















1















for a project we have several samba shares configured as following:



[global]
workgroup = <domain name>
netbios name = <machine name>
passdb backend = tdbsam
security = ads
encrypt passwords = yes
realm = <fully qualified domain>
password server = <ldap server ip>

[Share1]
path = <path>
......


The idea is that users connecting will be authenticated by the ldap server and every file written by them will be owned by a linux user with the same name. Apart from SAMBA the linux machine doesn't use ldap for anything else.



Everything worked as expected, until something changed on the ldap server and we are now getting the NT_STATUS_NO_TRUST_SAM_ACCOUNT error. We are tying to comunicate with the ldap team but seeing that every other Active Directory authentication works we expect it will be our responsibility to change the samba configuration accordingly -_-"



The guides I see around are pretty much all focused on installing and using an OpenLDAP server on the linux machine, which we don't need, or configuring linux authentication to use LDAP users internally or do complex mappings other than the username, which we also do not need.



We are using samba 4.2, and it is known that upgrading to a more recent version didn't work with the above configuration (even before the ldap server changes).



Are you aware of any other (maybe more correct) way to configure samba to have the requested behavior? What we need is just the LDAP server answering "user auth ok", no user mapping, no machine in the domain, no complex configuration.










share|improve this question
























  • does your samba box added to the NT domain using the NT Server Manager ?

    – Rahul
    May 2 '16 at 9:29













1












1








1


1






for a project we have several samba shares configured as following:



[global]
workgroup = <domain name>
netbios name = <machine name>
passdb backend = tdbsam
security = ads
encrypt passwords = yes
realm = <fully qualified domain>
password server = <ldap server ip>

[Share1]
path = <path>
......


The idea is that users connecting will be authenticated by the ldap server and every file written by them will be owned by a linux user with the same name. Apart from SAMBA the linux machine doesn't use ldap for anything else.



Everything worked as expected, until something changed on the ldap server and we are now getting the NT_STATUS_NO_TRUST_SAM_ACCOUNT error. We are tying to comunicate with the ldap team but seeing that every other Active Directory authentication works we expect it will be our responsibility to change the samba configuration accordingly -_-"



The guides I see around are pretty much all focused on installing and using an OpenLDAP server on the linux machine, which we don't need, or configuring linux authentication to use LDAP users internally or do complex mappings other than the username, which we also do not need.



We are using samba 4.2, and it is known that upgrading to a more recent version didn't work with the above configuration (even before the ldap server changes).



Are you aware of any other (maybe more correct) way to configure samba to have the requested behavior? What we need is just the LDAP server answering "user auth ok", no user mapping, no machine in the domain, no complex configuration.










share|improve this question
















for a project we have several samba shares configured as following:



[global]
workgroup = <domain name>
netbios name = <machine name>
passdb backend = tdbsam
security = ads
encrypt passwords = yes
realm = <fully qualified domain>
password server = <ldap server ip>

[Share1]
path = <path>
......


The idea is that users connecting will be authenticated by the ldap server and every file written by them will be owned by a linux user with the same name. Apart from SAMBA the linux machine doesn't use ldap for anything else.



Everything worked as expected, until something changed on the ldap server and we are now getting the NT_STATUS_NO_TRUST_SAM_ACCOUNT error. We are tying to comunicate with the ldap team but seeing that every other Active Directory authentication works we expect it will be our responsibility to change the samba configuration accordingly -_-"



The guides I see around are pretty much all focused on installing and using an OpenLDAP server on the linux machine, which we don't need, or configuring linux authentication to use LDAP users internally or do complex mappings other than the username, which we also do not need.



We are using samba 4.2, and it is known that upgrading to a more recent version didn't work with the above configuration (even before the ldap server changes).



Are you aware of any other (maybe more correct) way to configure samba to have the requested behavior? What we need is just the LDAP server answering "user auth ok", no user mapping, no machine in the domain, no complex configuration.







samba ldap






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited May 2 '16 at 9:39









Jeff Schaller

41.2k1056131




41.2k1056131










asked May 2 '16 at 9:21









capitano666capitano666

13118




13118












  • does your samba box added to the NT domain using the NT Server Manager ?

    – Rahul
    May 2 '16 at 9:29

















  • does your samba box added to the NT domain using the NT Server Manager ?

    – Rahul
    May 2 '16 at 9:29
















does your samba box added to the NT domain using the NT Server Manager ?

– Rahul
May 2 '16 at 9:29





does your samba box added to the NT domain using the NT Server Manager ?

– Rahul
May 2 '16 at 9:29










1 Answer
1






active

oldest

votes


















0














When you become the member of a domain (such as is necessary for 'security = ads'), a machine account for your server is created in the directory. Your server uses this account for accessing the resources in the domain.



NT_STATUS_NO_TRUST_SAM_ACCOUNT suggests that your machine is having trouble using its machine account (its credentials might have been invalidated for some reason). Leaving the domain and joining it again ("net ads join") should fix this.



Older versions of Samba supported forwarding authentication to a remote server without being a domain member, but AFAICT this no longer exists.






share|improve this answer






















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f280535%2fsamba-nt-status-no-trust-sam-account%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    When you become the member of a domain (such as is necessary for 'security = ads'), a machine account for your server is created in the directory. Your server uses this account for accessing the resources in the domain.



    NT_STATUS_NO_TRUST_SAM_ACCOUNT suggests that your machine is having trouble using its machine account (its credentials might have been invalidated for some reason). Leaving the domain and joining it again ("net ads join") should fix this.



    Older versions of Samba supported forwarding authentication to a remote server without being a domain member, but AFAICT this no longer exists.






    share|improve this answer



























      0














      When you become the member of a domain (such as is necessary for 'security = ads'), a machine account for your server is created in the directory. Your server uses this account for accessing the resources in the domain.



      NT_STATUS_NO_TRUST_SAM_ACCOUNT suggests that your machine is having trouble using its machine account (its credentials might have been invalidated for some reason). Leaving the domain and joining it again ("net ads join") should fix this.



      Older versions of Samba supported forwarding authentication to a remote server without being a domain member, but AFAICT this no longer exists.






      share|improve this answer

























        0












        0








        0







        When you become the member of a domain (such as is necessary for 'security = ads'), a machine account for your server is created in the directory. Your server uses this account for accessing the resources in the domain.



        NT_STATUS_NO_TRUST_SAM_ACCOUNT suggests that your machine is having trouble using its machine account (its credentials might have been invalidated for some reason). Leaving the domain and joining it again ("net ads join") should fix this.



        Older versions of Samba supported forwarding authentication to a remote server without being a domain member, but AFAICT this no longer exists.






        share|improve this answer













        When you become the member of a domain (such as is necessary for 'security = ads'), a machine account for your server is created in the directory. Your server uses this account for accessing the resources in the domain.



        NT_STATUS_NO_TRUST_SAM_ACCOUNT suggests that your machine is having trouble using its machine account (its credentials might have been invalidated for some reason). Leaving the domain and joining it again ("net ads join") should fix this.



        Older versions of Samba supported forwarding authentication to a remote server without being a domain member, but AFAICT this no longer exists.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Jul 2 '17 at 14:47









        jelmerjelmer

        1214




        1214



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f280535%2fsamba-nt-status-no-trust-sam-account%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?