Centos – Unable to access SMB share on AD joined CentOS 7 server from workgroup PC

Tags: centos, network-share, samba, sssd

I'm trying to connect to an SMB share set up on an AD-integrated CentOS 7 server from a non-domain-joined PC using net use, and the connection fails with the error "The trust relationship between this workstation and the primary domain failed". That error comes up no matter how I enter the username in the login box for the share (e.g. username, domain\username, domain.com\username or username@domain.com). It also doesn't matter what OS the non-domain computer runs; I get the same result on Windows XP, 7 and 10 as long as the machine is not joined to the domain.

Connecting to that same share from an AD-joined PC, using the same credentials, works flawlessly.

The version of Samba running on the server is 4.4.4; AD integration is done using SSSD.

Samba config:

[global]
workgroup = DOMAIN
server string = Samba srv ver %v
max protocol = SMB3

map untrusted to domain = Yes

# Log...
log file = /var/log/samba/%m.log
max log size = 50
log level = 3

security = ads
encrypt passwords = yes
passdb backend = tdbsam
realm = DOMAIN.COM

create mode = 644
directory mode = 755

default case = lower
hide dot files = true

unix extensions = no
allow insecure wide links = yes
follow symlinks = yes

#printers
load printers = yes
cups options = raw
printcap name = /etc/printcap
printing = cups

#Test share:
[share]
   comment = Test Share
   path = /var/test
   public = no
   writable = true
   guest ok = no
#user1 is domain user (OK from domain join PC, NOK from workgrp PC)
   valid users = @"domain users@domain.com" user1

sssd.conf:

[sssd]
domains = domain.com
config_file_version = 2
services = nss, pam, ifp

[domain/domain.com]
ad_domain = domain.com
auth_provider = ad
krb5_realm = DOMAIN.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%d/%u
access_provider = ad

SMB log for connection attempt from non domain PC:

[2017/05/01 14:24:37.300092,  3] ../source3/smbd/oplock.c:1310(init_oplocks)
  init_oplocks: initializing messages.
[2017/05/01 14:24:37.300280,  3] ../source3/smbd/process.c:1957(process_smb)
  Transaction 0 of length 108 (0 toread)
[2017/05/01 14:24:37.300412,  3] ../source3/smbd/smb2_negprot.c:278(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2017/05/01 14:24:37.440766,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2017/05/01 14:24:37.442468,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[user1] domain=[domain] workstation=[3060-W7U-502292] len1=24 len2=302
[2017/05/01 14:24:37.442527,  3] ../source3/param/loadparm.c:3742(lp_load_ex)
  lp_load_ex: refreshing parameters
[2017/05/01 14:24:37.442579,  3] ../source3/param/loadparm.c:544(init_globals)
  Initialising global parameters
[2017/05/01 14:24:37.442659,  3] ../source3/param/loadparm.c:2671(lp_do_section)
  Processing section "[global]"
[2017/05/01 14:24:37.442795,  2] ../source3/param/loadparm.c:2688(lp_do_section)
  Processing section "[share]"
[2017/05/01 14:24:37.444445,  3] ../source3/param/loadparm.c:1588(lp_add_ipc)
  adding IPC service
[2017/05/01 14:24:37.444605,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.445186,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 192.168.1.10
[2017/05/01 14:24:37.445226,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.445530,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.547935,  3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 192.168.1.10 at port 445
[2017/05/01 14:24:37.548715,  3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2017/05/01 14:24:37.548759,  3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/05/01 14:24:37.548775,  3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/05/01 14:24:37.549680,  3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2017/05/01 14:24:37.549699,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2017/05/01 14:24:37.549746,  3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2017/05/01 14:24:37.549783,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.549797,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/05/01 14:24:37.549805,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.550315,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/05/01 14:24:37.550329,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.550983,  3] ../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user [domain]\[user1]@[3060-W7U-502292] with the new password interface
[2017/05/01 14:24:37.551003,  3] ../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [domain]\[user1]@[3060-W7U-502292]
[2017/05/01 14:24:37.551080,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.551481,  3] ../source3/libads/ldap.c:618(ads_connect)
  Successfully contacted LDAP server 192.168.1.10
[2017/05/01 14:24:37.551523,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.551777,  3] ../source3/libsmb/namequery.c:3117(get_dc_list)
  get_dc_list: preferred server list: "DC1.domain.com, *"
[2017/05/01 14:24:37.653364,  3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 192.168.1.10 at port 445
[2017/05/01 14:24:37.654407,  3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2017/05/01 14:24:37.654448,  3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/05/01 14:24:37.654464,  3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/05/01 14:24:37.654937,  3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2017/05/01 14:24:37.654952,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2017/05/01 14:24:37.654990,  3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2017/05/01 14:24:37.655000,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.655009,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/05/01 14:24:37.655022,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.655515,  3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: Access denied
[2017/05/01 14:24:37.656269,  3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 192.168.1.10 at port 445
[2017/05/01 14:24:37.658575,  3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2017/05/01 14:24:37.658613,  3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/05/01 14:24:37.658627,  3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/05/01 14:24:37.659571,  3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2017/05/01 14:24:37.659589,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2017/05/01 14:24:37.659625,  3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2017/05/01 14:24:37.659635,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.659643,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/05/01 14:24:37.659651,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.660838,  3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: Access denied
[2017/05/01 14:24:37.661344,  3] ../source3/lib/util_sock.c:515(open_socket_out_send)
  Connecting to 192.168.1.10 at port 445
[2017/05/01 14:24:37.662126,  3] ../source3/libsmb/cliconnect.c:1837(cli_session_setup_spnego_send)
  Doing spnego session setup (blob length=120)
[2017/05/01 14:24:37.662164,  3] ../source3/libsmb/cliconnect.c:1864(cli_session_setup_spnego_send)
  got OID=1.3.6.1.4.1.311.2.2.30
  got OID=1.2.840.48018.1.2.2
  got OID=1.2.840.113554.1.2.2
  got OID=1.2.840.113554.1.2.2.3
  got OID=1.3.6.1.4.1.311.2.2.10
[2017/05/01 14:24:37.662178,  3] ../source3/libsmb/cliconnect.c:1874(cli_session_setup_spnego_send)
  got principal=not_defined_in_RFC4178@please_ignore
[2017/05/01 14:24:37.663428,  3] ../auth/ntlmssp/ntlmssp_client.c:270(ntlmssp_client_challenge)
  Got challenge flags:
[2017/05/01 14:24:37.663445,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62898215
[2017/05/01 14:24:37.663473,  3] ../auth/ntlmssp/ntlmssp_client.c:726(ntlmssp_client_challenge)
  NTLMSSP: Set final flags:
[2017/05/01 14:24:37.663482,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.663490,  3] ../auth/ntlmssp/ntlmssp_sign.c:509(ntlmssp_sign_reset)
  NTLMSSP Sign/Seal - Initialising with flags:
[2017/05/01 14:24:37.663497,  3] ../auth/ntlmssp/ntlmssp_util.c:69(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0x62008a15
[2017/05/01 14:24:37.667426,  3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: Access denied
[2017/05/01 14:24:37.667512,  0] ../source3/auth/auth_domain.c:184(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2017/05/01 14:24:37.667560,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2017/05/01 14:24:37.667584,  2] ../auth/gensec/spnego.c:719(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2017/05/01 14:24:37.667628,  3] ../source3/smbd/smb2_server.c:3098(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE] || at ../source3/smbd/smb2_sesssetup.c:134
[2017/05/01 14:24:37.668447,  3] ../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
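A triage helper for the log format shown above, added here as an example and not part of the question or of Samba itself: it groups each `[timestamp, level] file:line(function)` header with its indented message lines, extracts the NTLMSSP user/domain/workstation of the incoming client, counts how many times smbd's own pass-through login to the DC was denied, and reports the final NT_STATUS. The sample log is constructed to mirror the entries above (the workstation name is made up).

```python
import re

# Samba level-3 log entry: a header line followed by indented message lines.
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] (?P<src>\S+)\((?P<func>\w+)\)$")
NTLM_USER = re.compile(r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] workstation=\[(?P<ws>[^\]]*)\]")
STATUS = re.compile(r"FAILED with error (?P<status>NT_STATUS_\w+)")

# Constructed sample in the format of the log above (not copied from a live server).
SAMPLE_LOG = """\
[2017/05/01 14:24:37.442468,  3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
  Got user=[user1] domain=[domain] workstation=[WORKGROUP-PC] len1=24 len2=302
[2017/05/01 14:24:37.655515,  3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: Access denied
[2017/05/01 14:24:37.660838,  3] ../source3/libsmb/cliconnect.c:2216(cli_session_setup_done_spnego)
  SPNEGO login failed: Access denied
[2017/05/01 14:24:37.667512,  0] ../source3/auth/auth_domain.c:184(domain_client_validate)
  domain_client_validate: Domain password server not available.
[2017/05/01 14:24:37.667560,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
"""

def parse_entries(text):
    """Group each header line with its indented message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append((m.groupdict(), []))
        elif entries and line.startswith("  "):
            entries[-1][1].append(line.strip())
    return [(h, " ".join(msg)) for h, msg in entries]

def triage_session(text):
    """Who authenticated, how often the DC rejected smbd's pass-through login, and the final status."""
    s = {"user": None, "domain": None, "workstation": None,
         "dc_denied": 0, "password_server_unavailable": False, "status": None}
    for hdr, msg in parse_entries(text):
        if (m := NTLM_USER.search(msg)):
            s.update(user=m["user"], domain=m["domain"], workstation=m["ws"])
        elif hdr["func"] == "cli_session_setup_done_spnego" and "Access denied" in msg:
            s["dc_denied"] += 1     # the DC refused smbd's own session setup
        elif hdr["func"] == "domain_client_validate":
            s["password_server_unavailable"] = True   # smbd gave up on the DC
        elif (m := STATUS.search(msg)):
            s["status"] = m["status"]
    return s
```

Run `triage_session(open("/var/log/samba/<client>.log").read())` on a real per-client log to get the same summary for one client's connection attempt.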

Best Answer

The issue is now partially resolved. On the DC we changed the option Network security: LAN Manager authentication level from "Send NTLMv2 response only" to "Send LM & NTLM - use NTLMv2 session security if negotiated". However, due to the security problems with LM/NTLM, I am not really fond of this solution, so if anyone can point out a better one I'd be really, really grateful!