Hi all,
I've been having this issue with my configuration for ages, and I've just been working around the problem rather than fixing it.
I have a CentOS 6.8 server running sssd 1.13.3 and Samba 3.6.23.
The server is joined to an AD domain. I've tried using both adcli and "net ads"; it doesn't seem to matter which one I use.
Initially both normal authentication and access to the server via Samba work with AD users, but after a certain period of time (it seems to be in the region of a month or two), Samba access to the server stops working.
Running smbclient on the server shows the problem as well as normal access from a Windows workstation, and smbclient says:
$ smbclient //myserver/johnb
Enter johnb's password:
session setup failed: NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
My workaround has been to rejoin the server to the domain, which clears the issue.
Any idea what could be causing this?
Obfuscated config files:

/etc/samba/smb.conf:

[global]
workgroup = AD
password server = dc1.example.com dc2.example.com *
realm = EXAMPLE.COM
security = ads
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab

idmap config * : backend = tdb
idmap config * : range = 10000 - 19999

/etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = AD

[domain/AD]
# Base configuration
cache_credentials = True
#debug_level = 9
#debug_level = 0x97e0
#debug_level = 0xfff0
debug_level = 4
dyndns_update = false
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
refresh_expired_interval = 4050

# AD specific options
ad_enable_dns_sites = true
ad_server = _srv_,dc1.example.com,dc2.example.com
ad_backup_server = example.com
ad_domain = example.com

# ID mapping
ldap_id_mapping = false

# Sudo
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

John
sssd-users@lists.fedorahosted.org