[Samba] Samba Active Directory NT_STATUS_ACCESS_DENIED - expired?
Andrew Bartlett
abartlet at samba.org
Tue Jan 31 09:25:11 GMT 2006
On Wed, 2006-01-25 at 11:42 +0100, Andreas Unterkircher wrote:
> Hello list,
>
> I'm using several Samba servers (a mix of v2.2 and v3.0 versions)
> within an Active Directory domain. These servers are normal domain
> members and winbind is used to look up the domain users on the Linux
> machines.
>
> Sometimes it looks like some of the servers get kicked out of the
> domain. In the Samba logs NT_STATUS_ACCESS_DENIED messages suddenly
> appear and Samba stops authenticating users against the domain.
>
> The computer account is still present in Active Directory. I've checked
> if the account has expired but its expiry time is far away
> (9223372036854775807, in 2038 ...). The account is neither inactive,
> disabled nor locked out.
>
> When I try to rejoin on the existing computer account (smbpasswd -j,
> net join) it works on the Samba side, but in the domain controller's
> event log I see some of the following errors:
>
> The session setup from the computer SRV-MFM-30 failed to authenticate.
> The name of the account referenced in the security database is
> SRV-MFM-30$. The following error occurred: Access is denied.
>
> I have to remove the computer object and join the domain again. Then
> everything works again (for some time).
>
> This happens with security=domain (rpc) and also with security=ads
> (ldap,kdc,...). The timeframe is mostly 2 or 3 months.
>
> Does anyone have a clue what can cause this, or has anyone encountered
> similar problems?
Password expiry is configured from group or domain policy, not a value
on the entry. The command 'net ads changetrustpw' should fix it.
We should handle this automatically, but don't (please file a bug, if
there isn't one already).
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
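
The following is an added example, not part of the original message and not Samba code. It decodes the two time-valued attributes an administrator would read from the computer object over LDAP (`accountExpires`, `pwdLastSet`) and flags when the machine trust password is older than a chosen limit, so that 'net ads changetrustpw' can be run before authentication starts failing. The attribute values for SRV-MFM-30$ are constructed, and the 30-day limit is an assumed policy value.

```python
from datetime import datetime, timedelta, timezone

# AD stores these attributes as 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # in accountExpires both mean "never expires"

# Constructed sample values for the computer object named in the thread.
SAMPLE = {
    "sAMAccountName": "SRV-MFM-30$",
    "accountExpires": "9223372036854775807",  # the value quoted in the thread
    "pwdLastSet": "127752768000000000",       # constructed: 2005-11-01 00:00 UTC
}


def filetime_to_datetime(ticks):
    """Return an aware datetime, or None for the 'never' / 'not set' sentinels."""
    ticks = int(ticks)
    if ticks in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def review_machine_account(attrs, now, max_password_age):
    """Summarise expiry-related state of a computer object.

    max_password_age is a timedelta chosen by the administrator (assumption:
    it mirrors whatever domain or group policy applies to machine passwords).
    """
    expires = filetime_to_datetime(attrs["accountExpires"])
    pwd_set = filetime_to_datetime(attrs["pwdLastSet"])
    age = None if pwd_set is None else now - pwd_set
    return {
        "account_expires": expires,  # None means the account never expires
        "account_expired": expires is not None and expires <= now,
        "password_last_set": pwd_set,
        "password_age_days": None if age is None else age.days,
        # A missing timestamp is treated as "rotate now".
        "rotate_trust_password": age is None or age > max_password_age,
    }


if __name__ == "__main__":
    now = datetime(2006, 1, 31, 9, 25, 11, tzinfo=timezone.utc)
    for key, value in review_machine_account(SAMPLE, now, timedelta(days=30)).items():
        print(f"{key}: {value}")
```
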