[Samba] intermittent NT_STATUS_ACCESS_DENIED

egold at fsa.com
Tue Sep 14 20:02:32 GMT 2004





I'm having an intermittent problem with Samba.
I'm running Samba 3.0.2a on Solaris 8 that I downloaded from sunfreeware.com.
I have my smb.conf set up to get passwords from my Active Directory server
and it usually works fine.
I ran a net join command like so to originally join the domain:

root#  net join -S WIN2KSERVER -w MYDOMAIN.com -U Administrator
Password:

Joined domain MYDOMAIN.

It will run for days fine, but all of a sudden at random, users cannot
connect and I will get the following errors in my samba logs:

  smbd version 3.0.2a started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004
[2004/09/14 15:03:40, 2] param/loadparm.c:do_section(3339)
  Processing section "[export]"
[2004/09/14 15:03:40, 2] lib/interface.c:add_interface(79)
  added interface ip=192.168.6.84 bcast=192.168.6.255 nmask=255.255.255.0
[2004/09/14 15:03:40, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
  Registered MSG_REQ_POOL_USAGE
[2004/09/14 15:03:40, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/09/14 15:03:40, 2] smbd/server.c:open_sockets_smbd(318)
  waiting for a connection
[2004/09/14 15:03:41, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.21.144)
[2004/09/14 15:03:41, 2] smbd/reply.c:reply_special(105)
  netbios connect: name1=sunserver         name2=ACH2000
[2004/09/14 15:03:41, 2] smbd/reply.c:reply_special(112)
  netbios connect: local=sunserver remote=ach2000, name type = 0
[2004/09/14 15:03:41, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/09/14 15:03:41, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/09/14 15:03:41, 0]
auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WIN2KSERVER. Error was : NT_STATUS_ACCESS_DENIED.
[2004/09/14 15:03:41, 0]
auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WIN2KSERVER. Error was : NT_STATUS_ACCESS_DENIED.
[2004/09/14 15:03:41, 0]
auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WIN2KSERVER. Error was : NT_STATUS_ACCESS_DENIED.
[2004/09/14 15:03:41, 0]
auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WIN2KSERVER. Error was : NT_STATUS_ACCESS_DENIED.
[2004/09/14 15:03:41, 0] auth/auth_domain.c:domain_client_validate(175)
  domain_client_validate: Domain password server not available.
[2004/09/14 15:03:41, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [jfl] -> [jfl] FAILED with
error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2004/09/14 15:03:43, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/09/14 15:03:43, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/09/14 15:03:43, 0]
auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WIN2KSERVER. Error was : NT_STATUS_ACCESS_DENIED.
[2004/09/14 15:03:43, 0]
auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WIN2KSERVER. Error was : NT_STATUS_ACCESS_DENIED.
[2004/09/14 15:03:43, 0]
auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WIN2KSERVER. Error was : NT_STATUS_ACCESS_DENIED.
[2004/09/14 15:03:43, 0] auth/auth_domain.c:domain_client_validate(175)
  domain_client_validate: Domain password server not available.
[2004/09/14 15:03:43, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [jfl] -> [jfl] FAILED with
error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2004/09/14 15:03:43, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/09/14 15:03:43, 2] smbd/sesssetup.c:setup_new_vc_session(591)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2004/09/14 15:03:44, 0]
auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WIN2KSERVER. Error was : NT_STATUS_ACCESS_DENIED.
[2004/09/14 15:03:44, 0]
auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WIN2KSERVER. Error was : NT_STATUS_ACCESS_DENIED.
[2004/09/14 15:03:44, 0]
auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WIN2KSERVER. Error was : NT_STATUS_ACCESS_DENIED.
[2004/09/14 15:03:44, 0] auth/auth_domain.c:domain_client_validate(175)
  domain_client_validate: Domain password server not available.
[2004/09/14 15:03:44, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [jfl] -> [jfl] FAILED with
error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE


Here is my smb.conf:

[Global] parameters
        workgroup = MYDOMAIN
        wins support = Yes
        hosts allow = all
        encrypt passwords = Yes
        unix password sync = Yes
        passwd program = /usr/bin/passwd %u
        update encrypted = No
        lm announce = true
        log level = 3
# for AD passwords
        password server = WIN2KSERVER
        security = domain
[export]
        path = /export
        comment = export
        browseable = yes
        writable = yes
        read only = No


Thank you in advance!
E
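
Added example, not part of the original post: Python that rejoins the wrapped log lines shown above and separates logon failures where the server's own NETLOGON credential setup failed from ordinary per-user failures. The sample log is constructed in the post's layout; the `abc` bad-password entry and the function names are assumptions for illustration.

```python
import re

# Constructed sample in the wrapped layout of the log above, plus one
# constructed bad-password entry for contrast (not from the original post).
SAMPLE = """\
[2004/09/14 15:03:41, 0]
auth/auth_domain.c:connect_to_domain_password_server(123)
  connect_to_domain_password_server: unable to setup the NETLOGON
credentials to machine WIN2KSERVER. Error was : NT_STATUS_ACCESS_DENIED.
[2004/09/14 15:03:41, 0] auth/auth_domain.c:domain_client_validate(175)
  domain_client_validate: Domain password server not available.
[2004/09/14 15:03:41, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [jfl] -> [jfl] FAILED with
error NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE
[2004/09/14 15:09:02, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [abc] -> [abc] FAILED with
error NT_STATUS_WRONG_PASSWORD
"""

STAMP = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\]")
NETLOGON = re.compile(r"unable to setup the NETLOGON credentials to machine (\S+?)\. "
                      r"Error was : (NT_STATUS_\w+)")
AUTH = re.compile(r"Authentication for user \[([^\]]*)\] -> \[[^\]]*\] FAILED with "
                  r"error (NT_STATUS_\w+)")

def records(text):
    """Rejoin wrapped lines: a record runs from one timestamp to the next."""
    current = None
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:
            if current:
                yield current
            current = [m.group(1), line[m.end():].strip()]
        elif current and line.strip():
            current[1] += " " + line.strip()
    if current:
        yield current

def classify(text):
    """Per failed logon: (time, user, status, 'trust' or 'user', NETLOGON errors before it)."""
    out, netlogon_failures = [], 0
    for when, body in records(text):
        if NETLOGON.search(body):
            netlogon_failures += 1
        elif (m := AUTH.search(body)):
            trust = netlogon_failures or m.group(2) == "NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE"
            out.append((when, m.group(1), m.group(2), "trust" if trust else "user", netlogon_failures))
            netlogon_failures = 0
    return out
```

Entries classified as `trust` point at the server-to-domain-controller channel rather than at the named user's password, which is the pattern in the log above.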



