[Samba] Samba Active Directory NT_STATUS_ACCESS_DENIED - expired?

Andreas Unterkircher unki at netshadow.at
Wed Jan 25 10:42:16 GMT 2006

Hello list,

I'm using several samba server (mix between v2.2 and v3.0 versions) 
within an Active Directory domain. These servers are normal domain 
members and winbind is used to lookup the domain users on the linux 

Sometimes it looks like that some of the servers get kicked out of the 
domain. In the samba logs suddenly NT_STATUS_ACCESS_DENIED messages 
appear and samba stopps authenticate users against domain.

The computer account is still present in Active Directory. I've check 
if the account has expired but it's expired time is far away 
(9223372036854775807, in 2038 ...). The account is neither inactive, 
disabled or locked out.

When I try to rejoin on the existing computer account (smbpasswd -j, 
net join) it works on samba side but in the domain controllers event 
log I see some of the following errors:

The session setup from the computer SRV-MFM-30 failed to authenticate. 
The name of the account referenced in the security database is 
SRV-MFM-30$.  The following error occurred: Access is denied.

I have to remove the computer object and join the domain again. Then 
everything works again (for some time).

This happens with security=domain (rpc) and also with security=ads 
(ldap,kdc,...). The timeframe ist mostly 2 or 3 months.

Anyone has a clue what can cause this or encountered similar problems?

Andreas Unterkircher

More information about the samba mailing list