[Samba] Samba Active Directory NT_STATUS_ACCESS_DENIED - expired?

Andrew Bartlett abartlet at samba.org
Tue Jan 31 09:25:11 GMT 2006


On Wed, 2006-01-25 at 11:42 +0100, Andreas Unterkircher wrote:
> Hello list,
> 
> I'm using several samba servers (mix between v2.2 and v3.0 versions) 
> within an Active Directory domain. These servers are normal domain 
> members and winbind is used to lookup the domain users on the linux 
> machines.
> 
> Sometimes it looks like some of the servers get kicked out of the 
> domain. In the samba logs suddenly NT_STATUS_ACCESS_DENIED messages 
> appear and samba stops authenticating users against the domain.
> 
> The computer account is still present in Active Directory. I've checked 
> if the account has expired but its expiry time is far away 
> (9223372036854775807, in 2038 ...). The account is neither inactive, 
> disabled or locked out.
> 
> When I try to rejoin on the existing computer account (smbpasswd -j, 
> net join) it works on samba side but in the domain controllers event 
> log I see some of the following errors:
> 
> The session setup from the computer SRV-MFM-30 failed to authenticate. 
> The name of the account referenced in the security database is 
> SRV-MFM-30$.  The following error occurred: Access is denied.
> 
> I have to remove the computer object and join the domain again. Then 
> everything works again (for some time).
> 
> This happens with security=domain (rpc) and also with security=ads 
> (ldap,kdc,...). The timeframe is mostly 2 or 3 months.
> 
> Anyone has a clue what can cause this or encountered similar problems?

Password expiry is configured from group or domain policy, not a value
on the entry.  The command 'net ads changetrustpw' should fix it. 

We should handle this automatically, but don't (please file a bug, if
there isn't one already).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
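
Added example, not part of the original message or of Samba: a small decoder for the Active Directory large-integer timestamps discussed in this thread, showing that an `accountExpires` of 9223372036854775807 is the "never expires" sentinel rather than a date, and that machine password age has to be judged against a policy value instead. The `pwdLastSet` input, the 30-day policy value and the sample dates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# AD stores these attributes as Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 0 and 0x7FFFFFFFFFFFFFFF are sentinels (unset / never), not real dates.
SENTINELS = (0, 0x7FFFFFFFFFFFFFFF)


def filetime_to_datetime(ticks):
    """Return a UTC datetime, or None when the value is a sentinel."""
    ticks = int(ticks)
    if ticks in SENTINELS:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build sample input."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def machine_account_report(account_expires, pwd_last_set, now, max_age_days):
    """Separate 'account expired' from 'machine password older than policy'."""
    expires = filetime_to_datetime(account_expires)
    changed = filetime_to_datetime(pwd_last_set)
    age = None if changed is None else now - changed
    return {
        "account_expires": expires,
        "account_expired": expires is not None and expires <= now,
        "password_changed": changed,
        "password_age_days": None if age is None else age.days,
        # An unset pwdLastSet is treated as stale so it gets looked at.
        "password_stale": age is None or age > timedelta(days=max_age_days),
    }


if __name__ == "__main__":
    # Constructed sample: accountExpires as quoted in the thread,
    # pwdLastSet and the policy value (30 days) are assumed.
    now = datetime(2006, 1, 25, tzinfo=timezone.utc)
    last_set = datetime_to_filetime(datetime(2005, 11, 1, tzinfo=timezone.utc))
    report = machine_account_report(9223372036854775807, last_set, now, 30)
    for key, value in report.items():
        print(f"{key}: {value}")
```
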