[Samba] domain_client_validate: unable to validate password for user MACHINE$ in domain DOMAIN to Domain controller \\DC. Error was NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

[Jay Libove]

Hi Samba users -

 

I recently upgraded my domain at home from being controlled by two

somewhat messed up Windows DCs (one 2000 and the other 2003, messed up
by

my own inexpert management..) to a nice clean new single 2003 DC (SBS,
if

it matters).

 

I rejoined all workstations, including a Redhat Fedora FC3 based
machine,

to the new domain. (Actually, I migrated all of the Windows workstations

and servers, and simply rejoined the Linux machine).

 

Since then, I'm getting lots (roughly 70 per day) of the following
message

in /var/log/samba/log.hostname where log.hostname is the hostname
specific

log file for one of the domain member workstations:

 

[2006/06/26 05:18:25, 0] auth/auth_domain.c:domain_client_validate(199) 

domain_client_validate: unable to validate password for user BEAST5$ in 

domain FELINESAD2 to Domain controller \\RESET6 <file:///\\RESET6> .
Error was 

NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT.

 

 

I've done several Google searches and found very few mentions of this at

all (except for many places where Google has indexed copies of the Samba

source code, heh).

 

Since users of that Windows workstation are successfully attaching to

Samba shares on that Linux machine, and the Linux machine is able to

authenticate those users to the 2003 DC, it seems that the Kerberos
setup

is complete.

 

Why am I get the errors about the Linux machine being unable to

authenticate the Windows workstation's Domain account to the Domain? It

ought to be able to (since the Windows workstations is a valid Domain

member), and why is it even trying in the first place (since it is a
user,

not the machine, which is connecting to the shares offered by the Samba

server on the Linux machine) ?

 

Thanks

-Jay Libove, CISSP

Atlanta, GA, US