[Samba] domain_client_validate: unable to validate password for user MACHINE$ in domain DOMAIN to Domain controller \\DC. Error was NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

Jay Libove libove at felines.org
Mon Jun 26 11:24:36 GMT 2006

Hi Samba users -

I recently upgraded my domain at home from being controlled by two 
somewhat messed up Windows DCs (one 2000 and the other 2003, messed up by 
my own inexpert management..) to a nice clean new single 2003 DC (SBS, if 
it matters).

I rejoined all workstations, including a Redhat Fedora FC3 based machine, 
to the new domain. (Actually, I migrated all of the Windows workstations 
and servers, and simply rejoined the Linux machine).

Since then, I'm getting lots (roughly 70 per day) of the following message 
in /var/log/samba/log.hostname where log.hostname is the hostname specific 
log file for one of the domain member workstations:

[2006/06/26 05:18:25, 0] auth/auth_domain.c:domain_client_validate(199)  domain_client_validate: unable to validate password for user BEAST5$ in domain FELINESAD2 to Domain controller \\RESET6. Error was NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT.

I've done several Google searches and found very few mentions of this at 
all (except for many places where Google has indexed copies of the Samba 
source code, heh).

Since users of that Windows workstation are successfully attaching to 
Samba shares on that Linux machine, and the Linux machine is able to 
authenticate those users to the 2003 DC, it seems that the Kerberos setup 
is complete.

Why am I get the errors about the Linux machine being unable to 
authenticate the Windows workstation's Domain account to the Domain? It 
ought to be able to (since the Windows workstations is a valid Domain 
member), and why is it even trying in the first place (since it is a user, 
not the machine, which is connecting to the shares offered by the Samba 
server on the Linux machine) ?

-Jay Libove, CISSP
Atlanta, GA, US

More information about the samba mailing list