[Samba] Daily changetrustpw breaks authentication

Jim Moser jmoser at diamondgate.net
Tue Mar 14 18:03:15 GMT 2006

Samba 3.0.21b

The Samba docs indicate [0] we should be running changetrustpw [1] at some 
point (cron.daily) to update a machine's trust account.

However, I've seen multiple instances with 2 separate AD environments 
where this breaks our ability to enumerate/authenticate with the domain.  
In both instances, we see something similar to the following in the 
winbind logs:

(ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:winbind_pw_check(429)
(ntlm_auth): Login for user [DOMAIN]\[USER]@[ITOPER] failed due to [Access denied]
(ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)

Re-joining the host to the domain fixes the problem, even though it still 
appears to have had a valid machine account in the domain prior to that.

Yes, I'm using NTLM auth with Squid.  I don't think it's Squid related, as 
wbinfo -t (i.e. not Squid) returns:

[$]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret

I had another AD environment where changetrustpw never resulted in this 
disjoin.  I don't see any smoking guns that point to any differences in 
the environments that might account for this.

I've searched around looking for possible causes, but I haven't seen any 
solid clues as to how to fix this.

Jim Moser
DiamondGate Networks

[0] http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

[1] Example cron script looks like:

exec net ads -S $DOMAIN changetrustpw
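As an added illustration (not part of Jim's post or of Samba itself), the cron line above can be wrapped so the rotation only runs when winbind can already validate the trust secret, and the secret is re-checked with wbinfo -t afterwards, so a rotation that breaks the trust is reported the same day rather than when users start getting NT_STATUS_ACCESS_DENIED. DOMAIN, LOG and VERIFY_DELAY are assumed environment variables, and the return codes are this wrapper's own convention.

```shell
#!/bin/sh
# Cron wrapper around `net ads changetrustpw` (added example, not Samba code).
# Assumes DOMAIN is set in the cron environment and that `net` and `wbinfo`
# are on PATH; both exit non-zero on failure.

# Append one timestamped line to the wrapper's log file.
log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"; }

# Return 0 when winbind can validate the machine trust secret, 1 otherwise
# (this is the same check the post runs by hand with `wbinfo -t`).
trust_ok() {
    wbinfo -t >/dev/null 2>&1
}

# Rotate the trust password only when the trust is currently healthy, then
# re-check it. Return codes (wrapper convention):
#   0 rotated and verified      2 trust already broken, nothing done
#   3 changetrustpw failed      4 trust broken after rotation
rotate_trust() {
    LOG=${LOG:-/var/log/changetrustpw.log}
    if ! trust_ok; then
        log "trust already broken before rotation; not running changetrustpw"
        return 2
    fi
    if ! net ads -S "$DOMAIN" changetrustpw >> "$LOG" 2>&1; then
        log "net ads changetrustpw failed"
        return 3
    fi
    # Give winbind a moment to pick up the new secret, then re-verify.
    sleep "${VERIFY_DELAY:-5}"
    if ! trust_ok; then
        log "trust broken after rotation; a rejoin (net ads join) may be needed"
        return 4
    fi
    log "trust password rotated and verified"
    return 0
}

# From cron: `changetrustpw-wrapper.sh run`; a non-zero exit gets cron's
# usual mail, which is the alert the post was missing.
case "${1:-}" in
    run) rotate_trust ;;
esac
```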

