[Samba] Daily changetrustpw breaks authentication

Michael Gasch gasch at eva.mpg.de
Wed Mar 15 10:15:57 GMT 2006 

hi,

just for my understanding - you should run net rpc changetrustpw to 
force changing the machine trust in the domain regularly? i thought 
domain machines (no matter if windows clients, DCs or samba domain 
members) do this automatically? or is this related to the secret in a 
domain trust between two samba DCs?

thanks for any hints!

micha

Jim Moser wrote:
> Samba 3.0.21b
> 
> The Samba docs indicate [0] we should be running changetrustpw [1] at some 
> point (cron.daily) to update a machines trust account.
> 
> However, I've seen multiple instances with 2 seperate AD environments 
> where this breaks our ability to enumerate/authenticate with the domain.  
> In both instances, we see something similar to the following in the 
> winbind logs:
> 
> (ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:winbind_pw_check(429)
> (ntlm_auth): Login for user [DOMAIN]\[USER]@[ITOPER] failed due to [Access denied]
> (ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
> (ntlm_auth): NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> 
> Re-joining the host to the domain fixes the problem, even though it still 
> appears to have had a valid machine account in the domain prior to.
> 
> Yes, I'm using NTLM auth with Squid.  I don't think it's Squid related, as 
> wbinfo -t (ie not Squid) returns:
> 
> [$]# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret
> 
> I had another AD environment where changetrustpw never resulted in this 
> disjoin.  I don't see any smoking guns that point to any differences in 
> the environments that might account for this.
> 
> I've searched around looking for possible causes, but I haven't seen any 
> solid clues as to how to fix this.

-- 
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
        49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399

More information about the samba mailing list