[Samba] Daily changetrustpw breaks authentication
Jim Moser
jmoser at diamondgate.net
Wed Mar 15 22:59:54 GMT 2006
Anyone have any thoughts on this? Is changetrustpw even required? Are
other people using it with success?
Thanks,
-Jim
On Tue, 14 Mar 2006, Jim Moser wrote:
> Samba 3.0.21b
>
> The Samba docs indicate [0] we should be running changetrustpw [1] at some
> point (cron.daily) to update a machines trust account.
>
> However, I've seen multiple instances with 2 seperate AD environments
> where this breaks our ability to enumerate/authenticate with the domain.
> In both instances, we see something similar to the following in the
> winbind logs:
>
> (ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:winbind_pw_check(429)
> (ntlm_auth): Login for user [DOMAIN]\[USER]@[ITOPER] failed due to [Access denied]
> (ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
> (ntlm_auth): NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>
> Re-joining the host to the domain fixes the problem, even though it still
> appears to have had a valid machine account in the domain prior to.
>
> Yes, I'm using NTLM auth with Squid. I don't think it's Squid related, as
> wbinfo -t (ie not Squid) returns:
>
> [$]# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret
>
> I had another AD environment where changetrustpw never resulted in this
> disjoin. I don't see any smoking guns that point to any differences in
> the environments that might account for this.
>
> I've searched around looking for possible causes, but I haven't seen any
> solid clues as to how to fix this.
--
Jim Moser
DiamondGate Networks
http://www.diamondgate.net/
More information about the samba
mailing list