[Samba] Daily changetrustpw breaks authentication
Michael Gasch
gasch at eva.mpg.de
Thu Mar 16 08:03:47 GMT 2006
after some investigation i have a question for you:
are you only running winbindd or smbd, too? as i understood "net rpc..."
is only necessary on hosts running only winbindd (e.g. for squid).
greez
Jim Moser wrote:
> Anyone have any thoughts on this? Is changetrustpw even required? Are
> other people using it with success?
>
> Thanks,
> -Jim
>
> On Tue, 14 Mar 2006, Jim Moser wrote:
>
>> Samba 3.0.21b
>>
>> The Samba docs indicate [0] we should be running changetrustpw [1] at some
>> point (cron.daily) to update a machines trust account.
>>
>> However, I've seen multiple instances with 2 seperate AD environments
>> where this breaks our ability to enumerate/authenticate with the domain.
>> In both instances, we see something similar to the following in the
>> winbind logs:
>>
>> (ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:winbind_pw_check(429)
>> (ntlm_auth): Login for user [DOMAIN]\[USER]@[ITOPER] failed due to [Access denied]
>> (ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
>> (ntlm_auth): NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>>
>> Re-joining the host to the domain fixes the problem, even though it still
>> appears to have had a valid machine account in the domain prior to.
>>
>> Yes, I'm using NTLM auth with Squid. I don't think it's Squid related, as
>> wbinfo -t (ie not Squid) returns:
>>
>> [$]# wbinfo -t
>> checking the trust secret via RPC calls failed
>> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
>> Could not check secret
>>
>> I had another AD environment where changetrustpw never resulted in this
>> disjoin. I don't see any smoking guns that point to any differences in
>> the environments that might account for this.
>>
>> I've searched around looking for possible causes, but I haven't seen any
>> solid clues as to how to fix this.
--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
49 (0)341 - 3550 374
Fax: 49 (0)341 - 3550 399
More information about the samba
mailing list