[Samba] Daily changetrustpw breaks authentication

Jim Moser jmoser at diamondgate.net
Thu Mar 16 16:07:34 GMT 2006


Michael,

In both instances, I'm running smbd/nmbd as well as winbindd.

-Jim

On Thu, 16 Mar 2006, Michael Gasch wrote:

> After some investigation I have a question for you:
> are you only running winbindd, or smbd too? As I understood it, "net rpc..." is
> only necessary on hosts running only winbindd (e.g. for Squid).
> 
> greez
> 
> Jim Moser wrote:
> > Anyone have any thoughts on this?  Is changetrustpw even required?  Are
> > other people using it with success?
> > 
> > Thanks,
> > -Jim
> > 
> > On Tue, 14 Mar 2006, Jim Moser wrote:
> > 
> > > Samba 3.0.21b
> > >
> > > The Samba docs indicate [0] we should be running changetrustpw [1] at some
> > > point (cron.daily) to update a machines trust account.
> > >
> > > However, I've seen multiple instances with 2 separate AD environments
> > > where this breaks our ability to enumerate/authenticate with the domain.
> > > In both instances, we see something similar to the following in the
> > > winbind logs:
> > >
> > > (ntlm_auth): [2006/03/14 14:11:16, 0]
> > > utils/ntlm_auth.c:winbind_pw_check(429)
> > > (ntlm_auth): Login for user [DOMAIN]\[USER]@[ITOPER] failed due to [Access
> > > denied]
> > > (ntlm_auth): [2006/03/14 14:11:16, 0]
> > > utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
> > > (ntlm_auth): NTLMSSP BH: NT_STATUS_ACCESS_DENIED
> > >
> > > Re-joining the host to the domain fixes the problem, even though it still
> > > appears to have had a valid machine account in the domain prior to that.
> > >
> > > Yes, I'm using NTLM auth with Squid.  I don't think it's Squid related, as
> > > wbinfo -t (ie not Squid) returns:
> > >
> > > [$]# wbinfo -t
> > > checking the trust secret via RPC calls failed
> > > error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> > > Could not check secret
> > >
> > > I had another AD environment where changetrustpw never resulted in this
> > > disjoin.  I don't see any smoking guns that point to any differences in
> > > the environments that might account for this.
> > >
> > > I've searched around looking for possible causes, but I haven't seen any
> > > solid clues as to how to fix this.
> 
> 

-- 
Jim Moser
DiamondGate Networks
http://www.diamondgate.net/
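The thread's symptom is a cron.daily `net rpc changetrustpw` that leaves the host unable to talk to the domain, with nothing noticed until `wbinfo -t` fails or users can't authenticate. The script below is an added example (not part of the thread, and not Samba's own tooling) of how to run that rotation from cron with a `wbinfo -t` check on both sides, so a broken trust is refused up front and a rotation that breaks the trust fails the job (cron mails the output and the exit code is non-zero) instead of disjoining the box silently. It assumes the `wbinfo -t` success line reads "checking the trust secret via RPC calls succeeded" (the failure text is the one quoted above); the function names and the `--run` flag are this example's own, and the simulated outputs used to exercise it are constructed.

```shell
#!/bin/sh
# Example wrapper for a cron.daily trust-password rotation with pre- and
# post-checks. Hypothetical script, not part of Samba.
set -e

# Thin wrappers around the real commands. Kept as functions so they can be
# replaced (e.g. for testing) and so a non-zero exit does not abort the script.
wbinfo_t() { wbinfo -t 2>&1 || true; }
net_changetrustpw() { net rpc changetrustpw 2>&1 || true; }

# Print the first NT_STATUS_* code found in the given text, or nothing.
# On the failure output quoted in the thread this yields NT_STATUS_ACCESS_DENIED.
nt_status_of() {
    printf '%s\n' "$1" | sed -n 's/.*\(NT_STATUS_[A-Z_]*\).*/\1/p' | head -n 1
}

# Succeed only when winbind reports the trust secret check passed.
# Assumes the Samba 3 success line "checking the trust secret via RPC calls succeeded".
trust_ok() {
    printf '%s\n' "$1" | grep -q 'via RPC calls succeeded'
}

# Rotate the machine trust password and verify it afterwards.
# Returns 0 on verified success, 2 if the trust was already broken before
# rotation (so we refuse to touch it), 1 if the rotation broke the trust.
rotate_trust_password() {
    before=$(wbinfo_t)
    if ! trust_ok "$before"; then
        code=$(nt_status_of "$before")
        echo "pre-check failed (${code:-no NT_STATUS code}); refusing to rotate"
        return 2
    fi

    # Let net's own output through; cron mails it together with our verdict.
    net_changetrustpw

    after=$(wbinfo_t)
    if ! trust_ok "$after"; then
        code=$(nt_status_of "$after")
        echo "post-check failed (${code:-no NT_STATUS code}); trust broken by rotation, rejoin needed"
        return 1
    fi

    echo "trust password rotated and verified"
    return 0
}

# Only act when explicitly asked, e.g. from /etc/cron.daily: changetrustpw.sh --run
# With set -e a non-zero return here becomes the script's exit status.
if [ "${1:-}" = "--run" ]; then
    rotate_trust_password
fi
```

Because the pre-check runs before anything is changed, a host whose trust is already in the `NT_STATUS_ACCESS_DENIED` state is left alone for an admin to rejoin, and the daily job will not keep rotating a password the domain no longer accepts.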