[Samba] security = user vs security = domain and winbind trust

Aaron E. ssureshot at gmail.com
Thu May 19 07:09:38 MDT 2011


If you require any more information, let me know, and thanks in advance.

I'm working with dansguardian and squid with ntlm_auth.

I join squid to the domain and it works for 7 days. After 7 days to the 
minute from the time I joined the server to the domain winbind decides 
it has lost its trust. And then squid can't utilize ntlm_auth as it 
requires winbind to function properly. I'm using the packaged version 
from Ubuntu Lucid.. samba 3.4.7..

I guess from what I've researched winbind isn't able to change or 
doesn't get updated with the machine password? Can I force this somehow? 
Does it have anything to do with the fact I don't have an AD domain and 
using security = domain?

security = user  (winbind doesn't return users or groups with wbinfo and 
squid will not authenticate.)
security = domain ( winbind works for 7 days as does squid, once the 7 
days is up I have to rejoin the machine to the domain in order to get it 
in a working condition..)

My DC is a samba server with openldap as its backend.

wbinfo -t returns the following

checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret

Below is a snippet of winbind.log

   initialize_winbindd_cache: clearing cache and re-creating with version number 1
[2011/05/19 08:57:27,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
   Added domain BUILTIN  S-1-5-32
[2011/05/19 08:57:27,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
   Added domain APPSRV5  S-1-5-21-2430456434-2706775456-2994855025
[2011/05/19 08:57:27,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
   Added domain EXAMPLE  S-1-5-21-496710657-683828429-1874078741
[2011/05/19 08:57:28,  3] libsmb/cliconnect.c:940(cli_session_setup_spnego)
   Doing spnego session setup (blob length=58)
[2011/05/19 08:57:28,  3] libsmb/cliconnect.c:967(cli_session_setup_spnego)
   got OID=1.3.6.1.4.1.311.2.2.10
[2011/05/19 08:57:28,  3] libsmb/cliconnect.c:975(cli_session_setup_spnego)
   got principal=NONE
[2011/05/19 08:57:28,  3] libsmb/ntlmssp.c:1023(ntlmssp_client_challenge)
   Got challenge flags:
[2011/05/19 08:57:28,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
   Got NTLMSSP neg_flags=0x60898215
[2011/05/19 08:57:28,  3] libsmb/ntlmssp.c:1045(ntlmssp_client_challenge)
   NTLMSSP: Set final flags:
[2011/05/19 08:57:28,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
   Got NTLMSSP neg_flags=0x60088215
[2011/05/19 08:57:28,  3] libsmb/ntlmssp_sign.c:342(ntlmssp_sign_init)
   NTLMSSP Sign/Seal - Initialising with flags:
[2011/05/19 08:57:28,  3] libsmb/ntlmssp.c:62(debug_ntlmssp_flags)
   Got NTLMSSP neg_flags=0x60088215
[2011/05/19 08:57:28,  3] winbindd/winbindd_cm.c:570(cm_get_ipc_userpass)
   cm_get_ipc_userpass: No auth-user defined
[2011/05/19 08:57:28,  1] rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
   cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host NETFILES2!
[2011/05/19 08:57:31,  3] winbindd/winbindd_misc.c:754(winbindd_interface_version)
   [10751]: request interface version
[2011/05/19 08:57:31,  3] winbindd/winbindd_misc.c:787(winbindd_priv_pipe_dir)
   [10751]: request location of privileged pipe
[2011/05/19 08:57:31,  3] winbindd/winbindd_misc.c:34(winbindd_check_machine_acct)
   [10751]: check machine account
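
An added example, not part of the original post: a small Python parser that groups winbind.log output like the excerpt above into records and picks out the entries that matter when the trust check fails. The function names, the level threshold of 1 and the sample text (constructed from the lines quoted in the post) are assumptions.

```python
import re

# Constructed sample modelled on the winbind.log excerpt in the post,
# including a header that the mail client wrapped before its source location.
SAMPLE_LOG = """\
[2011/05/19 08:57:27,  2] winbindd/winbindd_util.c:235(add_trusted_domain)
   Added domain BUILTIN  S-1-5-32
[2011/05/19 08:57:28,  3] winbindd/winbindd_cm.c:570(cm_get_ipc_userpass)
   cm_get_ipc_userpass: No auth-user defined
[2011/05/19 08:57:28,  1]
rpc_client/cli_pipe.c:949(cli_pipe_validate_current_pdu)
   cli_pipe_validate_current_pdu: RPC fault code
DCERPC_FAULT_OP_RNG_ERROR received from host NETFILES2!
[2011/05/19 08:57:31,  3] winbindd/winbindd_misc.c:34(winbindd_check_machine_acct)
   [10751]: check machine account
"""
# Constructed from the wbinfo -t output quoted in the post.
SAMPLE_WBINFO = "error code was NT_STATUS_ACCESS_DENIED (0xc0000022)"

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s*(.*)$")
CODES = re.compile(r"\b(?:NT_STATUS|DCERPC_FAULT)_[A-Z0-9_]+\b")

def parse(text):
    """Group debug output into records: '[time, level] source' header plus message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3).strip(), "message": ""})
        elif records and line.strip():
            rec = records[-1]
            if not rec["source"]:   # wrapped header: this line is the source location
                rec["source"] = line.strip()
            else:                   # message text, possibly wrapped over several lines
                rec["message"] = (rec["message"] + " " + line.strip()).strip()
    return records

def trust_findings(records, max_level=1):
    """Records logged at level <= max_level or carrying an NT_STATUS_/DCERPC_FAULT_ code."""
    return [(r["time"], r["level"], r["source"], CODES.findall(r["message"]))
            for r in records
            if r["level"] <= max_level or CODES.search(r["message"])]

def status_code(wbinfo_output):
    """First status code in 'wbinfo -t' output, or None if no code was printed."""
    m = CODES.search(wbinfo_output)
    return m.group(0) if m else None

if __name__ == "__main__":
    for finding in trust_findings(parse(SAMPLE_LOG)):
        print(finding)
    print(status_code(SAMPLE_WBINFO))
```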



