Re: [Samba] Daily changetrustpw breaks authentication

Thu, 16 Mar 2006 00:04:32 -0800 

after some investigation i have a question for you:
are you only running winbindd or smbd, too? as i understood "net rpc..." is only necessary on hosts running only winbindd (e.g. for squid). 

greez

Jim Moser wrote:

Anyone have any thoughts on this?  Is changetrustpw even required?  Are 
other people using it with success?


Thanks,
-Jim

On Tue, 14 Mar 2006, Jim Moser wrote:


Samba 3.0.21b


The Samba docs indicate [0] we should be running changetrustpw [1] at some 
point (cron.daily) to update a machines trust account.



However, I've seen multiple instances with 2 seperate AD environments 
where this breaks our ability to enumerate/authenticate with the domain.  
In both instances, we see something similar to the following in the 
winbind logs:


(ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:winbind_pw_check(429)
(ntlm_auth): Login for user [EMAIL PROTECTED] failed due to [Access denied]
(ntlm_auth): [2006/03/14 14:11:16, 0] 
utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
(ntlm_auth): NTLMSSP BH: NT_STATUS_ACCESS_DENIED


Re-joining the host to the domain fixes the problem, even though it still 
appears to have had a valid machine account in the domain prior to.



Yes, I'm using NTLM auth with Squid.  I don't think it's Squid related, as 
wbinfo -t (ie not Squid) returns:


[$]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret


I had another AD environment where changetrustpw never resulted in this 
disjoin.  I don't see any smoking guns that point to any differences in 
the environments that might account for this.



I've searched around looking for possible causes, but I haven't seen any 
solid clues as to how to fix this.


--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany

Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374

Fax:   49 (0)341 - 3550 399

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba






















					Reply via email to