Michael, In both instances, I'm running smbd/nmbd as well as winbindd.
-Jim On Thu, 16 Mar 2006, Michael Gasch wrote: > after some investigation i have a question for you: > are you only running winbindd or smbd, too? as i understood "net rpc..." is > only necessary on hosts running only winbindd (e.g. for squid). > > greez > > Jim Moser wrote: > > Anyone have any thoughts on this? Is changetrustpw even required? Are > > other people using it with success? > > > > Thanks, > > -Jim > > > > On Tue, 14 Mar 2006, Jim Moser wrote: > > > > > Samba 3.0.21b > > > > > > The Samba docs indicate [0] we should be running changetrustpw [1] at some > > > point (cron.daily) to update a machines trust account. > > > > > > However, I've seen multiple instances with 2 seperate AD environments > > > where this breaks our ability to enumerate/authenticate with the domain. > > > In both instances, we see something similar to the following in the > > > winbind logs: > > > > > > (ntlm_auth): [2006/03/14 14:11:16, 0] > > > utils/ntlm_auth.c:winbind_pw_check(429) > > > (ntlm_auth): Login for user [EMAIL PROTECTED] failed due to [Access > > > denied] > > > (ntlm_auth): [2006/03/14 14:11:16, 0] > > > utils/ntlm_auth.c:manage_squid_ntlmssp_request(603) > > > (ntlm_auth): NTLMSSP BH: NT_STATUS_ACCESS_DENIED > > > > > > Re-joining the host to the domain fixes the problem, even though it still > > > appears to have had a valid machine account in the domain prior to. > > > > > > Yes, I'm using NTLM auth with Squid. I don't think it's Squid related, as > > > wbinfo -t (ie not Squid) returns: > > > > > > [$]# wbinfo -t > > > checking the trust secret via RPC calls failed > > > error code was NT_STATUS_ACCESS_DENIED (0xc0000022) > > > Could not check secret > > > > > > I had another AD environment where changetrustpw never resulted in this > > > disjoin. I don't see any smoking guns that point to any differences in > > > the environments that might account for this. > > > > > > I've searched around looking for possible causes, but I haven't seen any > > > solid clues as to how to fix this. > > -- Jim Moser DiamondGate Networks http://www.diamondgate.net/ -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
