Andreas Unterkircher
2006-Jan-26 16:49 UTC
[Samba] Samba Active Directory NT_STATUS_ACCESS_DENIED - expired?
Hello list,

I'm using several Samba servers (mix between v2.2 and v3.0 versions) within an Active Directory domain. These servers are normal domain members and winbind is used to look up the domain users on the Linux machines.

Sometimes it looks like some of the servers get kicked out of the domain. In the Samba logs NT_STATUS_ACCESS_DENIED messages suddenly appear and Samba stops authenticating users against the domain.

The computer account is still present in Active Directory. I've checked whether the account has expired, but its expiry time is far away (9223372036854775807, in 2038 ...). The account is neither inactive, disabled nor locked out.

When I try to rejoin on the existing computer account (smbpasswd -j, net join) it works on the Samba side, but in the domain controller's event log I see some of the following errors:

    The session setup from the computer SRV-MFM-30 failed to authenticate.
    The name of the account referenced in the security database is
    SRV-MFM-30$. The following error occurred: Access is denied.

I have to remove the computer object and join the domain again. Then everything works again (for some time).

This happens with security=domain (rpc) and also with security=ads (ldap,kdc,...). The time frame is mostly 2 or 3 months.

Does anyone have a clue what can cause this, or has anyone encountered similar problems?

Cheers,
Andreas Unterkircher

Andrew Bartlett
2006-Jan-31 09:25 UTC
[Samba] Samba Active Directory NT_STATUS_ACCESS_DENIED - expired?
On Wed, 2006-01-25 at 11:42 +0100, Andreas Unterkircher wrote:
> Hello list,
>
> I'm using several Samba servers (mix between v2.2 and v3.0 versions)
> within an Active Directory domain. These servers are normal domain
> members and winbind is used to look up the domain users on the Linux
> machines.
>
> Sometimes it looks like some of the servers get kicked out of the
> domain. In the Samba logs NT_STATUS_ACCESS_DENIED messages suddenly
> appear and Samba stops authenticating users against the domain.
>
> The computer account is still present in Active Directory. I've checked
> whether the account has expired, but its expiry time is far away
> (9223372036854775807, in 2038 ...). The account is neither inactive,
> disabled nor locked out.
>
> When I try to rejoin on the existing computer account (smbpasswd -j,
> net join) it works on the Samba side, but in the domain controller's
> event log I see some of the following errors:
>
> The session setup from the computer SRV-MFM-30 failed to authenticate.
> The name of the account referenced in the security database is
> SRV-MFM-30$. The following error occurred: Access is denied.
>
> I have to remove the computer object and join the domain again. Then
> everything works again (for some time).
>
> This happens with security=domain (rpc) and also with security=ads
> (ldap,kdc,...). The time frame is mostly 2 or 3 months.
>
> Does anyone have a clue what can cause this, or has anyone encountered
> similar problems?

Password expiry is configured from group or domain policy, not a value on the entry.

The command 'net ads changetrustpw' should fix it. We should handle this automatically, but don't (please file a bug, if there isn't one already).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
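
Added example, not part of the thread and not Samba code: a Python helper that decodes the Active Directory timestamps on a computer object. It treats the accountExpires value quoted above (9223372036854775807, i.e. 0x7FFFFFFFFFFFFFFF) as the "never expires" sentinel and measures the trust-password age from pwdLastSet. The pwdLastSet value, the "today" date and the 30-day limit are constructed assumptions; the real limit comes from domain policy.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# accountExpires uses 0 and 0x7FFFFFFFFFFFFFFF (9223372036854775807) for "never".
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)


def filetime_to_datetime(ticks):
    """Convert an AD timestamp (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def account_expiry(account_expires):
    """Return the expiry time, or None when the account never expires."""
    if account_expires in NEVER_EXPIRES:
        return None  # converting the sentinel would overflow datetime
    return filetime_to_datetime(account_expires)


def assess_machine_account(entry, now, max_age_days):
    """Summarise expiry and trust-password age for one computer object."""
    age = now - filetime_to_datetime(int(entry["pwdLastSet"]))
    return {
        "account": entry["sAMAccountName"],
        "account_expires": account_expiry(int(entry["accountExpires"])),
        "password_age_days": age.days,
        "password_older_than_policy": age > timedelta(days=max_age_days),
    }


# Constructed sample entry: attribute values as LDAP returns them (strings).
SAMPLE_ENTRY = {
    "sAMAccountName": "SRV-MFM-30$",
    "accountExpires": "9223372036854775807",
    "pwdLastSet": "127752768000000000",  # constructed: 2005-11-01 00:00 UTC
}

if __name__ == "__main__":
    report = assess_machine_account(
        SAMPLE_ENTRY,
        now=datetime(2006, 1, 26, tzinfo=timezone.utc),  # constructed "today"
        max_age_days=30,  # assumption: take the real value from domain policy
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```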