Samba 3.0.21b

The Samba docs indicate [0] we should be running changetrustpw [1] at some
point (cron.daily) to update a machine's trust account.

However, I've seen multiple instances with 2 separate AD environments
where this breaks our ability to enumerate/authenticate with the domain.
In both instances, we see something similar to the following in the
winbind logs:

(ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:winbind_pw_check(429)
(ntlm_auth): Login for user [DOMAIN]\[USER]@[ITOPER] failed due to [Access denied]
(ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
(ntlm_auth): NTLMSSP BH: NT_STATUS_ACCESS_DENIED

Re-joining the host to the domain fixes the problem, even though it still
appears to have had a valid machine account in the domain prior to that.

Yes, I'm using NTLM auth with Squid. I don't think it's Squid related, as
wbinfo -t (i.e. not Squid) returns:

[$]# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
Could not check secret

I had another AD environment where changetrustpw never resulted in this
disjoin. I don't see any smoking guns that point to any differences in
the environments that might account for this.

I've searched around looking for possible causes, but I haven't seen any
solid clues as to how to fix this.

--
Jim Moser
DiamondGate Networks
http://www.diamondgate.net/

[0] http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
[1] Example cron script looks like:

#!/bin/sh
exec net ads -S $DOMAIN changetrustpw
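As an added example (not from this thread and not Samba's own code), a wrapper around the cron step in [1] that checks the machine trust secret with wbinfo -t before and after the rotation, so the post-rotation NT_STATUS_ACCESS_DENIED state is logged and the job exits non-zero instead of being discovered later as failed NTLM logins. It assumes winbindd is running and $DOMAIN names the domain as in [1]; the log path is a placeholder.

```shell
#!/bin/sh
# Added example: rotate the machine trust password only when the trust is
# currently good, then re-verify it. Exit codes: 0 ok, 2 pre-check failed,
# 3 "net ads changetrustpw" failed, 4 trust broken after rotation.
DOMAIN="${DOMAIN:-EXAMPLE}"                      # placeholder domain
LOG="${TRUSTPW_LOG:-/var/log/changetrustpw.log}" # placeholder log path

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# trust_ok: returns 0 when "wbinfo -t" succeeds; otherwise logs wbinfo's
# output (which carries the NT_STATUS code) and returns 1.
trust_ok() {
    out=$(wbinfo -t 2>&1) && rc=0 || rc=$?
    if [ "$rc" -eq 0 ]; then
        return 0
    fi
    log "wbinfo -t failed (rc=$rc): $out"
    return 1
}

rotate_trust_pw() {
    # Refuse to rotate a trust that is already broken; that needs a re-join.
    trust_ok || { log "pre-check failed; not rotating"; return 2; }
    if ! net ads -S "$DOMAIN" changetrustpw >> "$LOG" 2>&1; then
        log "net ads changetrustpw failed for $DOMAIN"
        return 3
    fi
    if trust_ok; then
        log "trust password rotated and verified for $DOMAIN"
        return 0
    fi
    log "trust broken after rotation; host may need re-joining"
    return 4
}

# Only rotate when invoked as "changetrustpw.sh --run" (e.g. from cron).
if [ "${1:-}" = "--run" ]; then
    rotate_trust_pw
fi
```

A non-zero exit from cron is what surfaces the problem; grep the log for NT_STATUS_ACCESS_DENIED to see which step failed.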
Hi,

Just for my understanding: you should run net rpc changetrustpw to force
changing the machine trust in the domain regularly? I thought domain
machines (no matter if Windows clients, DCs or Samba domain members) do
this automatically? Or is this related to the secret in a domain trust
between two Samba DCs?

Thanks for any hints!

micha

Jim Moser wrote:
> Samba 3.0.21b
>
> The Samba docs indicate [0] we should be running changetrustpw [1] at some
> point (cron.daily) to update a machine's trust account.
>
> However, I've seen multiple instances with 2 separate AD environments
> where this breaks our ability to enumerate/authenticate with the domain.
> In both instances, we see something similar to the following in the
> winbind logs:
>
> (ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:winbind_pw_check(429)
> (ntlm_auth): Login for user [DOMAIN]\[USER]@[ITOPER] failed due to [Access denied]
> (ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
> (ntlm_auth): NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>
> Re-joining the host to the domain fixes the problem, even though it still
> appears to have had a valid machine account in the domain prior to that.
>
> Yes, I'm using NTLM auth with Squid. I don't think it's Squid related, as
> wbinfo -t (i.e. not Squid) returns:
>
> [$]# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret
>
> I had another AD environment where changetrustpw never resulted in this
> disjoin. I don't see any smoking guns that point to any differences in
> the environments that might account for this.
>
> I've searched around looking for possible causes, but I haven't seen any
> solid clues as to how to fix this.

--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax:   49 (0)341 - 3550 399
Anyone have any thoughts on this? Is changetrustpw even required? Are
other people using it with success?

Thanks,
-Jim

On Tue, 14 Mar 2006, Jim Moser wrote:
> Samba 3.0.21b
>
> The Samba docs indicate [0] we should be running changetrustpw [1] at some
> point (cron.daily) to update a machine's trust account.
>
> However, I've seen multiple instances with 2 separate AD environments
> where this breaks our ability to enumerate/authenticate with the domain.
> In both instances, we see something similar to the following in the
> winbind logs:
>
> (ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:winbind_pw_check(429)
> (ntlm_auth): Login for user [DOMAIN]\[USER]@[ITOPER] failed due to [Access denied]
> (ntlm_auth): [2006/03/14 14:11:16, 0] utils/ntlm_auth.c:manage_squid_ntlmssp_request(603)
> (ntlm_auth): NTLMSSP BH: NT_STATUS_ACCESS_DENIED
>
> Re-joining the host to the domain fixes the problem, even though it still
> appears to have had a valid machine account in the domain prior to that.
>
> Yes, I'm using NTLM auth with Squid. I don't think it's Squid related, as
> wbinfo -t (i.e. not Squid) returns:
>
> [$]# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> Could not check secret
>
> I had another AD environment where changetrustpw never resulted in this
> disjoin. I don't see any smoking guns that point to any differences in
> the environments that might account for this.
>
> I've searched around looking for possible causes, but I haven't seen any
> solid clues as to how to fix this.

--
Jim Moser
DiamondGate Networks
http://www.diamondgate.net/
Jim Moser wrote:
> Samba 3.0.21b
> The Samba docs indicate [0] we should be running changetrustpw [1] at some
> point (cron.daily) to update a machine's trust account.

AFAIK, not required.

> [0] http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5

That's not a Samba doc... (-:

--
Rex