[cifs-protocol] [REG:111071166110452] access denied in NetrLogonSamLogonEx

Edgar Olougouna edgaro at microsoft.com
Tue Jul 19 12:37:55 MDT 2011 

Matthieu,

After reviewing this with the NRPC and DFRS product teams, MS-NRPC 3.5.5.5.1 will be clarified to reflect the following.

"If the Netlogon service is paused, sysvol is not in a ready state, or if the client is not using a secure RPC then the server must return STATUS_ACCESS_DENIED."

I also confirmed with the DFRS product team that if there is no FRS/DFSR replication then sysvol data is not populated from the other domain controller. As a result, sysvol cannot be ready without the data. 
Therefore, the answer to your question is: no, sysvol cannot be ready without any replication engine used. 

In case this is useful, this article explains how FRS works on a Windows DC and how FRS sets the SysvolReady registry entry during SYSVOL creation and replication.
How FRS Works http://technet.microsoft.com/en-us/library/cc758169(WS.10).aspx
Section: What Happens When SYSVOL is Created During Domain Controller Promotion

Regards,
Edgar

-----Original Message-----
From: Matthieu Patou [mailto:mat at samba.org] 
Sent: Tuesday, July 12, 2011 5:13 PM
To: Edgar Olougouna
Cc: Hongwei Sun; pfif at tridgell.net; cifs-protocol at samba.org
Subject: Re: [cifs-protocol] [REG:111071166110452] access denied in NetrLogonSamLogonEx

On 13/07/2011 01:27, Edgar Olougouna wrote:
> Matthieu,
>
> It appears that the behavior you observed is by design. From the debugger, the Netlogon service is running in the following condition.
> If the Netlogon service is paused or the Sysvol is not in ready state, only logons from inside the machine (MsvApSecureChannel) and logons from a BDC in the domain (ServerSecureChannel ) can be accepted.
>
> The data shows that your Netlogon service is in a running state but your Sysvol is not in a ready state. Since the secure channel type is WorkstationSecureChannel, the NetrLogonSamLogonEx call is rejected with STATUS_ACCESS_DENIED.
I guess you have to update the documentation to add this to the reasons why we should return status access denied, or because the sysvol is not in the ready state it means that " the client is not using a secure RPC (schannel)."

For the later I must confess that it would be quite strange as I would have rather say: "if the netlogon service is paused of if the sysvol is not in a ready state then we concider that the client is not using a secure RPC".

Personally I would have understood directly if the 3.5.4.4.1 paragraph would have said: "if the netlogon service is paused of if the sysvol is not in a ready state _or_ if  the client is not using a secure RPC" then we return ACCESS_DENIED.


> Do you recall the sequence of tests you performed before this error surfaced?
Oh it's a simple DC join on a samba domain, but as we don't support
(yet) FRS or DFR it's quite normal that the sysvol can't be replicated.

> Based on the information above, can you reconcile this with the sequence of tests you performed?
Yeah it looks quite understandable. The question is, is there a way to put the sysvol in a ready state when the frs replication is not working (because for instance the other DC didn't implement it).

Matthieu.
>
> Regards,
> Edgar
>
> -----Original Message-----
> From: Edgar Olougouna
> Sent: Tuesday, July 12, 2011 3:23 PM
> To: 'mat at samba.org'
> Cc: Hongwei Sun; pfif at tridgell.net; cifs-protocol at samba.org
> Subject: RE: [cifs-protocol] [REG:111071166110452] access denied in 
> NetrLogonSamLogonEx
>
> Matthieu,
>
> Thanks for the pointer. I was sure one of the version was not in sync. I updated my debugger and the ttt utility and can now load the trace.
> I will update you on the progress of my investigation.
>
> Regards,
> Edgar
>
> -----Original Message-----
> From: Matthieu Patou [mailto:mat at samba.org]
> Sent: Tuesday, July 12, 2011 2:38 PM
> To: Edgar Olougouna
> Cc: Hongwei Sun; pfif at tridgell.net; cifs-protocol at samba.org
> Subject: Re: [cifs-protocol] [REG:111071166110452] access denied in 
> NetrLogonSamLogonEx
>
> Hi Edgar,
>
> Far from me the will to avoid redoing things but I have the impression that it will be pointless.
> The version that you send me is the one that I was using a couple of days ago, and Hongwei wasn't able to read them so he send me a more recent version of ttt.
>
> Your is 1084928 2009-09-29 23:11 TTTSetup_x86_external.msi His is 
> 1085440 2010-05-24 22:14 TTTSetup_x86_external.msi
>
> My system is Windows 2003r2 32 bits standard edition.
>
> MD5 of files are (with md5sum on Linux):
>
> 449a9575b6fc1ae6f15024d38a10027d  lsass01.out
> ff6870df75b548577b95e1dbf1d52e52  lsass01.run
>
> For the reference md5sum on your installer is
> fab4b7523105463ce1a4d3e9dd7dd201  TTTSetup_x86_external.msi
>
> Can you see with hongwei ? Just because the transfer could have broke the files, I just reuploaded them.
>
>
> Matthieu.
>
>    On 12/07/2011 21:05, Edgar Olougouna wrote:
>> Matthieu,
>>
>> I copied over the files you previously sent to Hongwei. But unfortunately my debugger cannot open them. It's not clear whether they are corrupted. I tried both 32bit and 64bit debuggers.
>>
>> I need you capture new traces with the version of TTT utility I uploaded for you at the workspace. You need to download this TTT, uninstall any previous version you had and install the one I sent. It is in MSExternal.zip.
>> Workspace location:
>> https://sftemea.one.microsoft.com/choosetransfer.aspx?key=11d7e2fb-4f
>> 3
>> e-48ff-ad69-e46f60c84cf6 I am re-sending the password in a separate 
>> email.
>>
>> Please send the new TTT trace and a full network capture as well.
>> Thanks,
>> Edgar
>>
>> -----Original Message-----
>> From: Hongwei Sun
>> Sent: Monday, July 11, 2011 4:52 PM
>> To: Edgar Olougouna; mat at samba.org
>> Cc: pfif at tridgell.net; cifs-protocol at samba.org
>> Subject: RE: [cifs-protocol] [REG:111071166110452] access denied in 
>> NetrLogonSamLogonEx
>>
>> Edgar,
>>
>>     Matthieu already transferred the files to one workspace I created for him in another case.  I will give you the access to that workspace.
>>
>> Matthieu,
>>
>>     You don't need to do it again.
>>
>> Hongwei
>>
>> -----Original Message-----
>> From: cifs-protocol-bounces at cifs.org
>> [mailto:cifs-protocol-bounces at cifs.org] On Behalf Of Edgar Olougouna
>> Sent: Monday, July 11, 2011 4:50 PM
>> To: mat at samba.org
>> Cc: pfif at tridgell.net; cifs-protocol at samba.org
>> Subject: [cifs-protocol] [REG:111071166110452] access denied in 
>> NetrLogonSamLogonEx
>>
>> [Adding case information in subject]
>>
>> Matthieu,
>>
>> I am happy to look into this for you. I have created the following workspace for this case. Please upload the traces to this location. I will be sending the password in a separate email.
>> Workspace location:
>> https://sftemea.one.microsoft.com/choosetransfer.aspx?key=11d7e2fb-4f
>> 3
>> e-48ff-ad69-e46f60c84cf6
>>
>> For case tracking record, please note that we use one workspace per customer support case. That way, once you upload a trace and send us data, they are linked to that particular case and available to whoever is investigating the case.
>>
>> Regards,
>> Edgar
>>
>> -----Original Message-----
>> From: Matthieu Patou [mailto:mat at samba.org]
>> Sent: Monday, July 11, 2011 1:18 PM
>> To: mat at samba.org
>> Cc: Interoperability Documentation Help; pfif at tridgell.net; 
>> cifs-protocol at samba.org
>> Subject: Re: [cifs-protocol] access denied in NetrLogonSamLogonEx
>>
>> On 11/07/2011 21:39, Matthieu Patou wrote:
>>> Dear doc help,
>>>
>>> I'm receving a STATUS_ACCESS_DENIED when using ntlm_auth against a 
>>> Windows 2003 DC.
>>>
>>> According to the NRPC.pdf paragraph 3.5.4.4.1, the server is 
>>> supposed to return ACCESS_DENIED if the client is not using a secure 
>>> RPC (schannel).
>>>
>>> In this particular case it's not the case as we can see that the 
>>> information are encapsulated in a schannel communication. What are 
>>> the other reasons for Windows to return this error ?
>>>
>>> The same call on a Samba4 DC in the same domain is OK, I configured 
>>> the domain to not keep the lan manager password.
>>>
>>> Matthieu.
>>>
>> I'm also uploading in the link sent by hongwei on the first of july (the one which finish by c3ef297d3290) a  tttrace, the network capture and the extract of the netrlogonsamlogonex for packet 115.
>>
>> Matthieu.
>>
>> --
>> Matthieu Patou
>> Samba Team        http://samba.org
>> Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
>>
>>
>>
>> _______________________________________________
>> cifs-protocol mailing list
>> cifs-protocol at cifs.org
>> https://lists.samba.org/mailman/listinfo/cifs-protocol
>>
>
> --
> Matthieu Patou
> Samba Team        http://samba.org
> Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
>
>
>


--
Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary

More information about the cifs-protocol mailing list