Authentication Problems during Authoritive restore of SYSVOL

[Martin.Sheppard at csiro.au]

Hi,
 
We recently went through an authorative restore of the SYSVOL information on
all of our W2K DCs. We have samba servers that are members of this domain
and are authenticating users using the domain security mode. During the
restore process a registry key is set on the DCs which stops them
Authenticating people during the restore. The problem comes about because
during this time the DCs seem to report NT_STATUS_ACCESS_DENIED rather than
the ususal NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD (see log
extract below). Samba 2.2.3a is interpreting this response as an
authentication failed rather than interpreting it to mean that the DC is not
available. Perhaps the authentication routines should be rewritten so that
samba will try a different DC on its list unless the first one returns
NT_STATUS_NO_SUCH_USER or NT_STATUS_WRONG_PASSWORD to avoid this sort of
situation cropping up in other situations where there is a malfunctioning
DC. At the very least we should try the next one if it returns
NT_STATUS_ACCESS_DENIED because we know that this doesn't necessarily mean
that the password is wrong.
 
[2002/04/26 09:54:09, 0] rpc_client/cli_netlogon.c:cli_net_sam_logon(391)
cli_net_sam_logon: NT_STATUS_ACCESS_DENIED
[2002/04/26 09:54:09, 0] smbd/password.c:domain_client_validate(1470)
domain_client_validate: unable to validate password for user XXX in domain
XXXX to Domain controller XXXXXX. Error was NT_STATUS_ACCESS_DENIED.
 
Cheers,
 
Martin.
-------------- next part --------------
HTML attachment scrubbed and removed