ncacn_np NETLOGON with workstation trust account ok?

Andrew Bartlett abartlet at samba.org
Wed Apr 15 23:57:27 GMT 2009


On Wed, 2009-04-15 at 19:44 -0400, Michael B Allen wrote:
> Hi,
> 
> Does anyone know of an issue with authenticating an SMB named pipe
> using a workstation trust account? I have someone who is getting the
> following error during the NTLMSSP session setup:
> 
>   0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT "The account
> used is a Computer Account. Use your global user account or local user
> account to access this server."
> 
> My code is just some Java that basically does what winbind does
> (last I checked winbind also used ncacn_np as opposed to ncacn_ip_tcp)
> so I'm wondering if you guys have ever seen this issue with winbind?
> 
> I have tested this with many other people without ever seeing this
> error so I'm somewhat perplexed as to what the problem could be.

Is your issue that you have a member server that you implement, that you
wish to accept connections to, or that you have a client that is trying
to contact a Windows member server in the AD domain?

Anyway, what is happening here is that the domain controller returns
that error message unless a flag
(MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT) is set in the
netr_IdentityInfo.parameter_control element in the eventual SamLogon
request to the DC. 

The reason for this is that in NT4 days, machine accounts were not
permitted to authenticate (only useful for NETLOGON), but as anonymous
access to the network became a problem, the combination of this flag (to
allow the legacy default) and the machine account login were permitted.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
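
The gate described in the reply above, as an added example that is not part of the original message and is not Samba's or Windows' code: a simplified C model of the account-type check applied to a SamLogon request. The function name `account_type_gate` is hypothetical; the flag and status values are the publicly documented MS-NRPC ParameterControl, userAccountControl and NTSTATUS constants, and the server-trust case is included as the analogous check for domain controller accounts.

```c
#include <stdint.h>
#include <stdio.h>

/* netr_IdentityInfo.parameter_control bits (MS-NRPC ParameterControl). */
#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT      0x00000020u
#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x00000800u

/* userAccountControl account-type bits of the account being validated. */
#define UF_NORMAL_ACCOUNT            0x0200u
#define UF_WORKSTATION_TRUST_ACCOUNT 0x1000u
#define UF_SERVER_TRUST_ACCOUNT      0x2000u

#define STATUS_SUCCESS                           0x00000000u
#define STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT 0xC0000199u
#define STATUS_NOLOGON_SERVER_TRUST_ACCOUNT      0xC000019Au

/* Hypothetical model of the DC-side decision: a machine account is refused
 * unless the member server forwarding the logon opted in through the
 * matching parameter_control bit. Password checks are out of scope here. */
uint32_t account_type_gate(uint32_t uac, uint32_t parameter_control)
{
    if ((uac & UF_SERVER_TRUST_ACCOUNT) &&
        !(parameter_control & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT))
        return STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
    if ((uac & UF_WORKSTATION_TRUST_ACCOUNT) &&
        !(parameter_control & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT))
        return STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed cases: account type x flags sent by the member server. */
    struct { const char *what; uint32_t uac, pc; } cases[] = {
        { "user account, no flags",          UF_NORMAL_ACCOUNT, 0 },
        { "workstation account, no flags",   UF_WORKSTATION_TRUST_ACCOUNT, 0 },
        { "workstation account, flag set",   UF_WORKSTATION_TRUST_ACCOUNT,
          MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT },
        { "workstation account, wrong flag", UF_WORKSTATION_TRUST_ACCOUNT,
          MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-34s -> 0x%08X\n", cases[i].what,
               (unsigned)account_type_gate(cases[i].uac, cases[i].pc));
    return 0;
}
```

When diagnosing 0xC0000199 on a session setup, the value to inspect is the parameter_control field in the SamLogon request that the target server sends to the DC, not anything in the client's NTLMSSP exchange.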
