ncacn_np NETLOGON with workstation trust account ok?
Michael B Allen
ioplex at gmail.com
Thu Apr 16 01:12:54 GMT 2009
On Wed, Apr 15, 2009 at 7:57 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2009-04-15 at 19:44 -0400, Michael B Allen wrote:
>> Does anyone know of an issue with authenticating an SMB named pipe
>> using a workstation trust account? I have someone who is getting the
>> following error during the NTLMSSP session setup:
>> 0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT "The account
>> used is a Computer Account. Use your global user account or local user
>> account to access this server."
>> My code is just some Java that is basically does what winbind does
>> (last I checked winbind also used ncacn_np as opposed to ncacn_ip_tcp)
>> so I'm wondering if you guys have ever seen this issue with winbind?
>> I have tested this with many other people without ever seeing this
>> error so I'm somewhat perplexed as to what the problem could be.
> Is your issue that you have a member server that you implement, that you
> wish to accept connections too, or that you have a client that is trying
> to contact a Windows member server in the AD domain.
> Anyway, what is happening here is that the domain controller returns
> that error message unless a flag
> (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT) is set in the
> netr_IdentityInfo.parameter_control element in the eventual SamLogon
> request to the DC.
Thanks for the quick response. Unfortunately I do not think that this
is the problem. The failure occurs way before the NetrLogonSamLogon
call and NetrIdentityInfo.parameter_control is 0x00000820 so it has
the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x800) flag on anyway.
The code is basically just JCIFS' DCERPC acting as a member server for
authenticating web clients using NTLM. The point of failure is the
SMB_COM_SESSION_SETUP_ANDX between JCIFS and the NETLOGON pipe on the
domain controller - the SMB_COM_SESSION_SETUP response is in error
with the aforementioned STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT.
The only suspicuous thing I can find at this point is that the NTLMSSP
NEGOTIATE_MESSAGE and AUTHENTICATE_MESSAGE Workstatiion fields are
like "JCIFS2_24_C9" which is a little wrong whereas the UserName field
is correct like "SAMNAME$".
But the thing that perplexes me is that at least two dozen people have
successfully used this code so I have to wonder if the
STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT error is just coming out of
left field and is actually an artefact of something else like some
weird flag on the Computer account or the service account name or
password is somehow messed up.
More information about the samba-technical