ncacn_np NETLOGON with workstation trust account ok?

Thu Apr 16 02:56:15 GMT 2009

On Wed, 2009-04-15 at 22:44 -0400, Michael B Allen wrote:
> On Wed, Apr 15, 2009 at 9:42 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> > On Wed, 2009-04-15 at 21:12 -0400, Michael B Allen wrote:
> >> On Wed, Apr 15, 2009 at 7:57 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> >> > On Wed, 2009-04-15 at 19:44 -0400, Michael B Allen wrote:
> >> >> Hi,
> >> >>
> >> >> Does anyone know of an issue with authenticating an SMB named pipe
> >> >> using a workstation trust account? I have someone who is getting the
> >> >> following error during the NTLMSSP session setup:
> >> >>
> >> >>   0xC0000199 STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT "The account
> >> >> used is a Computer Account. Use your global user account or local user
> >> >> account to access this server."
> >> >>
> >> >> My code is just some Java that is basically does what winbind does
> >> >> (last I checked winbind also used ncacn_np as opposed to ncacn_ip_tcp)
> >> >> so I'm wondering if you guys have ever seen this issue with winbind?
> >> >>
> >> >> I have tested this with many other people without ever seeing this
> >> >> error so I'm somewhat perplexed as to what the problem could be.
> >> >
> >> > Is your issue that you have a member server that you implement, that you
> >> > wish to accept connections too, or that you have a client that is trying
> >> > to contact a Windows member server in the AD domain.
> >> >
> >> > Anyway, what is happening here is that the domain controller returns
> >> > that error message unless a flag
> >> > (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT) is set in the
> >> > netr_IdentityInfo.parameter_control element in the eventual SamLogon
> >> > request to the DC.
> >>
> >> Hi Andrew,
> >>
> >> Thanks for the quick response. Unfortunately I do not think that this
> >> is the problem. The failure occurs way before the NetrLogonSamLogon
> >> call and NetrIdentityInfo.parameter_control is 0x00000820 so it has
> >> the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x800) flag on anyway.
> >>
> >> The code is basically just JCIFS' DCERPC acting as a member server for
> >> authenticating web clients using NTLM. The point of failure is the
> >> SMB_COM_SESSION_SETUP_ANDX between JCIFS and the NETLOGON pipe on the
> >> domain controller - the SMB_COM_SESSION_SETUP response is in error
> >> with the aforementioned STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT.
> >
> > Is this an old-style NTLM session setup, or full NTLMSSP extended
> > security (blobs)?
> >
> > The domain controller will not internally apply the
> > MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT to an old-style session setup, in
> > order to trigger a behaviour used in enrolling early Windows NT 4.0
> > machines into a domain (the password would be set to the machine name,
> > and the machine would check that the password was so by logging in using
> > SMB, and expecting this error).
> 
> It's full-blown NTLMv2 extended security (blobs) with NTLM2 session
> security (for NTLMv1 as well as NTLMv2), key exchange and Secure
> Channel.
> 
> But still I don't see how that flag could be involved if the code does
> not even get past the SMB_COM_SESSION_SETUP_ANDX.

What is the DC in this case?

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20090416/420ad27e/attachment.bin