ncacn_np NETLOGON with workstation trust account ok?

Michael B Allen ioplex at gmail.com
Thu Apr 23 18:06:09 GMT 2009


On Thu, Apr 16, 2009 at 12:14 PM, Dave Daugherty
<dave.daugherty at centrify.com> wrote:
> Michael,
>
> We encountered a similar problem.  In our case someone had changed the Domain Policy -> Local Policies -> User Rights Assignments -> Access this computer from the network and changed the groups. In particular "Authenticated users" was removed and "Domain Users" was added. This allowed AD users to logon but not domain member computers.
>
> Check both Domain Policies and Domain Controller Policies.  Usually the groups are configured on the Domain Controller policy but in our case they were overridden in the Domain Policy.

Hi Dave et al,

I was hoping to get a definitive answer from the customer about this
before I responded but it doesn't look like that is going to happen.

After looking at a capture it was discovered that integrity flags were
turned off. So SMB signatures were off and NTLM2 Key Exchange was not
negotiated. I do not know yet if that is directly responsible for the
STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT error but it does indicate
that my customer, who integrated my code into their application, is
either setting properties that they are not supposed to or they are
using an old version of the JCIFS library.

But I think the customer is having trouble finding where integrity is
actually being turned off. I supplied them with a simple command-line
test program that just connects to NETLOGON and does a
DsrEnumerateDomainTrusts. Since it runs completely independently of
the customer's application that should at least determine if the
problem is the code or the environment. But for whatever reason I
can't seem to convince them to run the test.

Regarding domain policy - that certainly sounded promising but the
customer provided detailed screen shots of the GPO, Domain Security
Policy and Domain Controller Security Policy screens and everything
looks correct. They all either have Authenticated Users and the groups
generally look unmolested (aside from some benign looking IIS groups)
or that "Access this computer from the network" security option is not
defined. So at this point I'm leaning toward the bad NTLMSSP flags.

If I get the definitive word on this I will follow up.

Thanks for your help and I have not forgotten that you have helped me
before. I appreciate it.

Mike

-- 
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/
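The integrity flags Mike mentions (SMB signing, NTLM2 session security, key exchange) are bits in the NTLMSSP NegotiateFlags field, so a quick way to check a capture is to decode that field. The following is an added example, not code from the thread or from JCIFS; it parses the flags out of a raw NTLMSSP token (offsets and bit values from MS-NLMP) and reports which integrity-related flags are absent, using a constructed NEGOTIATE message as sample input.

```python
import struct

# NTLMSSP NegotiateFlags bits (MS-NLMP section 2.2.2.5)
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_SIGN = 0x00000010
NEGOTIATE_SEAL = 0x00000020
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000  # "NTLM2" session security in JCIFS terms
NEGOTIATE_128 = 0x20000000
NEGOTIATE_KEY_EXCH = 0x40000000

SIGNATURE = b"NTLMSSP\x00"
# Offset of NegotiateFlags for NEGOTIATE (1), CHALLENGE (2), AUTHENTICATE (3)
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}

INTEGRITY_FLAGS = {
    "NTLMSSP_NEGOTIATE_SIGN": NEGOTIATE_SIGN,
    "NTLMSSP_NEGOTIATE_ALWAYS_SIGN": NEGOTIATE_ALWAYS_SIGN,
    "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY": NEGOTIATE_EXTENDED_SESSIONSECURITY,
    "NTLMSSP_NEGOTIATE_KEY_EXCH": NEGOTIATE_KEY_EXCH,
}

def parse_ntlmssp_flags(msg: bytes):
    """Return (message_type, negotiate_flags) from a raw NTLMSSP token."""
    if not msg.startswith(SIGNATURE) or len(msg) < 12:
        raise ValueError("not an NTLMSSP message")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    off = FLAGS_OFFSET.get(msg_type)
    if off is None or len(msg) < off + 4:
        raise ValueError("unknown or truncated NTLMSSP message")
    return msg_type, struct.unpack_from("<I", msg, off)[0]

def missing_integrity_flags(flags: int):
    """Names of the integrity-related flags that are NOT set."""
    return [name for name, bit in INTEGRITY_FLAGS.items() if not flags & bit]

def build_negotiate(flags: int) -> bytes:
    """Constructed sample NEGOTIATE_MESSAGE with empty domain/workstation fields."""
    return SIGNATURE + struct.pack("<II", 1, flags) + bytes(16)

if __name__ == "__main__":
    weak = build_negotiate(NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
    strong = build_negotiate(NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_SIGN
                             | NEGOTIATE_ALWAYS_SIGN | NEGOTIATE_EXTENDED_SESSIONSECURITY
                             | NEGOTIATE_128 | NEGOTIATE_KEY_EXCH)
    for label, token in (("weak", weak), ("strong", strong)):
        _, f = parse_ntlmssp_flags(token)
        print(label, hex(f), missing_integrity_flags(f) or "integrity flags present")
```

For a real capture, feed the NTLMSSP token extracted from the SMB Session Setup or RPC bind (the bytes starting at "NTLMSSP\0") into parse_ntlmssp_flags.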

