ncacn_np NETLOGON with workstation trust account ok?
Michael B Allen
ioplex at gmail.com
Wed Jun 10 19:52:40 GMT 2009
On Thu, Apr 16, 2009 at 12:14 PM, Dave
Daugherty<dave.daugherty at centrify.com> wrote:
> We encountered a similar problem. In our case someone had changed the Domain Policy -> Local Policies -> User Rights Assignments -> Access this computer from the network and changed the groups. In particular "Authenticated users" was removed and "Domain Users" was added. This allowed AD users to logon but not domain member computers.
> Check both Domain Policies and Domain Controller Polices. Usually the groups are configured on the Domain Controller policy but in our case they were overridden in the Domain Policy.
I just ran into very similar NETLOGON over ncacn_np problem today.
When setting up the NETLOGON named pipe with Secure Channel, our code
fails with "Access denied" on the second NT_CREATE_ANDX to /netlogon
(after switching to anonymous to do Secure Channel). So it
successfully does the first NT_CREATE_ANDX on /netlogon using the
service account credentials and then
NetrServerReqChallenge/NetrServerAuthenticate2 and then
SESSION_SETUP_ANDX/TREE_CONNECT_ANDX as anonymous to IPC$ is all
successful. But when we then try to do NT_CREATE_ANDX as anonymous on
/netlogon we get "Access denied".
If we disable Secure Channel so that my code does not try to reconnect
to /netlogon as anonymous everything works ok. We took a capture of
IIS doing NetrLogonSamLogon against the same domain and it worked. So
without dissecting every little flag, the only difference looks like
that we're using ncacn_np transport and IIS is using ncacn_tcp_ip. So
it looks like I need to implement ncacn_tcp_ip in JCIFS.
Is there a way to do Secure Channel over ncacn_np without using anonymous?
Considering this works on a test domain at the same company and for
all of our other customers I must believe that there is a security
policy option behind this. The "Access this computer from the network"
groups look ok (and if they were not I suspect the error would have
occurred earlier in the protocol exchange). There are a lot of
security options under:
Domain Security Policy > Local Policies > Security Options > Network
that look very pertainent like "Network access: Restrict anonymous to
Named Pipes and Shares" but I have a screen shot that section from the
customer that shows everything as "Not defined".
Has anyone heard of this before? Winbind uses ncacn_np so if I'm
correct, someone should have run into this before.
More information about the samba-technical