3.0.28a - NT_STATUS_ACCESS_DENIED + ADS

Andrew Kuriger itspecific at gmail.com
Mon Aug 16 09:17:44 MDT 2010


Hello,

I have been encountering an issue with our current Samba 3 configuration on an Ubuntu 8.04
(2.6.24) installation. We are using this device as our primary file server, authenticated
and joined to a Windows 2k Domain.

I have had no problems with Winbind enumeration and general authentication server side.
Client side is another issue. Our client environment is 99% Windows XP SP3.

I have been noticing that some users are having *intermittent* authentication issues that
are logged as

> [2010/08/13 16:30:03, 3] smbd/process.c:process_smb(1083)
>   Transaction 8 of length 110
> [2010/08/13 16:30:03, 3] smbd/process.c:switch_message(932)
>   switch message SMBtrans2 (pid 11514) conn 0xac4890
> [2010/08/13 16:30:03, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>   setting sec ctx (65534, 65534) - sec_ctx_stack_ndx = 0
> [2010/08/13 16:30:03, 3] smbd/msdfs.c:get_referred_path(633)
>   get_referred_path: |username| in dfs path \smbserver\username is not a dfs root.
> [2010/08/13 16:30:03, 3] smbd/error.c:error_packet_set(106)
>   error packet at smbd/trans2.c(6281) cmd=50 (SMBtrans2) NT_STATUS_NOT_FOUND
> [2010/08/13 16:30:03, 3] smbd/process.c:process_smb(1083)
>   Transaction 9 of length 240
> [2010/08/13 16:30:03, 3] smbd/process.c:switch_message(932)
>   switch message SMBsesssetupX (pid 11514) conn 0x0
> [2010/08/13 16:30:03, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/08/13 16:30:03, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1253)
>   wct=12 flg2=0xc807
> [2010/08/13 16:30:03, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
>   Doing spnego session setup
> [2010/08/13 16:30:03, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
>   NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
> [2010/08/13 16:30:03, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
>   reply_spnego_negotiate: Got secblob of size 40
> [2010/08/13 16:30:03, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
>   Got NTLMSSP neg_flags=0xa2088207
> [2010/08/13 16:30:03, 3] smbd/process.c:process_smb(1083)
>   Transaction 10 of length 354
> [2010/08/13 16:30:03, 3] smbd/process.c:switch_message(932)
>   switch message SMBsesssetupX (pid 11514) conn 0x0
> [2010/08/13 16:30:03, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/08/13 16:30:03, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1253)
>   wct=12 flg2=0xc807
> [2010/08/13 16:30:03, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
>   Doing spnego session setup
> [2010/08/13 16:30:03, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
>   NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
> [2010/08/13 16:30:03, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
>   Got user=[username] domain=[OURDOMAIN] workstation=[OURDOMAIN-203] len1=24 len2=24
> [2010/08/13 16:30:03, 3] auth/auth.c:check_ntlm_password(221)
>   check_ntlm_password:  Checking password for unmapped user [OURDOMAIN]\[username]@[COMPUTER-203] with the new password interface
> [2010/08/13 16:30:03, 3] auth/auth.c:check_ntlm_password(224)
>   check_ntlm_password:  mapped user is: [OURDOMAIN]\[username]@[COMPUTER-203]
> [2010/08/13 16:30:03, 3] smbd/sec_ctx.c:push_sec_ctx(208)
>   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> [2010/08/13 16:30:03, 3] smbd/uid.c:push_conn_ctx(358)
>   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> [2010/08/13 16:30:03, 3] smbd/sec_ctx.c:set_sec_ctx(241)
>   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> [2010/08/13 16:30:03, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2010/08/13 16:30:03, 2] auth/auth.c:check_ntlm_password(319)
>   check_ntlm_password:  Authentication for user [username] -> [username] FAILED with error NT_STATUS_ACCESS_DENIED
> [2010/08/13 16:30:03, 3] smbd/error.c:error_packet_set(106)
>   error packet at smbd/sesssetup.c(105) cmd=115 (SMBsesssetupX) NT_STATUS_ACCESS_DENIED

We have a log in script that runs after log on, mapping various resources. Most of the time
it runs fine, and all resources are mapped. Other times, we will encounter:

> C:\Documents and Settings\username>net use H: \\smbserver\username
> The password is invalid for \\smbserver\username.
> 
> Enter the user name for 'smbserver':

So we close this CMD window and re-run the log on script from the DC, and 95% of the time
it will complete successfully (mapping drives); the other 5% will result in the above
message, with the same output log as the way-above.

I'm kind of hung up on saying this is intermittent since I have been testing 4 brand new
devices, and every one fails to enforce the folder redirect GPO. They also fail to map
drives most of the time (1 in 10 log-ins work fine (log in script to map drives), redirect
fails 100% of the time).

The relevant notification from the Windows log results in:

> Failed to perform redirection of folder My Documents. The full source path was <C:\Documents and Settings\username\My Documents>. The full destination path was <\\smbserver\username>. At least one of the shares on which these paths lie is currently offline.

Accessing this UNC path after logging on usually results in getting the directory list,
other times the client will receive ACCESS DENIED.

I have also noted this as it seems to affect an older Ubuntu patch level, but same major
and minor versions.
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/526464
Related?

I really just need any direction, I have been tearing my hair out for the past few weeks...

smb.conf attached.


Thanks and best regards,

Andrew Kuriger

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: smb.conf
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100816/7776f84d/attachment.ksh>
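
Added example, not part of the original post and not Samba project code: a small parser for the smbd log format quoted in the message that tallies `check_ntlm_password` outcomes per user and workstation, so an "intermittent" failure can be measured from the server log. The sample log is constructed; the wording of the "succeeded" record and the last-workstation-per-user correlation are assumptions.

```python
import re
from collections import Counter

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
GOT_USER = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
RESULT = re.compile(r"authentication for user \[(.*?)\] -> .*?(succeeded|FAILED with error (\w+))", re.I)

# Constructed sample in the log format quoted above; the wording and source
# line number of the "succeeded" record are assumptions, not taken from the post.
SAMPLE_LOG = """\
[2010/08/13 16:30:03, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[username] domain=[OURDOMAIN] workstation=[OURDOMAIN-203] len1=24 len2=24
[2010/08/13 16:30:03, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [username] -> [username] FAILED with error NT_STATUS_ACCESS_DENIED
[2010/08/13 16:31:10, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
  Got user=[username] domain=[OURDOMAIN] workstation=[OURDOMAIN-203] len1=24 len2=24
[2010/08/13 16:31:10, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [username] -> [username] -> [username] succeeded
"""

def parse_records(text):
    """Join each "[time, level] file:func(line)" header with its indented message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m[1], "level": int(m[2]), "func": m[4], "msg": ""})
        elif records and line[:1].isspace():
            records[-1]["msg"] += " " + line.strip()
    return records

def auth_summary(records):
    """Tally check_ntlm_password outcomes per (user, workstation, status)."""
    last_ws, tally = {}, Counter()
    for r in records:
        got = GOT_USER.search(r["msg"])
        res = RESULT.search(r["msg"])
        if got and r["func"] == "ntlmssp_server_auth":
            last_ws[got[1]] = got[3]  # heuristic: latest workstation seen for this user
        elif res and r["func"] == "check_ntlm_password":
            tally[(res[1], last_ws.get(res[1], "?"), res[3] or "OK")] += 1
    return tally

def failure_rate(tally, user):
    """Fraction of this user's logged authentications that failed."""
    total = sum(n for (u, _, _), n in tally.items() if u == user)
    failed = sum(n for (u, _, s), n in tally.items() if u == user and s != "OK")
    return failed / total if total else 0.0
```

Both result records are logged at debug level 2, so `log level = 2` is enough for the tally; the workstation correlation needs the level 3 NTLMSSP record.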

