Authentication of non-Domain joined clients with Samba 3.6.12+ joined to W2K12 fails with ACCESS DENIED
Volker Lendecke
Volker.Lendecke at SerNet.DE
Fri May 9 00:28:44 MDT 2014
On Thu, May 08, 2014 at 02:24:36PM -0700, Richard Sharpe wrote:
> On Thu, May 8, 2014 at 10:53 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
> > Hi folks,
> >
> > Does anyone know what is going on here.
> >
> > Non-domain-joined client. Samba 3.6.12+ and W2K12 server.
> >
> > Winbindd says this:
> >
> > [2014/05/07 15:13:33.936864, 1]
> > ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> > netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
> > out: struct netr_LogonSamLogonEx
> > validation : *
> > validation : union netr_Validation(case 6)
> > sam6 : NULL
> > authoritative : *
> > authoritative : 0x00 (0)
> > flags : *
> > flags : 0x00000000 (0)
> > result : NT_STATUS_ACCESS_DENIED
> >
> > Is it possible that they are configured for too high an encryption level for us?
> >
> > I know that the credentials are good, because I can use rpcclient with
> > those credentials againts the DC.
>
> By the way, wbinfo -t returns success. The trust password does not
> seem to have changed ...
NT_STATUS_ACCESS_DENIED usually means schannel or credential
chain problems. Is this a heavily loaded winbind with
multiple domain children?
Volker
--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de
More information about the samba-technical
mailing list