Authentication of non-Domain joined clients with Samba 3.6.12+ joined to W2K12 fails with ACCESS DENIED
Richard Sharpe
realrichardsharpe at gmail.com
Fri May 9 07:38:58 MDT 2014
On Thu, May 8, 2014 at 11:28 PM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Thu, May 08, 2014 at 02:24:36PM -0700, Richard Sharpe wrote:
>> On Thu, May 8, 2014 at 10:53 AM, Richard Sharpe
>> <realrichardsharpe at gmail.com> wrote:
>> > Hi folks,
>> >
>> > Does anyone know what is going on here.
>> >
>> > Non-domain-joined client. Samba 3.6.12+ and W2K12 server.
>> >
>> > Winbindd says this:
>> >
>> > [2014/05/07 15:13:33.936864, 1]
>> > ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>> > netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
>> > out: struct netr_LogonSamLogonEx
>> > validation : *
>> > validation : union netr_Validation(case 6)
>> > sam6 : NULL
>> > authoritative : *
>> > authoritative : 0x00 (0)
>> > flags : *
>> > flags : 0x00000000 (0)
>> > result : NT_STATUS_ACCESS_DENIED
>> >
>> > Is it possible that they are configured for too high an encryption level for us?
>> >
>> > I know that the credentials are good, because I can use rpcclient with
>> > those credentials againts the DC.
>>
>> By the way, wbinfo -t returns success. The trust password does not
>> seem to have changed ...
>
> NT_STATUS_ACCESS_DENIED usually means schannel or credential
> chain problems. Is this a heavily loaded winbind with
> multiple domain children?
I don't think so but am not sure. Kerberos auth works without
problems, it is only the non-domain joined clients that have a
problem. Also, restarting winbindd does not help, even though wbinfo
-t works after the restart.
--
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
More information about the samba-technical
mailing list