Authentication of non-Domain joined clients with Samba 3.6.12+ joined to W2K12 fails with ACCESS DENIED

Richard Sharpe realrichardsharpe at gmail.com
Fri May 9 07:38:58 MDT 2014


On Thu, May 8, 2014 at 11:28 PM, Volker Lendecke
<Volker.Lendecke at sernet.de> wrote:
> On Thu, May 08, 2014 at 02:24:36PM -0700, Richard Sharpe wrote:
>> On Thu, May 8, 2014 at 10:53 AM, Richard Sharpe
>> <realrichardsharpe at gmail.com> wrote:
>> > Hi folks,
>> >
>> > Does anyone know what is going on here?
>> >
>> > Non-domain-joined client. Samba 3.6.12+ and W2K12 server.
>> >
>> > Winbindd says this:
>> >
>> > [2014/05/07 15:13:33.936864,  1]
>> > ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>> >        netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
>> >           out: struct netr_LogonSamLogonEx
>> >               validation               : *
>> >                   validation               : union netr_Validation(case 6)
>> >                   sam6                     : NULL
>> >               authoritative            : *
>> >                   authoritative            : 0x00 (0)
>> >               flags                    : *
>> >                   flags                    : 0x00000000 (0)
>> >               result                   : NT_STATUS_ACCESS_DENIED
>> >
>> > Is it possible that they are configured for too high an encryption level for us?
>> >
>> > I know that the credentials are good, because I can use rpcclient with
>> > those credentials against the DC.
>>
>> By the way, wbinfo -t returns success. The trust password does not
>> seem to have changed ...
>
> NT_STATUS_ACCESS_DENIED usually means schannel or credential
> chain problems. Is this a heavily loaded winbind with
> multiple domain children?

I don't think so but am not sure. Kerberos auth works without
problems, it is only the non-domain joined clients that have a
problem. Also, restarting winbindd does not help, even though wbinfo
-t works after the restart.
-- 
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. --Cao Cao)
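
Added example, not part of the original message and not Samba code: a small Python triage script that scans a raw winbindd log for netr_LogonSamLogon* replies whose result is not NT_STATUS_OK, like the dump quoted above. It assumes the on-disk log has each debug header on a single line (the mail wrapped it); the function name, the output keys and the second sample record are constructed for illustration.

```python
import re

# Constructed sample shaped like the winbindd dump quoted above (header on one
# line, as assumed for the on-disk log); the second record is invented for contrast.
SAMPLE_LOG = """\
[2014/05/07 15:13:33.936864,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
          out: struct netr_LogonSamLogonEx
              validation               : *
                  validation               : union netr_Validation(case 6)
                  sam6                     : NULL
              authoritative            : *
                  authoritative            : 0x00 (0)
              result                   : NT_STATUS_ACCESS_DENIED
[2014/05/07 15:14:02.100000,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
          out: struct netr_LogonSamLogonEx
              authoritative            : *
                  authoritative            : 0x01 (1)
              result                   : NT_STATUS_OK
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\]")
FIELD = re.compile(r"^\s+(\w+)\s*:\s*(.+?)\s*$")

def failed_sam_logons(text):
    """Return a summary of every netr_LogonSamLogon* reply that is not NT_STATUS_OK."""
    records, cur = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:  # a new debug message starts; collect its fields separately
            cur = {"time": head.group(1)}
            records.append(cur)
            continue
        field = FIELD.match(line)
        if cur is not None and field and field.group(2) != "*":  # "*" = pointer marker
            cur[field.group(1)] = field.group(2)
    hits = []
    for rec in records:
        call = next((k for k in rec if k.startswith("netr_LogonSamLogon")), None)
        if call is None or "out" not in rec or rec.get("result") == "NT_STATUS_OK":
            continue  # not a logon reply, or the logon succeeded
        hits.append({
            "time": rec["time"], "call": call, "result": rec.get("result"),
            "authoritative": int(rec.get("authoritative", "0x0").split()[0], 16) != 0,
            "sam6_null": rec.get("sam6") == "NULL",  # no validation info returned
        })
    return hits
```

Grouping the returned timestamps against client logon attempts shows whether every non-Kerberos logon is refused or only some of them.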
