Trusted domain(external trust: selective auth) user authentication failing with NT_STATUS_NO_LOGON_SERVERS error.

Hemanth Thummala hemanth.thummala at gmail.com
Wed Jun 10 19:15:50 MDT 2015


Hi All,

We are running 3.6.12+ stack. We have a customer who is facing issues with
authenticating their trusted domain users connected via external trust and
selective authentication method.

We have made sure that user is given the "allowed to authenticate"
permission as authentication method chosen is "selective".

We have got a test user to debug the issue. And here is the client.log
showing the error on trying to authenticate using smbclient.

# smbclient //localhost/share -U erin%<password> -W TRUSTDOM
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
session setup failed: NT_STATUS_NO_LOGON_SERVERS

client.log:

[2015/06/10 20:48:32.482626, 10]
auth/auth_winbind.c:99(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
[2015/06/10 20:48:32.482626,  5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: winbind authentication for user [erin] FAILED with
error NT_STATUS_NO_LOGON_SERVERS
[2015/06/10 20:48:32.482626,  2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password:  Authentication for user [erin] -> [erin] FAILED
with error NT_STATUS_NO_LOGON_SERVERS
[2015/06/10 20:48:32.482626,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
NT_STATUS_NO_LOGON_SERVERS
[2015/06/10 20:48:32.482626,  4] smbd/process.c:1585(switch_message)

winbind.log:

[2015/06/10 20:58:43.842351,  3]
winbindd/winbindd_misc.c:226(winbindd_domain_info)
  [74316]: domain_info [TRUSTDOM]
[2015/06/10 20:58:43.842351, 10]
winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[74316:DOMAIN_INFO]: delivered response to
client
[2015/06/10 20:58:43.843350, 10] winbindd/winbindd.c:617(process_request)
  process_request: Handling async request 74316:PAM_AUTH_CRAP
[2015/06/10 20:58:43.843350,  3]
winbindd/winbindd_pam_auth_crap.c:56(winbindd_pam_auth_crap_send)
  [74316]: pam auth crap domain: [TRUSTDOM] user: erin
[2015/06/10 20:58:43.851350, 10] winbindd/winbindd.c:679(wb_request_done)
  wb_request_done[74316:PAM_AUTH_CRAP]: NT_STATUS_NO_LOGON_SERVERS
[2015/06/10 20:58:43.851350, 10]
winbindd/winbindd.c:740(winbind_client_response_written)
  winbind_client_response_written[74316:PAM_AUTH_CRAP]: delivered response
to client


# wbinfo -a=TRUSTDOM\\erin%<password>
plaintext password authentication failed
Could not authenticate user TRUSTDOM\erin%<password> with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_LOGON_SERVERS (0xc000005e)
error message was: No logon servers
Could not authenticate user TRUSTDOM\erin with challenge/response

Kerberos authentication failing with LOGON_FAILURE. But occasionally works.

# smbclient //server/share -U erin -W TRUSTDOM -k
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
session setup failed: NT_STATUS_LOGON_FAILURE

We have made sure the trust validation is good. Customer confirmed that
trusted users can actually authenticate against windows shares but not
Samba. They are using win2k8r2 servers as DCs on both local and trusted
domains.

Would like to know if any one faced these issues. I was initially able to
reproduce the issue on my lab setup with external trusts. Just for few
checks, I went back to forest trust. It worked fine. After that I came back
to external, problem is not seen. Not really sure what is fixed when the
trust is converted to forest.

Are there any known issues with external trusts? Is there anything that I
can check on the DCs? Please let me know.

Thanks,
Hemanth.


More information about the samba-technical mailing list