NTLM authentication failing with NT_STATUS_ACCESS_DENIED.
Hemanth Thummala
hemanth.thummala at gmail.com
Thu Mar 12 20:14:58 MDT 2015
Hi All,
We are using samba 3.6.12+ stack. On one of lab setups we run into an issue
that all NTLM authentications are failing with access denied errors. This
particular node is deployed in a site where a Read Only DC is present. Both
NTLM and Kerberos authentications used to work few days back. Now only
Kerberos auth works but not NTLM. When we firewall RODC and redirect server
to talk to Writable one, every thing works. But would like to understand
the issue with RODC communication.
Winbindd logs suggest that trust password might have been changed. I have
renewed the password manually and replicated to RODC. It did not help.
net ads testjoin, wbinfo -pt works fine.
I have seen few posts related to this issue without any solution. Wanted to
check if anyone else has faced this issue. RODC is running win2k8r2 version.
Here is the dump(final few) of smbclient command:
...
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP_NEGOTIATE_UNICODE
NTLMSSP_REQUEST_TARGET
NTLMSSP_NEGOTIATE_SIGN
NTLMSSP_NEGOTIATE_NTLM
NTLMSSP_NEGOTIATE_ALWAYS_SIGN
NTLMSSP_NEGOTIATE_NTLM2
NTLMSSP_NEGOTIATE_128
NTLMSSP_NEGOTIATE_KEY_EXCH
SPNEGO login failed: Access denied
session setup failed: NT_STATUS_ACCESS_DENIED
client log:
[2015/03/12 18:58:04.294165, 5]
auth/token_util.c:527(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2015/03/12 18:58:04.630167, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2015/03/12 18:58:04.631166, 10]
auth/auth_winbind.c:99(check_winbind_security)
check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
[2015/03/12 18:58:04.631166, 5] auth/auth.c:271(check_ntlm_password)
check_ntlm_password: winbind authentication for user [hthummala] FAILED
with error NT_STATUS_ACCESS_DENIED
[2015/03/12 18:58:04.631166, 2] auth/auth.c:319(check_ntlm_password)
check_ntlm_password: Authentication for user [hthummala] -> [hthummala]
FAILED with error NT_STATUS_ACCESS_DENIED
[2015/03/12 18:58:04.631166, 3] smbd/error.c:81(error_packet_set)
error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
NT_STATUS_ACCESS_DENIED
[2015/03/12 18:58:04.631166, 4] smbd/process.c:1589(switch_message)
winbindd.log:
[2015/03/12 18:58:04.628166, 10]
librpc/rpc/dcerpc_helpers.c:865(dcerpc_check_auth)
Requested Privacy.
[2015/03/12 18:58:04.628166, 6]
../librpc/rpc/dcerpc_util.c:140(dcerpc_pull_auth_trailer)
../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
[2015/03/12 18:58:04.628166, 10]
librpc/rpc/dcerpc_helpers.c:951(dcerpc_check_auth)
SCHANNEL auth
[2015/03/12 18:58:04.628166, 10]
rpc_client/cli_pipe.c:437(cli_pipe_validate_current_pdu)
Got pdu len 120, data_len 20, ss_len 12
[2015/03/12 18:58:04.628166, 10]
rpc_client/cli_pipe.c:882(rpc_api_pipe_got_pdu)
rpc_api_pipe: got frag len of 120 at offset 0: NT_STATUS_OK
[2015/03/12 18:58:04.628166, 10]
rpc_client/cli_pipe.c:937(rpc_api_pipe_got_pdu)
rpc_api_pipe: host AD1-BLR.pixel8networks.com returned 20 bytes.
[2015/03/12 18:58:04.628166, 1]
../librpc/ndr/ndr.c:284(ndr_print_function_debug)
netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
out: struct netr_LogonSamLogonEx
validation : *
validation : union netr_Validation(case 6)
sam6 : NULL
authoritative : *
authoritative : 0x00 (0)
flags : *
flags : 0x00000000 (0)
result : NT_STATUS_ACCESS_DENIED
[2015/03/12 18:58:04.629166, 3]
winbindd/winbindd_pam.c:1367(winbind_samlogon_retry_loop)
winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED. Maybe the
trust account password was changed and we didn't know it. Killing
connections to domain DOMAIN1
[2015/03/12 18:58:04.630167, 2]
winbindd/winbindd_pam.c:1942(winbindd_dual_pam_auth_crap)
NTLM CRAP authentication for user [DOMAIN1]\[hthummala] returned
NT_STATUS_ACCESS_DENIED (PAM: 4)
Thanks,
Hemanth.
More information about the samba-technical
mailing list