NTLM authentication failing with NT_STATUS_ACCESS_DENIED.
Jeremy Allison
jra at samba.org
Fri Mar 20 15:33:31 MDT 2015
On Thu, Mar 12, 2015 at 07:14:58PM -0700, Hemanth Thummala wrote:
> Hi All,
>
> We are using the samba 3.6.12+ stack. On one of our lab setups we ran into an issue
> where all NTLM authentications are failing with access denied errors. This
> particular node is deployed in a site where a Read Only DC is present. Both
> NTLM and Kerberos authentications used to work a few days back. Now only
> Kerberos auth works but not NTLM. When we firewall the RODC and redirect the server
> to talk to the writable one, everything works. But we would like to understand
> the issue with RODC communication.
>
> Winbindd logs suggest that the trust password might have been changed. I have
> renewed the password manually and replicated it to the RODC. It did not help.
>
> net ads testjoin and wbinfo -pt work fine.
>
> I have seen a few posts related to this issue without any solution. I wanted to
> check if anyone else has faced this issue. The RODC is running the win2k8r2 version.
>
> Here is the dump (final few lines) of the smbclient command:
> ...
> NTLMSSP Sign/Seal - Initialising with flags:
> Got NTLMSSP neg_flags=0x60088215
> NTLMSSP_NEGOTIATE_UNICODE
> NTLMSSP_REQUEST_TARGET
> NTLMSSP_NEGOTIATE_SIGN
> NTLMSSP_NEGOTIATE_NTLM
> NTLMSSP_NEGOTIATE_ALWAYS_SIGN
> NTLMSSP_NEGOTIATE_NTLM2
> NTLMSSP_NEGOTIATE_128
> NTLMSSP_NEGOTIATE_KEY_EXCH
> SPNEGO login failed: Access denied
> session setup failed: NT_STATUS_ACCESS_DENIED
>
> client log:
>
> [2015/03/12 18:58:04.294165, 5]
> auth/token_util.c:527(debug_unix_user_token)
> UNIX token of user 0
> Primary group is 0 and contains 0 supplementary groups
> [2015/03/12 18:58:04.630167, 4] smbd/sec_ctx.c:422(pop_sec_ctx)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2015/03/12 18:58:04.631166, 10]
> auth/auth_winbind.c:99(check_winbind_security)
> check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
> [2015/03/12 18:58:04.631166, 5] auth/auth.c:271(check_ntlm_password)
> check_ntlm_password: winbind authentication for user [hthummala] FAILED
> with error NT_STATUS_ACCESS_DENIED
> [2015/03/12 18:58:04.631166, 2] auth/auth.c:319(check_ntlm_password)
> check_ntlm_password: Authentication for user [hthummala] -> [hthummala]
> FAILED with error NT_STATUS_ACCESS_DENIED
> [2015/03/12 18:58:04.631166, 3] smbd/error.c:81(error_packet_set)
> error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
> NT_STATUS_ACCESS_DENIED
> [2015/03/12 18:58:04.631166, 4] smbd/process.c:1589(switch_message)
>
>
> winbindd.log:
>
> [2015/03/12 18:58:04.628166, 10]
> librpc/rpc/dcerpc_helpers.c:865(dcerpc_check_auth)
> Requested Privacy.
> [2015/03/12 18:58:04.628166, 6]
> ../librpc/rpc/dcerpc_util.c:140(dcerpc_pull_auth_trailer)
> ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
> [2015/03/12 18:58:04.628166, 10]
> librpc/rpc/dcerpc_helpers.c:951(dcerpc_check_auth)
> SCHANNEL auth
> [2015/03/12 18:58:04.628166, 10]
> rpc_client/cli_pipe.c:437(cli_pipe_validate_current_pdu)
> Got pdu len 120, data_len 20, ss_len 12
> [2015/03/12 18:58:04.628166, 10]
> rpc_client/cli_pipe.c:882(rpc_api_pipe_got_pdu)
> rpc_api_pipe: got frag len of 120 at offset 0: NT_STATUS_OK
> [2015/03/12 18:58:04.628166, 10]
> rpc_client/cli_pipe.c:937(rpc_api_pipe_got_pdu)
> rpc_api_pipe: host AD1-BLR.pixel8networks.com returned 20 bytes.
> [2015/03/12 18:58:04.628166, 1]
> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
> netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
> out: struct netr_LogonSamLogonEx
> validation : *
> validation : union netr_Validation(case 6)
> sam6 : NULL
> authoritative : *
> authoritative : 0x00 (0)
> flags : *
> flags : 0x00000000 (0)
> result : NT_STATUS_ACCESS_DENIED
> [2015/03/12 18:58:04.629166, 3]
> winbindd/winbindd_pam.c:1367(winbind_samlogon_retry_loop)
> winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED. Maybe the
> trust account password was changed and we didn't know it. Killing
> connections to domain DOMAIN1
Does the Windows RODC log anything in its Eventlog that might help debug?
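A triage helper for the winbindd output quoted above, added here as an example (not code from the thread or from Samba): it pulls each netr_LogonSamLogonEx reply out of the NDR debug dump, attributes it to the DC that answered on the netlogon pipe, and separates a non-authoritative ACCESS_DENIED (the answering DC gave no final verdict, as in the RODC case above) from an authoritative one. The sample log is constructed from the quoted lines plus a made-up healthy reply; WDC1.example.invalid is a placeholder, and the regexes assume the Samba 3.6 debug format shown above.

```python
import re

# Constructed sample: winbindd debug lines adapted from the output quoted in this thread
# (timestamp headers dropped), followed by a made-up healthy reply from a writable DC.
SAMPLE_LOG = """\
rpc_api_pipe: host AD1-BLR.pixel8networks.com returned 20 bytes.
netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
out: struct netr_LogonSamLogonEx
authoritative : 0x00 (0)
result : NT_STATUS_ACCESS_DENIED
winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED. Maybe the trust account password was changed and we didn't know it. Killing connections to domain DOMAIN1
rpc_api_pipe: host WDC1.example.invalid returned 512 bytes.
netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
authoritative : 0x01 (1)
result : NT_STATUS_OK
"""

HOST_RE = re.compile(r"rpc_api_pipe: host (\S+) returned")
AUTH_RE = re.compile(r"^authoritative\s*:\s*0x[0-9a-fA-F]+\s*\((\d+)\)")
RESULT_RE = re.compile(r"^result\s*:\s*(NT_STATUS_\w+)")

def parse_samlogon_replies(log_text):
    """One dict per netr_LogonSamLogonEx reply in the NDR debug dump, attributed to the
    DC that last answered on the netlogon pipe (the preceding rpc_api_pipe line)."""
    replies, dc = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := HOST_RE.search(line):
            dc = m.group(1)
        elif line.startswith("netr_LogonSamLogonEx:"):
            replies.append({"dc": dc, "authoritative": None, "result": None})
        elif replies and (m := AUTH_RE.match(line)):
            replies[-1]["authoritative"] = m.group(1) != "0"   # 0x00 (0) -> not final
        elif replies and (m := RESULT_RE.match(line)):
            replies[-1]["result"] = m.group(1)
    return replies

def classify(reply):
    """MS-NRPC sets Authoritative to FALSE when the answering DC did not produce a final
    verdict (the request may have been forwarded), so examine the DC hop first."""
    if reply["result"] == "NT_STATUS_OK":
        return "ok"
    if reply["result"] == "NT_STATUS_ACCESS_DENIED":
        return "non-authoritative-denial" if reply["authoritative"] is False else "authoritative-denial"
    return "other-status"   # e.g. NT_STATUS_WRONG_PASSWORD needs its own handling

def triage(log_text):
    return [(r["dc"], r["result"], classify(r)) for r in parse_samlogon_replies(log_text)]
```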