NTLM authentication failing with NT_STATUS_ACCESS_DENIED.

Herb Lewis hlewis at panasas.com
Sat Mar 21 09:17:14 MDT 2015


On 03/20/2015 02:33 PM, Jeremy Allison wrote:
> On Thu, Mar 12, 2015 at 07:14:58PM -0700, Hemanth Thummala wrote:
>> Hi All,
>>
>> We are using the Samba 3.6.12+ stack. On one of the lab setups we ran into an
>> issue where all NTLM authentications are failing with access denied errors.
>> This particular node is deployed in a site where a Read Only DC is present.
>> Both NTLM and Kerberos authentications used to work a few days back. Now only
>> Kerberos auth works but not NTLM. When we firewall the RODC and redirect the
>> server to talk to the writable one, everything works. But we would like to
>> understand the issue with RODC communication.

Any chance one of the DCs was updated with MS15-027? It suggests that
after this patch you need to use Kerberos authentication from the server
to the DC. Just a possibility to check. I have not seen failures on my Samba
server after this patch, but I'm not running an RODC.

>>
>> Winbindd logs suggest that trust password might have been changed. I have
>> renewed the password manually and replicated to RODC. It did not help.
>>
>> net ads testjoin and wbinfo -pt work fine.
>>
>> I have seen a few posts related to this issue without any solution. Wanted to
>> check if anyone else has faced this issue. The RODC is running win2k8r2.
>>
>> Here is the dump (final few) of the smbclient command:
>> ...
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x60088215
>>    NTLMSSP_NEGOTIATE_UNICODE
>>    NTLMSSP_REQUEST_TARGET
>>    NTLMSSP_NEGOTIATE_SIGN
>>    NTLMSSP_NEGOTIATE_NTLM
>>    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>    NTLMSSP_NEGOTIATE_NTLM2
>>    NTLMSSP_NEGOTIATE_128
>>    NTLMSSP_NEGOTIATE_KEY_EXCH
>> SPNEGO login failed: Access denied
>> session setup failed: NT_STATUS_ACCESS_DENIED
>>
>> client log:
>>
>> [2015/03/12 18:58:04.294165,  5]
>> auth/token_util.c:527(debug_unix_user_token)
>>    UNIX token of user 0
>>    Primary group is 0 and contains 0 supplementary groups
>> [2015/03/12 18:58:04.630167,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
>>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>> [2015/03/12 18:58:04.631166, 10]
>> auth/auth_winbind.c:99(check_winbind_security)
>>    check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
>> [2015/03/12 18:58:04.631166,  5] auth/auth.c:271(check_ntlm_password)
>>    check_ntlm_password: winbind authentication for user [hthummala] FAILED
>> with error NT_STATUS_ACCESS_DENIED
>> [2015/03/12 18:58:04.631166,  2] auth/auth.c:319(check_ntlm_password)
>>    check_ntlm_password:  Authentication for user [hthummala] -> [hthummala]
>> FAILED with error NT_STATUS_ACCESS_DENIED
>> [2015/03/12 18:58:04.631166,  3] smbd/error.c:81(error_packet_set)
>>    error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX)
>> NT_STATUS_ACCESS_DENIED
>> [2015/03/12 18:58:04.631166,  4] smbd/process.c:1589(switch_message)
>>
>>
>> winbindd.log:
>>
>> [2015/03/12 18:58:04.628166, 10]
>> librpc/rpc/dcerpc_helpers.c:865(dcerpc_check_auth)
>>    Requested Privacy.
>> [2015/03/12 18:58:04.628166,  6]
>> ../librpc/rpc/dcerpc_util.c:140(dcerpc_pull_auth_trailer)
>>    ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
>> [2015/03/12 18:58:04.628166, 10]
>> librpc/rpc/dcerpc_helpers.c:951(dcerpc_check_auth)
>>    SCHANNEL auth
>> [2015/03/12 18:58:04.628166, 10]
>> rpc_client/cli_pipe.c:437(cli_pipe_validate_current_pdu)
>>    Got pdu len 120, data_len 20, ss_len 12
>> [2015/03/12 18:58:04.628166, 10]
>> rpc_client/cli_pipe.c:882(rpc_api_pipe_got_pdu)
>>    rpc_api_pipe: got frag len of 120 at offset 0: NT_STATUS_OK
>> [2015/03/12 18:58:04.628166, 10]
>> rpc_client/cli_pipe.c:937(rpc_api_pipe_got_pdu)
>>    rpc_api_pipe: host AD1-BLR.pixel8networks.com returned 20 bytes.
>> [2015/03/12 18:58:04.628166,  1]
>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>         netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
>>            out: struct netr_LogonSamLogonEx
>>                validation               : *
>>                    validation               : union netr_Validation(case 6)
>>                    sam6                     : NULL
>>                authoritative            : *
>>                    authoritative            : 0x00 (0)
>>                flags                    : *
>>                    flags                    : 0x00000000 (0)
>>                result                   : NT_STATUS_ACCESS_DENIED
>> [2015/03/12 18:58:04.629166,  3]
>> winbindd/winbindd_pam.c:1367(winbind_samlogon_retry_loop)
>>    winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.  Maybe the
>> trust account password was changed and we didn't know it. Killing
>> connections to domain DOMAIN1
> Does the Windows RODC log anything in its Eventlog that
> might help debug?
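
An added example, not part of the original thread or of Samba: a small parser for the quoted debug output that rejoins mail-wrapped record headers and lists, in time order, where each failure status surfaced, which makes it easier to see that the denial starts in the DC's reply before smbd reports it. The function names parse_records and failure_chain are hypothetical; the sample is an excerpt of the logs quoted above.

```python
import re

# Samba debug header "[date time, level] file:line(function)"; mail wrapping may
# push the location onto the next line, and every line carries ">> " quoting.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*(\d+)\]\s*(.*)$")
LOCATION = re.compile(r"^(\S+):(\d+)\((\w+)\)$")
STATUS = re.compile(r"\b(?:NT_STATUS|WBC_ERR)_\w+")
QUOTE = re.compile(r"^(?:>\s?)+")

# Excerpt of the logs quoted in the post, quoting and wrapping kept as mailed.
SAMPLE = """\
>> [2015/03/12 18:58:04.628166,  1]
>> ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>                result                   : NT_STATUS_ACCESS_DENIED
>> [2015/03/12 18:58:04.631166, 10]
>> auth/auth_winbind.c:99(check_winbind_security)
>>    check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
>> [2015/03/12 18:58:04.631166,  5] auth/auth.c:271(check_ntlm_password)
>>    check_ntlm_password: winbind authentication for user [hthummala] FAILED
>> with error NT_STATUS_ACCESS_DENIED
"""


def parse_records(text):
    """Split quoted Samba debug output into records (header fields + body)."""
    records, pending = [], False
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        head = HEADER.match(line)
        if head:
            records.append({"time": head.group(1), "level": int(head.group(2)),
                            "file": None, "line": None, "func": None, "body": []})
            line, pending = head.group(3), True
        if not line or not records:
            continue
        loc = LOCATION.match(line) if pending else None
        pending = False
        if loc:
            records[-1].update(file=loc.group(1), line=int(loc.group(2)), func=loc.group(3))
        else:
            records[-1]["body"].append(line)
    return records


def failure_chain(records):
    """Return (time, function, status) for each non-OK status, in time order."""
    return [(rec["time"], rec["func"], status)
            for rec in sorted(records, key=lambda r: r["time"])
            for status in dict.fromkeys(STATUS.findall(" ".join(rec["body"])))
            if status != "NT_STATUS_OK"]
```

Calling failure_chain(parse_records(text)) on the full winbindd and smbd logs gives the same ordered view across both files.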
