NTLM authentication failing with NT_STATUS_ACCESS_DENIED.

Hemanth Thummala hemanth.thummala at gmail.com
Wed Mar 25 16:33:52 MDT 2015


Thanks Jeremy and Herb. I have actually made sure that NTLM was not
disabled/blocked. Could not find any information from event logs (I have
enabled the NTLM auditing from security settings).

But the issue got resolved after installing an MS hotfix:
http://support.microsoft.com/en-us/kb/2696718. Symptoms look the same. And
after installing this patch all NTLM access to shares succeeded.


Thanks,
Hemanth.

On Sat, Mar 21, 2015 at 8:17 AM, Herb Lewis <hlewis at panasas.com> wrote:

> On 03/20/2015 02:33 PM, Jeremy Allison wrote:
>
>> On Thu, Mar 12, 2015 at 07:14:58PM -0700, Hemanth Thummala wrote:
>>
>>> Hi All,
>>>
>>> We are using the samba 3.6.12+ stack. On one of the lab setups we ran
>>> into an issue where all NTLM authentications are failing with access
>>> denied errors. This particular node is deployed in a site where a Read
>>> Only DC is present. Both NTLM and Kerberos authentications used to work
>>> a few days back. Now only Kerberos auth works but not NTLM. When we
>>> firewall the RODC and redirect the server to talk to a writable one,
>>> everything works. But we would like to understand the issue with RODC
>>> communication.
>>>
> Any chance one of the DCs was updated with MS15-027? It suggests that
> after this patch you need to use Kerberos authentication from the server
> to the DC. Just a possibility to check. I have not seen failures on my
> samba server after this patch, but I'm not running a RODC.
>
>
>
>>> Winbindd logs suggest that trust password might have been changed. I have
>>> renewed the password manually and replicated to RODC. It did not help.
>>>
>>> net ads testjoin, wbinfo -pt works fine.
>>>
>>> I have seen a few posts related to this issue without any solution.
>>> Wanted to check if anyone else has faced this issue. The RODC is running
>>> win2k8r2 version.
>>>
>>> Here is the dump (final few lines) of the smbclient command:
>>> ...
>>> NTLMSSP Sign/Seal - Initialising with flags:
>>> Got NTLMSSP neg_flags=0x60088215
>>>    NTLMSSP_NEGOTIATE_UNICODE
>>>    NTLMSSP_REQUEST_TARGET
>>>    NTLMSSP_NEGOTIATE_SIGN
>>>    NTLMSSP_NEGOTIATE_NTLM
>>>    NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>>    NTLMSSP_NEGOTIATE_NTLM2
>>>    NTLMSSP_NEGOTIATE_128
>>>    NTLMSSP_NEGOTIATE_KEY_EXCH
>>> SPNEGO login failed: Access denied
>>> session setup failed: NT_STATUS_ACCESS_DENIED
>>>
>>> client log:
>>>
>>> [2015/03/12 18:58:04.294165,  5] auth/token_util.c:527(debug_unix_user_token)
>>>    UNIX token of user 0
>>>    Primary group is 0 and contains 0 supplementary groups
>>> [2015/03/12 18:58:04.630167,  4] smbd/sec_ctx.c:422(pop_sec_ctx)
>>>    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>>> [2015/03/12 18:58:04.631166, 10] auth/auth_winbind.c:99(check_winbind_security)
>>>    check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
>>> [2015/03/12 18:58:04.631166,  5] auth/auth.c:271(check_ntlm_password)
>>>    check_ntlm_password: winbind authentication for user [hthummala] FAILED with error NT_STATUS_ACCESS_DENIED
>>> [2015/03/12 18:58:04.631166,  2] auth/auth.c:319(check_ntlm_password)
>>>    check_ntlm_password:  Authentication for user [hthummala] -> [hthummala] FAILED with error NT_STATUS_ACCESS_DENIED
>>> [2015/03/12 18:58:04.631166,  3] smbd/error.c:81(error_packet_set)
>>>    error packet at smbd/sesssetup.c(124) cmd=115 (SMBsesssetupX) NT_STATUS_ACCESS_DENIED
>>> [2015/03/12 18:58:04.631166,  4] smbd/process.c:1589(switch_message)
>>>
>>>
>>> winbindd.log:
>>>
>>> [2015/03/12 18:58:04.628166, 10] librpc/rpc/dcerpc_helpers.c:865(dcerpc_check_auth)
>>>    Requested Privacy.
>>> [2015/03/12 18:58:04.628166,  6] ../librpc/rpc/dcerpc_util.c:140(dcerpc_pull_auth_trailer)
>>>    ../librpc/rpc/dcerpc_util.c:140: auth_pad_length 12
>>> [2015/03/12 18:58:04.628166, 10] librpc/rpc/dcerpc_helpers.c:951(dcerpc_check_auth)
>>>    SCHANNEL auth
>>> [2015/03/12 18:58:04.628166, 10] rpc_client/cli_pipe.c:437(cli_pipe_validate_current_pdu)
>>>    Got pdu len 120, data_len 20, ss_len 12
>>> [2015/03/12 18:58:04.628166, 10] rpc_client/cli_pipe.c:882(rpc_api_pipe_got_pdu)
>>>    rpc_api_pipe: got frag len of 120 at offset 0: NT_STATUS_OK
>>> [2015/03/12 18:58:04.628166, 10] rpc_client/cli_pipe.c:937(rpc_api_pipe_got_pdu)
>>>    rpc_api_pipe: host AD1-BLR.pixel8networks.com returned 20 bytes.
>>> [2015/03/12 18:58:04.628166,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
>>>         netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
>>>            out: struct netr_LogonSamLogonEx
>>>                validation               : *
>>>                    validation               : union netr_Validation(case 6)
>>>                    sam6                     : NULL
>>>                authoritative            : *
>>>                    authoritative            : 0x00 (0)
>>>                flags                    : *
>>>                    flags                    : 0x00000000 (0)
>>>                result                   : NT_STATUS_ACCESS_DENIED
>>> [2015/03/12 18:58:04.629166,  3] winbindd/winbindd_pam.c:1367(winbind_samlogon_retry_loop)
>>>    winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.  Maybe the trust account password was changed and we didn't know it. Killing connections to domain DOMAIN1
>>>
>> Does the Windows RODC log anything in its Eventlog that
>> might help debug?
>>
>
>
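
Added example, not part of any message in this thread: a Python script that walks a winbindd log like the one quoted above and attributes each netr_LogonSamLogonEx result to the DC named in the preceding rpc_api_pipe line, so denials coming from one DC (such as an RODC) stand out. The sample log is constructed and its host names are placeholders; pairing a reply with the most recently logged host is an assumption about log ordering.

```python
import re
from collections import Counter

# Constructed sample in winbindd's log layout (log level 10), modelled on the
# excerpt quoted in the thread. Host names are placeholders, not from the page.
SAMPLE_LOG = """\
[2015/03/12 18:58:04.628166, 10] rpc_client/cli_pipe.c:937(rpc_api_pipe_got_pdu)
  rpc_api_pipe: host rodc1.example.com returned 20 bytes.
[2015/03/12 18:58:04.628166,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
          out: struct netr_LogonSamLogonEx
                  authoritative            : 0x00 (0)
              result                   : NT_STATUS_ACCESS_DENIED
[2015/03/12 19:02:11.101000, 10] rpc_client/cli_pipe.c:937(rpc_api_pipe_got_pdu)
  rpc_api_pipe: host dc1.example.com returned 420 bytes.
[2015/03/12 19:02:11.101500,  1] ../librpc/ndr/ndr.c:284(ndr_print_function_debug)
       netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
          out: struct netr_LogonSamLogonEx
                  authoritative            : 0x01 (1)
              result                   : NT_STATUS_OK
"""

HEADER = re.compile(r"^\[([^,\]]+),\s*\d+\]")          # "[timestamp, level] file:line(func)"
HOST = re.compile(r"rpc_api_pipe: host (\S+) returned \d+ bytes")
AUTH = re.compile(r"authoritative\s*:\s*0x([0-9a-fA-F]+)")
RESULT = re.compile(r"\bresult\s*:\s*(NT_STATUS_\w+)")

def samlogon_results(log_text):
    """Yield (timestamp, dc_host, authoritative, status) per SamLogonEx reply."""
    ts = host = authoritative = None
    in_reply = False
    for line in log_text.splitlines():
        if (m := HEADER.match(line)):           # a new log entry resets reply state
            ts, authoritative, in_reply = m.group(1), None, False
        elif (m := HOST.search(line)):          # remember which DC answered last
            host = m.group(1)
        elif "out: struct netr_LogonSamLogonEx" in line:
            in_reply = True
        elif in_reply and (m := AUTH.search(line)):
            authoritative = int(m.group(1), 16)
        elif in_reply and (m := RESULT.search(line)):
            yield ts, host, authoritative, m.group(1)
            in_reply = False

def failures_by_dc(log_text):
    """Count non-OK SamLogonEx results per DC host."""
    return Counter(h for _, h, _, s in samlogon_results(log_text)
                   if s != "NT_STATUS_OK")
```

Run against a real log with `failures_by_dc(open(path).read())`; the log path depends on the local Samba configuration.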

