Intermittent failure to authenticate using NTLM with NT_STATUS_ACCESS_DENIED
Stefan Metzmacher
metze at samba.org
Thu Nov 12 13:21:26 UTC 2015
Hi Richard,
>>>> We are intermittently seeing NTLM auth failing with
>>>> NT_STATUS_ACCESS_DENIED and we see this message in winbindd.log:
>>>>
>>>> [2015/10/08 15:34:33.393987, 3, pid=3549, effective(0, 0), real(0,
>>>> 0), class=winbind]
>>>> ../source3/winbindd/winbindd_pam.c:1426(winbind_samlogon_retry_loop)
>>>> winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.
>>>> Maybe the trust account password was changed and we didn't know it.
>>>> Killing connections to domain SOMEDOM
>>>>
>>>> Now, the real reason seems to be that one of the DCs in that domain
>>>> disallows NTLM authentication and whenever winbindd finds that DC we
>>>> get this problem.
>>>>
>>>> Is there some way to tell Winbindd not to use that DC?
>>>>
>>>> Also, I notice that in some instances in winbind_samlogon_retry_loop
>>>> we move to another DC but not in this case. We simply retry with the
>>>> same DC.
>>>>
>>>> I suspect that we should move to another DC in this case as well.
>>>>
>>>> Any comments?
>>>
>>> Yep - getting ACCESS_DENIED should certainly trigger adding
>>> the DC to the negative connection cache.
>>
>> But not on the first failure!
>
> Hmmm, why not. If it is returning ACCESS_DENIED either someone has
> changed the machine account password without telling us or that DC
> does not like NTLM passthrough ...
I'd assume that we need to distinguish between ACCESS_DENIED in response
to a netr_ServerAuthenticate*() where we could be rejected because
of a changed machine password (very unlikely to happen) and other calls.
If other calls return ACCESS_DENIED (which can happen if the dc restarts)
we need to destroy the connection and netlogon_creds_cli.tdb entry and
reauthenticate.
The question is which request returns ACCESS_DENIED in the situation
where the DC rejects NTLM authentication.
Do we have a capture and level 10 logs?
metze
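As an added illustration (this is not code from the thread and not Samba's winbindd implementation), here is a toy Python model of the retry policy being argued about above: an ACCESS_DENIED from the netr_ServerAuthenticate step is treated as a possible machine-account password change and is not blamed on the DC, whereas an ACCESS_DENIED from the later SamLogon call drops the connection and cached creds entry, re-authenticates once, and only then puts the DC into the negative connection cache and moves on. The DC names, the response table, and every function and class name below are constructed assumptions for the model; the NT_STATUS_* strings are just labels.

```python
"""Toy model of a SamLogon retry loop with a negative DC cache.

Constructed example, not Samba code.  It encodes one reading of the
policy discussed on the list: ACCESS_DENIED from ServerAuthenticate is
surfaced to the caller (maybe the trust password changed, so no DC is
blamed); ACCESS_DENIED from SamLogon destroys the connection and creds
entry, re-authenticates, retries once, and then negative-caches the DC.
"""
from dataclasses import dataclass, field

OK = "NT_STATUS_OK"
ACCESS_DENIED = "NT_STATUS_ACCESS_DENIED"
NO_LOGON_SERVERS = "NT_STATUS_NO_LOGON_SERVERS"


@dataclass
class FakeDC:
    """Constructed stand-in for a DC: fixed answers to the two netlogon calls."""
    name: str
    auth_status: str = OK       # what netr_ServerAuthenticate* would return
    samlogon_status: str = OK   # what netr_LogonSamLogon* would return


@dataclass
class DomainState:
    dcs: list
    negative_cache: set = field(default_factory=set)
    creds: dict = field(default_factory=dict)   # dc name -> established schannel
    events: list = field(default_factory=list)  # human-readable trace


def establish_schannel(dc: FakeDC, state: DomainState) -> str:
    """Model of netr_ServerAuthenticate: on success remember the creds entry."""
    if dc.auth_status == OK:
        state.creds[dc.name] = f"creds({dc.name})"
    return dc.auth_status


def destroy_connection(dc: FakeDC, state: DomainState) -> None:
    """Drop the connection and the cached netlogon creds entry for this DC."""
    state.creds.pop(dc.name, None)
    state.events.append(f"{dc.name}: destroyed connection and creds entry")


def samlogon_retry_loop(state: DomainState, max_same_dc: int = 2) -> tuple:
    """Try each DC that is not negative-cached; return (status, dc name or None)."""
    for dc in state.dcs:
        if dc.name in state.negative_cache:
            state.events.append(f"{dc.name}: skipped (negative cache)")
            continue
        for _attempt in range(max_same_dc):
            if dc.name not in state.creds:
                st = establish_schannel(dc, state)
                if st == ACCESS_DENIED:
                    # Rejected at schannel setup: possibly our own machine
                    # password changed, so do not blame (or cache) the DC.
                    state.events.append(f"{dc.name}: ServerAuthenticate "
                                        "ACCESS_DENIED, trust password changed?")
                    return ACCESS_DENIED, dc.name
                if st != OK:
                    break          # some other failure: give up on this DC
            st = dc.samlogon_status
            if st == OK:
                return OK, dc.name
            if st == ACCESS_DENIED:
                # Could be a restarted DC or one that refuses NTLM pass-through:
                # tear down, re-authenticate and retry the same DC once.
                destroy_connection(dc, state)
                continue
            break                  # other SamLogon error: give up on this DC
        state.negative_cache.add(dc.name)
        state.events.append(f"{dc.name}: added to negative cache")
    return NO_LOGON_SERVERS, None


def demo() -> tuple:
    """The thread's situation: dc1 rejects NTLM pass-through, dc2 is fine."""
    state = DomainState(dcs=[
        FakeDC("dc1.somedom.example", samlogon_status=ACCESS_DENIED),
        FakeDC("dc2.somedom.example"),
    ])
    first = samlogon_retry_loop(state)    # dc1 fails twice, dc2 answers
    second = samlogon_retry_loop(state)   # dc1 is now skipped outright
    return first, second, sorted(state.negative_cache)


def demo_trust_password() -> tuple:
    """Schannel setup itself is denied: nothing is negative-cached."""
    state = DomainState(dcs=[FakeDC("dc1", auth_status=ACCESS_DENIED),
                             FakeDC("dc2")])
    return samlogon_retry_loop(state), sorted(state.negative_cache)


if __name__ == "__main__":
    print(demo())
    print(demo_trust_password())
```

The point of the two demo paths is the distinction Metze asks for: the same status code means "look at our own machine account" in one place and "this DC is unusable for us, try another" in the other, and only the second should feed the negative connection cache.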