Intermittent failure to authenticate using NTLM with NT_STATUS_ACCESS_DENIED

Stefan Metzmacher metze at
Thu Nov 12 13:21:26 UTC 2015

Hi Richard,

>>>> We are intermittently seeing NTLM auth failing with
>>>> NT_STATUS_ACCESS_DENIED and we see this message in winbindd.log:
>>>> [2015/10/08 15:34:33.393987,  3, pid=3549, effective(0, 0), real(0,
>>>> 0), class=winbind]
>>>> ../source3/winbindd/winbindd_pam.c:1426(winbind_samlogon_retry_loop)
>>>>   winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.
>>>> Maybe the trust account password was changed and we didn't know it.
>>>> Killing connections to domain SOMEDOM
>>>> Now, the real reason seems to be that one of the DCs in that domain
>>>> disallows NTLM authentication and whenever winbindd finds that DC we
>>>> get this problem.
>>>> Is there some way to tell Windindd not to use that DC?
>>>> Also, I notice that in some instances in winbind_samlogon_retry_loop
>>>> we move to another DC but not in this case. We simply retry with the
>>>> same DC.
>>>> I suspect that we should move to another DC in this case as well.
>>>> Any comments?
>>> Yep - getting  ACCESS_DENIED should certainly trigger adding
>>> the DC to the negative connection cache.
>> But not an the first failure!
> Hmmm, why not. If it is returning ACCESS_DENIED either someone has
> changed the machine account password without telling us or that DC
> does not like NTLM passthrough ...

I'd assume that we need to distinguish between ACCESS_DENIED in response
to a netr_ServerAuthenticate*() where we could be rejected because
of a changed machine password (verify unlikely to happen) and other calls.

If other calls return ACCESS_DENIED (which can happen if the dc restarts)
we need to destroy the connection and netlogon_creds_cli.tdb entry and

The question is which request returns ACCESS_DENIED in the situation
where the DC rejects NTLM authentication.

Do we have a capture and level 10 logs?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list