Intermittent failure to authenticate using NTLM with NT_STATUS_ACCESS_DENIED
Stefan Metzmacher
metze at samba.org
Sun Nov 15 11:55:04 UTC 2015
Am 12.11.2015 um 14:21 schrieb Stefan Metzmacher:
> Hi Richard,
>
>>>>> We are intermittently seeing NTLM auth failing with
>>>>> NT_STATUS_ACCESS_DENIED and we see this message in winbindd.log:
>>>>>
>>>>> [2015/10/08 15:34:33.393987, 3, pid=3549, effective(0, 0), real(0,
>>>>> 0), class=winbind]
>>>>> ../source3/winbindd/winbindd_pam.c:1426(winbind_samlogon_retry_loop)
>>>>> winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.
>>>>> Maybe the trust account password was changed and we didn't know it.
>>>>> Killing connections to domain SOMEDOM
>>>>>
>>>>> Now, the real reason seems to be that one of the DCs in that domain
>>>>> disallows NTLM authentication and whenever winbindd finds that DC we
>>>>> get this problem.
>>>>>
>>>>> Is there some way to tell Windindd not to use that DC?
>>>>>
>>>>> Also, I notice that in some instances in winbind_samlogon_retry_loop
>>>>> we move to another DC but not in this case. We simply retry with the
>>>>> same DC.
>>>>>
>>>>> I suspect that we should move to another DC in this case as well.
>>>>>
>>>>> Any comments?
>>>>
>>>> Yep - getting ACCESS_DENIED should certainly trigger adding
>>>> the DC to the negative connection cache.
>>>
>>> But not an the first failure!
>>
>> Hmmm, why not. If it is returning ACCESS_DENIED either someone has
>> changed the machine account password without telling us or that DC
>> does not like NTLM passthrough ...
>
> I'd assume that we need to distinguish between ACCESS_DENIED in response
> to a netr_ServerAuthenticate*() where we could be rejected because
> of a changed machine password (verify unlikely to happen) and other calls.
>
> If other calls return ACCESS_DENIED (which can happen if the dc restarts)
> we need to destroy the connection and netlogon_creds_cli.tdb entry and
> reauthenticate.
>
> The question is which request returns ACCESS_DENIED in the situation
> where the DC rejects NTLM authentication.
>
> Do we have a capture and level 10 logs?
[MS-APDS] and [MS-NLMP] contain STATUS_NTLM_BLOCKED, I'm wondering
why we don't get that instead of STATUS_ACCESS_DENIED...
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20151115/f7260864/signature.sig>
More information about the samba-technical
mailing list