Intermittent failure to authenticate using NTLM with NT_STATUS_ACCESS_DENIED

Stefan Metzmacher metze at
Sun Nov 15 11:55:04 UTC 2015

On 12.11.2015 at 14:21, Stefan Metzmacher wrote:
> Hi Richard,
>>>>> We are intermittently seeing NTLM auth failing with
>>>>> NT_STATUS_ACCESS_DENIED and we see this message in winbindd.log:
>>>>> [2015/10/08 15:34:33.393987,  3, pid=3549, effective(0, 0), real(0,
>>>>> 0), class=winbind]
>>>>> ../source3/winbindd/winbindd_pam.c:1426(winbind_samlogon_retry_loop)
>>>>>   winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.
>>>>> Maybe the trust account password was changed and we didn't know it.
>>>>> Killing connections to domain SOMEDOM
>>>>> Now, the real reason seems to be that one of the DCs in that domain
>>>>> disallows NTLM authentication and whenever winbindd finds that DC we
>>>>> get this problem.
>>>>> Is there some way to tell Winbindd not to use that DC?
>>>>> Also, I notice that in some instances in winbind_samlogon_retry_loop
>>>>> we move to another DC but not in this case. We simply retry with the
>>>>> same DC.
>>>>> I suspect that we should move to another DC in this case as well.
>>>>> Any comments?
>>>> Yep - getting ACCESS_DENIED should certainly trigger adding
>>>> the DC to the negative connection cache.
>>> But not on the first failure!
>> Hmmm, why not. If it is returning ACCESS_DENIED either someone has
>> changed the machine account password without telling us or that DC
>> does not like NTLM passthrough ...
> I'd assume that we need to distinguish between ACCESS_DENIED in response
> to a netr_ServerAuthenticate*() where we could be rejected because
> of a changed machine password (very unlikely to happen) and other calls.
> If other calls return ACCESS_DENIED (which can happen if the dc restarts)
> we need to destroy the connection and netlogon_creds_cli.tdb entry and
> reauthenticate.
> The question is which request returns ACCESS_DENIED in the situation
> where the DC rejects NTLM authentication.
> Do we have a capture and level 10 logs?

[MS-APDS] and [MS-NLMP] contain STATUS_NTLM_BLOCKED, I'm wondering
why we don't get that instead of STATUS_ACCESS_DENIED...
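
A log triage helper for the winbindd.log entry quoted in this thread, as an added example that is not part of the original post or of Samba: it groups the `sam_logon returned ACCESS_DENIED` records into bursts per domain, so their timing can be lined up with DC-side logs or a capture. The sample log is constructed from the quoted entry; the names `records` and `denied_bursts` and the 5-minute gap are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: layout and message text follow the entry quoted in the
# thread; every timestamp except the first, and the last entry, are made up.
_HDR = ("[2015/10/08 {}, 3, pid=3549, effective(0, 0), real(0, 0), class=winbind] "
        "../source3/winbindd/winbindd_pam.c:1426(winbind_samlogon_retry_loop)\n")
_MSG = ("  winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.\n"
        "  Maybe the trust account password was changed and we didn't know it.\n"
        "  Killing connections to domain SOMEDOM\n")
SAMPLE_LOG = "".join(_HDR.format(t) + _MSG for t in
                     ("15:34:33.393987", "15:34:40.000000", "16:10:02.000000"))
SAMPLE_LOG += _HDR.format("16:20:00.000000") + "  constructed unrelated entry\n"

HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s+\d+,")
DENIED = re.compile(
    r"sam_logon returned ACCESS_DENIED\..*?Killing connections to domain (\S+)")

def records(text):
    """Yield (timestamp, message) per record; continuation lines are joined."""
    ts, parts = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts is not None:
                yield ts, " ".join(" ".join(parts).split())
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f")
            parts = [line.partition("]")[2]]  # text after the header bracket
        elif ts is not None:
            parts.append(line)
    if ts is not None:
        yield ts, " ".join(" ".join(parts).split())

def denied_bursts(text, gap=timedelta(minutes=5)):
    """Per domain, list [first_ts, last_ts, count] for failures at most gap apart."""
    bursts = defaultdict(list)
    for ts, msg in records(text):
        m = DENIED.search(msg)
        if not m:
            continue
        runs = bursts[m.group(1)]
        if runs and ts - runs[-1][1] <= gap:
            runs[-1][1], runs[-1][2] = ts, runs[-1][2] + 1
        else:
            runs.append([ts, ts, 1])
    return dict(bursts)
```

On the constructed sample this reports two bursts for SOMEDOM, one with two failures and one with a single failure.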

