Intermittent failure to authenticate using NTLM with NT_STATUS_ACCESS_DENIED

Richard Sharpe realrichardsharpe at gmail.com
Sun Nov 15 15:53:22 UTC 2015


On Sun, Nov 15, 2015 at 3:55 AM, Stefan Metzmacher <metze at samba.org> wrote:
> Am 12.11.2015 um 14:21 schrieb Stefan Metzmacher:
>> Hi Richard,
>>
>>>>>> We are intermittently seeing NTLM auth failing with
>>>>>> NT_STATUS_ACCESS_DENIED and we see this message in winbindd.log:
>>>>>>
>>>>>> [2015/10/08 15:34:33.393987,  3, pid=3549, effective(0, 0), real(0,
>>>>>> 0), class=winbind]
>>>>>> ../source3/winbindd/winbindd_pam.c:1426(winbind_samlogon_retry_loop)
>>>>>>   winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.
>>>>>> Maybe the trust account password was changed and we didn't know it.
>>>>>> Killing connections to domain SOMEDOM
>>>>>>
>>>>>> Now, the real reason seems to be that one of the DCs in that domain
>>>>>> disallows NTLM authentication and whenever winbindd finds that DC we
>>>>>> get this problem.
>>>>>>
>>>>>> Is there some way to tell winbindd not to use that DC?
>>>>>>
>>>>>> Also, I notice that in some instances in winbind_samlogon_retry_loop
>>>>>> we move to another DC but not in this case. We simply retry with the
>>>>>> same DC.
>>>>>>
>>>>>> I suspect that we should move to another DC in this case as well.
>>>>>>
>>>>>> Any comments?
>>>>>
>>>>> Yep - getting ACCESS_DENIED should certainly trigger adding
>>>>> the DC to the negative connection cache.
>>>>
>>>> But not on the first failure!
>>>
>>> Hmmm, why not. If it is returning ACCESS_DENIED either someone has
>>> changed the machine account password without telling us or that DC
>>> does not like NTLM passthrough ...
>>
>> I'd assume that we need to distinguish between ACCESS_DENIED in response
>> to a netr_ServerAuthenticate*() where we could be rejected because
>> of a changed machine password (very unlikely to happen) and other calls.
>>
>> If other calls return ACCESS_DENIED (which can happen if the dc restarts)
>> we need to destroy the connection and netlogon_creds_cli.tdb entry and
>> reauthenticate.
>>
>> The question is which request returns ACCESS_DENIED in the situation
>> where the DC rejects NTLM authentication.
>>
>> Do we have a capture and level 10 logs?
>
> [MS-APDS] and [MS-NLMP] contain STATUS_NTLM_BLOCKED, I'm wondering
> why we don't get that instead of STATUS_ACCESS_DENIED...

This is a good question.

I will have to get QA to repro the problem so I can check this ...
probably early in December is the earliest I can do it though.

-- 
Regards,
Richard Sharpe
(What dissolves sorrow? Only Dukang wine. -- Cao Cao)
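The thread discusses how a DC retry loop should react to ACCESS_DENIED: an ACCESS_DENIED from the Netlogon secure-channel setup (netr_ServerAuthenticate*) may mean our own trust-account password changed and should not be blamed on the DC, an ACCESS_DENIED from a later call such as netr_LogonSamLogon (which can happen if the DC restarted) calls for dropping the connection and its cached credentials and re-authenticating, and a DC that keeps refusing belongs in the negative connection cache so the loop moves on. The following is an added, self-contained model of that policy written for this page; it is not winbindd's code from source3/winbindd/winbindd_pam.c, and FakeDC, Domain, samlogon_retry_loop and demo are names invented here. The status names follow the Windows NT_STATUS naming; the DCs and their responses are constructed stand-ins.

```python
"""Model of a DC retry loop for NTLM pass-through authentication.

Constructed illustration of the policy discussed in the thread, not Samba's
winbindd code.  Secure-channel setup refused -> suspect our own trust-account
password, do not negative-cache the DC.  SamLogon refused -> drop connection
and cached creds, re-authenticate once to the same DC; if it still refuses,
negative-cache it and try the next DC.  NTLM_BLOCKED -> move on at once.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

NT_STATUS_OK = "NT_STATUS_OK"
NT_STATUS_ACCESS_DENIED = "NT_STATUS_ACCESS_DENIED"
NT_STATUS_NTLM_BLOCKED = "NT_STATUS_NTLM_BLOCKED"
NT_STATUS_NO_LOGON_SERVERS = "NT_STATUS_NO_LOGON_SERVERS"


@dataclass
class FakeDC:
    """Constructed stand-in for a domain controller (hypothetical)."""
    name: str
    auth_status: str = NT_STATUS_OK          # netr_ServerAuthenticate3 result
    logon_statuses: List[str] = field(       # successive SamLogon results;
        default_factory=lambda: [NT_STATUS_OK])  # the last one repeats
    calls: List[str] = field(default_factory=list)

    def server_authenticate(self) -> str:
        self.calls.append("netr_ServerAuthenticate3")
        return self.auth_status

    def sam_logon(self) -> str:
        self.calls.append("netr_LogonSamLogon")
        status = self.logon_statuses[0]
        if len(self.logon_statuses) > 1:
            self.logon_statuses.pop(0)
        return status


@dataclass
class Domain:
    dcs: List[FakeDC]
    negative_cache: Set[str] = field(default_factory=set)
    creds: Dict[str, bool] = field(default_factory=dict)  # ~ netlogon_creds_cli.tdb
    log: List[str] = field(default_factory=list)


def samlogon_retry_loop(domain: Domain) -> str:
    """Try each DC not in the negative cache; return the final NT status."""
    for dc in domain.dcs:
        if dc.name in domain.negative_cache:
            continue
        if not domain.creds.get(dc.name):
            status = dc.server_authenticate()
            if status == NT_STATUS_ACCESS_DENIED:
                # Secure-channel setup refused: probably our trust-account
                # password changed.  Not the DC's fault, so no negative cache.
                domain.log.append(f"{dc.name}: ServerAuthenticate ACCESS_DENIED,"
                                  " check trust account password")
                return status
            if status != NT_STATUS_OK:
                domain.negative_cache.add(dc.name)   # unreachable/broken DC
                continue
            domain.creds[dc.name] = True
        reauthenticated = False
        while True:
            status = dc.sam_logon()
            if status == NT_STATUS_NTLM_BLOCKED:
                domain.log.append(f"{dc.name}: NTLM blocked, negative caching")
                domain.negative_cache.add(dc.name)
                break
            if status == NT_STATUS_ACCESS_DENIED and not reauthenticated:
                # DC may have restarted: destroy connection and cached creds,
                # re-authenticate once to the same DC, then retry the logon.
                domain.log.append(f"{dc.name}: SamLogon ACCESS_DENIED, reauth")
                domain.creds.pop(dc.name, None)
                if dc.server_authenticate() != NT_STATUS_OK:
                    return NT_STATUS_ACCESS_DENIED
                domain.creds[dc.name] = True
                reauthenticated = True
                continue
            if status == NT_STATUS_ACCESS_DENIED:
                domain.log.append(f"{dc.name}: denied again after reauth,"
                                  " negative caching and moving on")
                domain.negative_cache.add(dc.name)
                break
            return status
    return NT_STATUS_NO_LOGON_SERVERS


def demo() -> Dict[str, object]:
    """Three constructed scenarios; returns statuses and cache contents."""
    blocking = FakeDC("DC1", logon_statuses=[NT_STATUS_ACCESS_DENIED])
    d1 = Domain([blocking, FakeDC("DC2")])           # DC1 refuses pass-through
    s1 = samlogon_retry_loop(d1)
    d2 = Domain([FakeDC("DC1", auth_status=NT_STATUS_ACCESS_DENIED), FakeDC("DC2")])
    s2 = samlogon_retry_loop(d2)                     # trust account changed
    restarted = FakeDC("DC1", logon_statuses=[NT_STATUS_ACCESS_DENIED, NT_STATUS_OK])
    d3 = Domain([restarted, FakeDC("DC2")])          # DC1 restarted, recovers
    s3 = samlogon_retry_loop(d3)
    return {"s1": s1, "neg1": d1.negative_cache, "calls1": blocking.calls,
            "s2": s2, "neg2": d2.negative_cache,
            "s3": s3, "neg3": d3.negative_cache, "dc2_calls3": d3.dcs[1].calls}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The model mirrors the two halves of the discussion: the first ACCESS_DENIED on SamLogon costs one re-authentication to the same DC rather than a failover, which is what makes a restarted DC recoverable, while a DC that keeps denying (or answers NTLM_BLOCKED) is negative-cached so the next request goes elsewhere instead of repeating the failure against the same server.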
