Intermittent failure to authenticate using NTLM with NT_STATUS_ACCESS_DENIED

Richard Sharpe realrichardsharpe at gmail.com
Thu Oct 8 23:11:19 UTC 2015


Hi folks,

We are intermittently seeing NTLM auth failing with
NT_STATUS_ACCESS_DENIED and we see this message in winbindd.log:

[2015/10/08 15:34:33.393987,  3, pid=3549, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_pam.c:1426(winbind_samlogon_retry_loop)
  winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED. Maybe the trust account password was changed and we didn't know it. Killing connections to domain SOMEDOM

Now, the real reason seems to be that one of the DCs in that domain
disallows NTLM authentication and whenever winbindd finds that DC we
get this problem.

Is there some way to tell winbindd not to use that DC?

Also, I notice that in some instances in winbind_samlogon_retry_loop
we move to another DC but not in this case. We simply retry with the
same DC.

I suspect that we should move to another DC in this case as well.

Any comments?

Also, perhaps we should retry with as many DCs as we can find?

-- 
Regards,
Richard Sharpe
(How can one dispel sorrow? Only with Du Kang. --Cao Cao)


