Intermittent failure to authenticate using NTLM with NT_STATUS_ACCESS_DENIED

Jeremy Allison jra at samba.org
Thu Oct 8 23:19:07 UTC 2015


On Thu, Oct 08, 2015 at 04:11:19PM -0700, Richard Sharpe wrote:
> Hi folks,
> 
> We are intermittently seeing NTLM auth failing with
> NT_STATUS_ACCESS_DENIED and we see this message in winbindd.log:
> 
> [2015/10/08 15:34:33.393987,  3, pid=3549, effective(0, 0), real(0,
> 0), class=winbind]
> ../source3/winbindd/winbindd_pam.c:1426(winbind_samlogon_retry_loop)
>   winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.
> Maybe the trust account password was changed and we didn't know it.
> Killing connections to domain SOMEDOM
> 
> Now, the real reason seems to be that one of the DCs in that domain
> disallows NTLM authentication and whenever winbindd finds that DC we
> get this problem.
> 
> Is there some way to tell winbindd not to use that DC?
> 
> Also, I notice that in some instances in winbind_samlogon_retry_loop
> we move to another DC but not in this case. We simply retry with the
> same DC.
> 
> I suspect that we should move to another DC in this case as well.
> 
> Any comments?

Yep - getting ACCESS_DENIED should certainly trigger adding
the DC to the negative connection cache.


