Intermittent failure to authenticate using NTLM with NT_STATUS_ACCESS_DENIED

Uri Simchoni uri at samba.org
Fri Oct 9 21:27:25 UTC 2015
On 10/09/2015 11:56 PM, Richard Sharpe wrote:
> On Fri, Oct 9, 2015 at 9:24 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> OK, so there is a situation where we could get access denied because
>> the machine account password has changed. Let's say we are already
>> connected and someone changes it. In that case we would not want to
>> black-list it, but just connect to another DC.
>>
>> Maybe what I need to do is to increase the retry count to three.
>>
>> However the failure I was seeing seemed to occur on the retry as well,
>> because we found the same DC name again and connected to it.
>>
>> Maybe all I need to do is deprecate that name? Perhaps remove it from
>> gencache ...
> Having stared at that code a lot now, I think the thing to do is call
> saf_delete(domain->name).
>
> This will remove affinity to that name and allow us to try a different DC.
>
> There could still be intermittent successes if there was one server
> that allowed pass through auth while the others didn't.
>
You want saf_delete(domain->alt_name) too, because that's the DNS name 
and that's what counts in DNS searches.

Calling winbind_add_failed_connection_entry() will call saf_delete() for 
you and also blacklist the failed DC. The blacklisting (lasting for one 
minute) is what guarantees that the next attempt will not try this DC.

Once the AD setup is screwed up (inconsistent configuration between 
servers) there's no possibility of a "perfect" behavior on our part - 
perhaps the best we can do is make it easiest to spot - as you point out 
in the log patch.
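To make the failover logic under discussion concrete, here is an added toy model (not Samba's code; every name in it, such as FailoverState and authenticate, is invented for illustration): server-affinity entries keyed by both the NetBIOS name and the DNS alt_name are dropped together on failure, the failed DC is blacklisted for one minute, and the retry therefore lands on a different DC.

```python
# Added illustration, not Samba's code: a minimal model of the failover logic
# discussed above -- server-affinity (SAF) entries keyed by both the NetBIOS
# domain name and the DNS alt_name, plus a one-minute blacklist of failed DCs.
# All names here (FailoverState, pick_dc, authenticate, ...) are hypothetical.
BLACKLIST_SECONDS = 60  # the one-minute blacklisting described in the thread


class FailoverState:
    def __init__(self):
        self.saf_cache = {}   # domain name or alt_name -> preferred DC
        self.blacklist = {}   # DC -> timestamp at which the entry expires

    def saf_delete(self, key):
        self.saf_cache.pop(key, None)

    def add_failed_connection_entry(self, name, alt_name, dc, now):
        # Drop affinity under both names, otherwise a DNS-based lookup can hand
        # back the very same DC; then blacklist it so the retry must go elsewhere.
        self.saf_delete(name)
        self.saf_delete(alt_name)
        self.blacklist[dc] = now + BLACKLIST_SECONDS

    def is_blacklisted(self, dc, now):
        return self.blacklist.get(dc, 0) > now

    def pick_dc(self, name, alt_name, candidates, now):
        # Honour affinity first, but never return a blacklisted DC.
        for key in (name, alt_name):
            dc = self.saf_cache.get(key)
            if dc and not self.is_blacklisted(dc, now):
                return dc
        for dc in candidates:
            if not self.is_blacklisted(dc, now):
                self.saf_cache[name] = self.saf_cache[alt_name] = dc
                return dc
        return None


def authenticate(state, name, alt_name, candidates, auth_fn, now, retries=3):
    """Try up to `retries` DCs; on failure blacklist the DC and move on."""
    tried = []
    for _ in range(retries):
        dc = state.pick_dc(name, alt_name, candidates, now)
        if dc is None:
            break
        tried.append(dc)
        if auth_fn(dc):  # auth_fn models the pass-through auth result on that DC
            return "NT_STATUS_OK", tried
        state.add_failed_connection_entry(name, alt_name, dc, now)
    return "NT_STATUS_ACCESS_DENIED", tried
```

In the stale-password scenario from the thread, auth_fn would return False only for the DC that has not yet seen the new machine account password, so the second attempt succeeds on another DC while the first DC is skipped for a minute.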