Confusing message when pass-through auth fails with ACCESS_DENIED
Uri Simchoni
uri at samba.org
Fri Oct 9 21:55:33 UTC 2015
On 10/09/2015 06:43 PM, Richard Sharpe wrote:
> Hi folks,
>
> I think that something like this error message is much better:
>
> --- a/source3/winbindd/winbindd_pam.c
> +++ b/source3/winbindd/winbindd_pam.c
> @@ -1429,7 +1429,8 @@ static NTSTATUS
> winbind_samlogon_retry_loop(struct winbindd_domain *domain,
>
> if ( NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED) ) {
> DEBUG(3,("winbind_samlogon_retry_loop:
> sam_logon returned "
> - "ACCESS_DENIED. Maybe the trust account "
> + "ACCESS_DENIED. Maybe the DC does not allow"
> + " passthrough auth or the trust account "
> "password was changed and we didn't know it. "
> "Killing connections to domain %s\n",
> domainname));
>
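Review bot: In the two added lines the separating space has moved to the start of the second literal (" passthrough auth or the trust account "), while the other fragments of this message carry their space at the end. Writing "ACCESS_DENIED. Maybe the DC does not allow " followed by "passthrough auth or the trust account " keeps the convention and makes a dropped space easier to spot in later edits. Separately, the message is still emitted through DEBUG(3, ...) although its own text says connections to the domain are being killed, so neither suggested cause is visible at log levels below 3; consider raising its visibility in the same change.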
> Any comments?
>
I think it's rare enough and significant enough (causes reconnect) for
decreasing the debug level (or use DBG_WARNING ?).
Perhaps the message should include the words "restrict NTLM" ("maybe
NTLM passthrough auth is restricted") because I believe that's what
Microsoft calls it and it would make it easier for someone to google the
workaround.
Uri.