NTLM authentication with onsite RODC failing with NT_STATUS_NO_TRUST_SAM_ACCOUNT.

Hemanth Thummala hemanth.thummala at nutanix.com
Fri Nov 4 19:56:30 UTC 2016


Hi Everyone,

We are using the Samba 4.3.11 stack and are currently facing issues getting NTLM working while communicating with an onsite Read Only Domain Controller.

Over the wire, I see that the NetrServerAuthenticate3 request is actually failing.

1248 7.931418 xx.xx.xx.xx yy.yy.yy.yy RPC_NETLOGON 402 NetrServerAuthenticate3 request
1249 7.931908 yy.yy.yy.yy xx.xx.xx.xx RPC_NETLOGON 226 NetrServerAuthenticate3 response, STATUS_NO_TRUST_SAM_ACCOUNT

Not really sure what's going wrong with this request. Authentication goes through fine as soon as the node starts communicating with the writable DC in the same site.

Also, the same thing happens when I run the winbindd trust check.


$ sudo wbinfo -t
checking the trust secret for domain AUTOMATION_NB via RPC calls failed
wbcCheckTrustCredentials(AUTOMATION_NB): error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
Could not check secret


The [MS-NRPC] (Netlogon Remote Protocol) spec says the following could be the reason for this error:

"The security database on the server does not have a computer account for this workstation trust relationship."

- But we have made sure that the join status is good. In fact, I have re-joined the node to the domain and also made sure that there were no previous stale instances.

And the reason for the NetrServerAuthenticate3 failure with this error:

"The server MUST compute or retrieve the NTOWFv1 (as specified in NTLM v1 Authentication in [MS-NLMP] section 3.3.1) of the client computer password and use it to compute a session key, as described in section 3.1.4.3. If the server cannot compute or retrieve the NTOWFv1 of the client computer password, it MUST return STATUS_NO_TRUST_SAM_ACCOUNT."

- This seems to be a basic client credentials validation failure. The Windows Server version for the RODC is win2k12r2. Not sure if the issue is specific to the version.

Here are the log snippets from various logs for this issue:

Client.log:
…
[2016/11/04 12:21:53.554915, 10, pid=21508, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth_winbind.c:105(check_winbind_security)
  check_winbind_security: wbcAuthenticateUserEx failed: WBC_ERR_AUTH_ERROR
[2016/11/04 12:21:53.554924,  5, pid=21508, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
  check_ntlm_password: winbind authentication for user [administrator] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/11/04 12:21:53.554937,  2, pid=21508, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [administrator] -> [administrator] FAILED with error NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/11/04 12:21:53.554945,  5, pid=21508, effective(0, 0), real(0, 0)] ../source3/auth/auth_ntlmssp.c:188(auth3_check_password)
  Checking NTLMSSP password for AUTOMATION_NB\administrator failed: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/11/04 12:21:53.554955,  5, pid=21508, effective(0, 0), real(0, 0)] ../auth/ntlmssp/ntlmssp_server.c:737(ntlmssp_server_check_password)
  ../auth/ntlmssp/ntlmssp_server.c:737: Checking NTLMSSP password for AUTOMATION_NB\administrator failed: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/11/04 12:21:53.554967,  2, pid=21508, effective(0, 0), real(0, 0)] ../auth/gensec/spnego.c:716(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_NO_TRUST_SAM_ACCOUNT
…
Winbindd log:
…
[2016/11/04 12:22:44.469928, 10, pid=17781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:731(process_request)
  process_request: Handling async request 21841:CHECK_MACHACC
[2016/11/04 12:22:44.469947,  1, pid=17781, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_CheckMachineAccount: struct wbint_CheckMachineAccount
          in: struct wbint_CheckMachineAccount
[2016/11/04 12:22:45.809451, 10, pid=17781, effective(0, 0), real(0, 0)] ../source4/lib/messaging/messaging.c:423(imessaging_dgm_recv)
  imessaging_dgm_recv: dst 17781 matches my id: 17781, type=0x40b
[2016/11/04 12:22:45.809502, 10, pid=17781, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:254(messaging_recv_cb)
  messaging_recv_cb: Received message 0x40b len 14 (num_fds:0) from 17802
[2016/11/04 12:22:45.809528, 10, pid=17781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd_cm.c:394(winbind_msg_domain_online)
  Domain AUTOMATION_NB is marked as online now.
[2016/11/04 12:22:45.873070,  1, pid=17781, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       wbint_CheckMachineAccount: struct wbint_CheckMachineAccount
          out: struct wbint_CheckMachineAccount
              result                   : NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/11/04 12:22:45.873130, 10, pid=17781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:793(wb_request_done)
  wb_request_done[21841:CHECK_MACHACC]: NT_STATUS_NO_TRUST_SAM_ACCOUNT
[2016/11/04 12:22:45.873162, 10, pid=17781, effective(0, 0), real(0, 0), class=winbind] ../source3/winbindd/winbindd.c:861(winbind_client_response_written)
  winbind_client_response_written[21841:CHECK_MACHACC]: delivered response to client
…


Log.wb-AUTOMATION_NB
…
[2016/11/04 12:22:59.851451,  1, pid=17802, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
       netr_ServerAuthenticate3: struct netr_ServerAuthenticate3
          out: struct netr_ServerAuthenticate3
              return_credentials       : *
                  return_credentials: struct netr_Credential
                      data                     : 0000000000000000
              negotiate_flags          : *
                  negotiate_flags          : 0x610fffff (1628438527)
              rid                      : *
                  rid                      : 0x00000000 (0)
              result                   : NT_STATUS_NO_TRUST_SAM_ACCOUNT
…



Any help would be much appreciated. Please let me know if anyone would like additional logs and captures.


Thanks,

Hemanth.
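
To illustrate the server-side step the [MS-NRPC] text above describes, here is an added Python example (not from the post, Samba or Microsoft): it computes NTOWFv1 (MD4 of the UTF-16LE password), derives the AES-style Netlogon session key from it, and models what NetrServerAuthenticate3 returns when the answering DC holds, or does not hold, the machine account's secret. The account name NODE1$, the RID and the challenges are constructed sample values; the AES-CFB8 return credential is left out since the standard library has no AES.

```python
import hashlib, hmac, struct

STATUS_SUCCESS = 0x00000000
STATUS_NO_TRUST_SAM_ACCOUNT = 0xC000018B  # the code wbinfo -t printed above

def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

# MD4 (RFC 1320): per-round boolean function, additive constant, word order and shift cycle.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)

def md4(data: bytes) -> bytes:
    """Pure-Python MD4; hashlib's md4 is often unavailable on OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in _ROUNDS:
            for i, w in enumerate(order):
                a, b, c, d = d, _lrot((a + fn(b, c, d) + x[w] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def ntowf_v1(password: str) -> bytes:
    """NTOWFv1 per [MS-NLMP] 3.3.1: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))

def session_key_aes(ntowf: bytes, client_challenge: bytes, server_challenge: bytes) -> bytes:
    """[MS-NRPC] 3.1.4.3.1, used when the AES flag (0x01000000, set in the 0x610fffff above) is
    negotiated: HMAC-SHA256 keyed by the NTOWFv1 over ClientChallenge || ServerChallenge, first 16 bytes."""
    return hmac.new(ntowf, client_challenge + server_challenge, hashlib.sha256).digest()[:16]

def server_authenticate3(account: str, secrets: dict, client_challenge: bytes, server_challenge: bytes) -> dict:
    """Server side of NetrServerAuthenticate3. `secrets` maps machine account -> (rid, NTOWFv1) as held by
    the answering DC: a writable DC has every account's secret, an RODC only those its Password
    Replication Policy lets it cache. Without the secret no session key can be derived, so the reply is
    zeroed credentials, rid 0 and the failure status, i.e. the 'out' structure in the log above."""
    entry = secrets.get(account)
    if entry is None:
        return {"result": STATUS_NO_TRUST_SAM_ACCOUNT, "rid": 0, "return_credentials": bytes(8)}
    rid, ntowf = entry  # the AES-CFB8 return credential is omitted here (no AES in the stdlib)
    return {"result": STATUS_SUCCESS, "rid": rid,
            "session_key": session_key_aes(ntowf, client_challenge, server_challenge)}
```

Passing an empty `secrets` dict reproduces the failing reply from the log; adding the account's entry is what a writable DC, or an RODC that has cached the secret, would have.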
