NTLM authentication with onsite RODC failing with NT_STATUS_NO_TRUST_SAM_ACCOUNT.

Jeremy Allison jra at samba.org
Fri Nov 4 21:36:36 UTC 2016


On Fri, Nov 04, 2016 at 07:56:30PM +0000, Hemanth Thummala wrote:
> Hi Everyone,
> 
> We are using the samba 4.3.11 stack, and are currently facing issues getting NTLM working while communicating with the onsite Read Only Domain Controller.
> 
> Over the wire, I see that the NetrServerAuthenticate3 request is actually failing.
> 
> 1248 7.931418 xx.xx.xx.xx yy.yy.yy.yy RPC_NETLOGON 402 NetrServerAuthenticate3 request
> 1249 7.931908 yy.yy.yy.yy xx.xx.xx.xx RPC_NETLOGON 226 NetrServerAuthenticate3 response, STATUS_NO_TRUST_SAM_ACCOUNT

STATUS_NO_TRUST_SAM_ACCOUNT means the DC can't find the account associated
with this machine. If you query the RODC, do you see the computer account
for the Samba server listed in the computers?

> Not really sure what's going wrong with this request. Authentication goes through fine as soon as the node starts communicating with the writable DC in the same site.
> 
> Also the same thing happens when I run the winbindd trust check.
> 
> 
> $ sudo wbinfo -t
> 
> checking the trust secret for domain AUTOMATION_NB via RPC calls failed
> 
> wbcCheckTrustCredentials(AUTOMATION_NB): error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
> 
> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
> 
> Could not check secret
> 
> 
> The [MS-NRPC] (Netlogon Remote Protocol) spec says the following could be the reason for this error:
> 
> "The security database on the server does not have a computer account for this workstation trust relationship"
> 
> - But we have made sure that the join status is good. In fact, I have re-joined the node to the domain and also made sure that there were no previous stale instances.

Check on the RODC directly. Ensure it's really there.

> And the reason given for the NetrServerAuthenticate3 failure with this error:
> 
> "The server MUST compute or retrieve the NTOWFv1 (as specified in NTLM v1 Authentication in [MS- NLMP] section 3.3.1) of the client computer password and use it to compute a session key, as described in section 3.1.4.3. If the server cannot compute or retrieve the NTOWFv1 of the client computer password, it MUST return STATUS_NO_TRUST_SAM_ACCOUNT."
> 
> - This seems to be a basic client credentials validation failure. The Windows Server version for the RODC is win2k12r2. Not sure if the issue is specific to the version.
> 
> Here are the log snippets from various logs for this issue while:

Our client logs won't tell you much - it is an error on the DC
side. What do the event logs on the RODC being contacted say?
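To make the "check on the RODC directly" step concrete, here is an added shell example; it is not part of the original thread and not Samba's own tooling. It queries one named DC with the OpenLDAP `ldapsearch` client using the member's Kerberos ticket (GSSAPI) and parses the LDIF it returns to decide whether the machine account (HOST$) is present there. The RODC hostname, base DN, the SMBNODE account name and the sample LDIF are constructed placeholders.

```shell
# Added example (not from the samba-technical thread): ask a specific DC
# whether it returns this member's computer account, so the RODC's view can be
# compared with the writable DC's. All names below are constructed placeholders.

# Parse LDIF text (as printed by "ldapsearch -LLL") and succeed only if a
# sAMAccountName line for the machine account HOST$ is present.
account_present() {
    ldif="$1"; host="$2"
    printf '%s\n' "$ldif" | grep -qi "^sAMAccountName: ${host}\\\$\$"
}

# Live query against one named DC using the host's Kerberos credentials.
# Not run automatically here; call it yourself, e.g.
#   query_dc rodc01.example.com SMBNODE "DC=example,DC=com"
query_dc() {
    dc="$1"; host="$2"; base="$3"
    ldapsearch -LLL -Y GSSAPI -H "ldap://$dc" -b "$base" \
        "(&(objectClass=computer)(sAMAccountName=${host}\$))" sAMAccountName
}

# Human-readable verdict for a DC's answer: prints "present" or "absent".
verdict() {
    if account_present "$1" "$2"; then echo present; else echo absent; fi
}

# Constructed sample of what a DC that holds the account returns.
SAMPLE_FOUND='dn: CN=SMBNODE,CN=Computers,DC=example,DC=com
sAMAccountName: SMBNODE$'
# A DC that cannot see the account returns no entries at all.
SAMPLE_MISSING=''

# Offline demonstration with the constructed samples (constructed output).
echo "writable DC answer: $(verdict "$SAMPLE_FOUND" SMBNODE)"
echo "RODC answer:        $(verdict "$SAMPLE_MISSING" SMBNODE)"
```

Run `query_dc` once against the RODC named in the NetrServerAuthenticate3 capture and once against the writable DC in the same site, and feed each answer to `verdict`. "present" on the writable DC but "absent" on the RODC matches the symptom in the thread (authentication works only once the node talks to the writable DC) and points at the RODC side rather than at the join.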
