NTLM authentication with onsite RODC failing with NT_STATUS_NO_TRUST_SAM_ACCOUNT.

Hemanth Thummala hemanth.thummala at nutanix.com
Fri Nov 4 21:51:11 UTC 2016


Thanks Jeremy.
I was able to fix the issue by adding the machine account to the Allowed RODC Password Replication Group in the Password Replication Policy (PRP) on the RODC.

Windows NetLogon event message was very obvious. :-)

"USER ACTION
If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time. If this is a Read-Only Domain Controller and 'TEST_FS1$' is a legitimate machine account for the computer 'TEST_FS1' then 'TEST_FS1' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller capable of servicing the request (for example a writable domain controller)."

I am aware that we should always have this PRP policy set for the machine account when performing the domain join through an RODC (i.e. pre-creating the machine account, etc.). I'm not sure whether this is mandatory if we use a writable DC for the domain join and later use the RODC for authentication purposes.

Thanks,
Hemanth.




On 11/4/16, 2:36 PM, "Jeremy Allison" <jra at samba.org> wrote:

>On Fri, Nov 04, 2016 at 07:56:30PM +0000, Hemanth Thummala wrote:
>> Hi Everyone,
>> 
>> We are using the Samba 4.3.11 stack and are currently facing issues getting NTLM working while communicating with an onsite Read-Only Domain Controller.
>> 
>> Over the wire, I see that the NetrServerAuthenticate3 request is actually failing.
>> 
>> 1248 7.931418 xx.xx.xx.xx yy.yy.yy.yy RPC_NETLOGON 402 NetrServerAuthenticate3 request
>> 1249 7.931908 yy.yy.yy.yy xx.xx.xx.xx RPC_NETLOGON 226 NetrServerAuthenticate3 response, STATUS_NO_TRUST_SAM_ACCOUNT
>
>STATUS_NO_TRUST_SAM_ACCOUNT means the DC can't find the account associated
>with this machine. If you query the RODC do you see the computer account
>for the Samba server listed in the computers ?
>
>> Not really sure what's going wrong with this request. Authentication goes through fine as soon as the node starts communicating with the writable DC in the same site.
>> 
>> Also the same thing happens when I run the winbindd trust check.
>> 
>> 
>> $ sudo wbinfo -t
>> 
>> checking the trust secret for domain AUTOMATION_NB via RPC calls failed
>> 
>> wbcCheckTrustCredentials(AUTOMATION_NB): error code was NT_STATUS_NO_TRUST_SAM_ACCOUNT (0xc000018b)
>> 
>> failed to call wbcCheckTrustCredentials: WBC_ERR_AUTH_ERROR
>> 
>> Could not check secret
>> 
>> 
>> The [MS-NRPC] (Netlogon Remote Protocol) spec says the following could be the reason for this error:
>> 
>> "The security database on the server does not have a computer account for this workstation trust relationship"
>> 
>> - But we have made sure that the join status is good. In fact, I have re-joined the node to the domain and also made sure that there were no previous stale instances.
>
>Check on the RODC directly. Ensure it's really there.
>
>> And the reason for NetrServerAuthenticate3 failure with this error:
>> 
>> "The server MUST compute or retrieve the NTOWFv1 (as specified in NTLM v1 Authentication in [MS-NLMP] section 3.3.1) of the client computer password and use it to compute a session key, as described in section 3.1.4.3. If the server cannot compute or retrieve the NTOWFv1 of the client computer password, it MUST return STATUS_NO_TRUST_SAM_ACCOUNT."
>> 
>>  - This seems to be a basic client credentials validation failure. The Windows Server version the RODC is running is 2012 R2. Not sure if the issue is specific to that version.
>> 
>> Here are the log snippets from various logs for this issue while:
>
>Our client logs won't tell you much - it is an error on the DC
>side. What do the event logs on the RODC being contacted say ?


More information about the samba-technical mailing list