Intermittent failure to authenticate using NTLM with NT_STATUS_ACCESS_DENIED
metze at samba.org
Sun Sep 10 10:01:51 UTC 2017
> We are intermittently seeing NTLM auth failing with
> NT_STATUS_ACCESS_DENIED and we see this message in winbindd.log:
> [2015/10/08 15:34:33.393987, 3, pid=3549, effective(0, 0), real(0, 0), class=winbind]
> winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.
> Maybe the trust account password was changed and we didn't know it.
> Killing connections to domain SOMEDOM
> Now, the real reason seems to be that one of the DCs in that domain
> disallows NTLM authentication and whenever winbindd finds that DC we
> get this problem.
I just came across something similar.
Are you really sure the disabled NTLM authentication was the
reason here? As far as I remember a DC would return
NT_STATUS_NTLM_BLOCKED instead of NT_STATUS_ACCESS_DENIED in such
See [MS-APDS] 3.1.5 Message Processing Events and Sequencing Rules:
If NTLMServerDomainBlocked == TRUE, the NTLM server SHOULD<7> return
STATUS_NTLM_BLOCKED to the NTLM client.
If the DC is of the resource domain:
* If ResourceDCBlocked == TRUE, and the NTLM server's name is not
equal to any of the DCBlockExceptions server names, the DC SHOULD<8>
If the DC is of the account domain:
* If AccountDCBlocked == TRUE, the APDS server SHOULD<9> return
* If the domainControllerFunctionality attribute
([MS-ADTS] section 126.96.36.199.2.25) returns a value that is >= 6,
the account is not also the NTLM server's account, and the APDS
server determines that an authentication policy setting ([MS-KILE]
section 188.8.131.52) applies, then:
* If AllowedToAuthenticateTo is not NULL, an access check SHOULD<10>
be performed to determine whether the user has the ACL granting
ACTRL_DS_CONTROL_ACCESS ([MS-SAMR] section 184.108.40.206). If the
access check fails, APDS MUST return
The only situation I saw NT_STATUS_ACCESS_DENIED from
NetrLogonSamLogonEx was when the DC was installed correctly
and still had SYSVOLReady = 0. See
And I think this is a situation where we should ban that DC.
Also with our current netlogon_cli_creds.tdb infrastructure
I can't see how we could ever get NT_STATUS_ACCESS_DENIED
from NetrLogonSamLogon[WithFlags]() when using the credential
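One way to check the point made in this reply against an actual winbindd.log is to separate the sam_logon status codes the retry loop reports per trust domain, so an ACCESS_DENIED stream (trust account / DC-state problem) is not mistaken for an NTLM_BLOCKED stream (a DC that really refuses NTLM). The following is an added example, not code from the thread or from Samba: the log entries are constructed in the header format quoted above (header on one line, message continuation lines indented), and the NTLM_BLOCKED entry and the "OTHERDOM" domain are assumptions made up to show the distinction; the exact text winbindd would emit for NT_STATUS_NTLM_BLOCKED is not given in the thread.

```python
import re
from collections import Counter

# Constructed sample winbindd.log entries (not a real capture). The first and
# last entries mirror the message quoted in the thread; the NTLM_BLOCKED entry
# is an assumed shape for a DC that really blocks NTLM.
SAMPLE_LOG = """\
[2015/10/08 15:34:33.393987, 3, pid=3549, effective(0, 0), real(0, 0), class=winbind]
  winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.
  Maybe the trust account password was changed and we didn't know it.
  Killing connections to domain SOMEDOM
[2015/10/08 15:34:35.100000, 5, pid=3549, effective(0, 0), real(0, 0), class=winbind]
  some unrelated debug line
[2015/10/08 15:36:02.000001, 3, pid=3549, effective(0, 0), real(0, 0), class=winbind]
  winbind_samlogon_retry_loop: sam_logon returned NTLM_BLOCKED.
  Killing connections to domain OTHERDOM
[2015/10/08 15:40:10.500000, 3, pid=3549, effective(0, 0), real(0, 0), class=winbind]
  winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.
  Maybe the trust account password was changed and we didn't know it.
  Killing connections to domain SOMEDOM
"""

# Header line: "[timestamp, level, pid=N, effective(...), real(...), class=X]"
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (\d+), pid=(\d+), [^\]]*class=(\w+)\]"
)
STATUS_RE = re.compile(r"sam_logon returned (\w+)")
DOMAIN_RE = re.compile(r"Killing connections to domain (\S+)")


def parse_entries(text):
    """Group the log into entries: one header line plus its continuation lines."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {
                "time": m.group(1),
                "level": int(m.group(2)),
                "pid": int(m.group(3)),
                "class": m.group(4),
                "body": [],
            }
            entries.append(current)
        elif current is not None:
            # Continuation line belongs to the most recent header.
            current["body"].append(line.strip())
    return entries


def samlogon_failures(text):
    """Return (time, domain, status) for every sam_logon retry-loop failure."""
    failures = []
    for entry in parse_entries(text):
        body = " ".join(entry["body"])
        status = STATUS_RE.search(body)
        if not status:
            continue
        domain = DOMAIN_RE.search(body)
        failures.append((entry["time"], domain.group(1) if domain else None, status.group(1)))
    return failures


def failures_by_domain(text):
    """Count failures per (domain, status) so ACCESS_DENIED and NTLM_BLOCKED are kept apart."""
    return Counter((domain, status) for _, domain, status in samlogon_failures(text))


if __name__ == "__main__":
    for (domain, status), count in sorted(failures_by_domain(SAMPLE_LOG).items()):
        print(f"{domain}: {status} x{count}")
```

If a domain only ever shows ACCESS_DENIED and never NTLM_BLOCKED, that is consistent with the reply's argument that an NTLM-blocking DC is not the explanation; a per-DC breakdown would need the DC name, which the quoted message does not carry, so a higher debug level or the netlogon connection messages would have to be correlated separately.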