[Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication

Sridhar Venkatakrishnan sridharvnkt at gmail.com
Tue Apr 5 13:59:20 GMT 2005


I looked at the code in nsswitch/winbindd_pam.c, specifically in the
winbindd_pam_auth_crap function, and this section of code looks like it
might be where the problem lies:

<snip>

do {
        ZERO_STRUCT(info3);
        ZERO_STRUCT(ret_creds);
        retry = False;

        /* Don't shut this down - it belongs to the connection cache code */
        result = cm_get_netlogon_cli(contact_domain, trust_passwd, sec_channel_type,
                                     False, &cli);

        if (!NT_STATUS_IS_OK(result)) {
                DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n",
                          nt_errstr(result)));
                goto done;
        }

        result = cli_netlogon_sam_network_logon(cli, mem_ctx,
                                                &ret_creds,
                                                name_user, name_domain,
                                                workstation,
                                                state->request.data.auth_crap.chal,
                                                lm_resp, nt_resp,
                                                &info3);

        attempts += 1;

        /* We have to try a second time as cm_get_netlogon_cli
           might not yet have noticed that the DC has killed
           our connection. */

        if ( cli->fd == -1 ) {
                retry = True;
                continue;
        }

        /* if we get access denied, a possible cause was that we had an open
           connection to the DC, but someone changed our machine account password
           out from underneath us using 'net rpc changetrustpw' */

        if ( NT_STATUS_V(result) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) ) {
                DEBUG(3,("winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust account "
                         "password was changed and we didn't know it. Killing connections to domain %s\n",
                         contact_domain->name));
                winbindd_cm_flush();
                retry = True;
                cli = NULL;
        }

} while ( (attempts < 2) && retry );

<snip>

( sorry about the formatting )

The winbindd logs report that the sam_logon returned ACCESS_DENIED and that 
the connections to the domain are being killed, after which the sam_logon is 
retried. This re-try seems to succeed in most cases, but my guess is that it 
fails occasionally. 

Thanks in advance for your time and interest

Sridhar

On Apr 4, 2005 10:22 PM, Sridhar Venkatakrishnan <sridharvnkt at gmail.com> 
wrote:
> Our DC is an NT4 SP6 box. I haven't been able to reproduce this
> problem reliably, but if I keep trying to access a printer share, the
> operations time out occasionally.
> 
> Thanks
> Sridhar
> 
> On Apr 4, 2005 8:28 AM, Gerald (Jerry) Carter <jerry at samba.org> wrote:
> >
> > Sridhar Venkatakrishnan wrote:
> > | Hi,
> > |
> > | We're running a print server having the following specifications:
> > |
> > | Samba 3.0.11
> > | Suse 9.1
> > | Kernel 2.6.5-7.108 kernel
> > |
> > | A few days back none of the users were able to log onto the print
> > | server. The debug 10 logs show the following lines:
> > |
> > | [2005/03/29 11:21:05, 5] auth/auth.c:check_ntlm_password(271)
> > | check_ntlm_password: winbind authentication for user [**user-name**]
> > | FAILED with error NT_STATUS_ACCESS_DENIED
> > |
> > | Does anyone have any ideas about why winbindd would throw up
> > | an ACCESS_DENIED?
> >
> > Is your DC a Windows 2003 SP1 box ? Are you using
> > 'security = domain' ? If so this is a known issue we are still
> > investigating.
> >
> > cheers, jerry
> > =====================================================================
> > Alleviating the pain of Windows(tm) ------- http://www.samba.org
> > GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
> > "I never saved anything for the swim back." Ethan Hawk in Gattaca
> >
>
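To make the retry budget in the loop Sridhar quoted above concrete, here is an added model of that do/while (written for this thread, not Samba's code) driven by a constructed, scripted DC; ST_OK/ST_ACCESS_DENIED, fake_dc and run_scenario are hypothetical stand-ins. It shows that the "trust password changed" case recovers on the second attempt, while the dead-socket retry and the ACCESS_DENIED retry draw from the same two-attempt budget, so a dead socket followed by ACCESS_DENIED flushes the cache but never gets the retry.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for the two NTSTATUS values the real loop compares. */
typedef enum { ST_OK = 0, ST_ACCESS_DENIED = 1 } status_t;

/* Scripted DC (constructed): reply[i] is sam_logon's result on call i, dead[i] models cli->fd == -1. */
struct fake_dc { const status_t *reply; const bool *dead; int next; int flushes; };

static status_t sam_logon(struct fake_dc *dc, bool *fd_dead) {
    int i = dc->next++;            /* scripts carry one entry per possible attempt (two) */
    *fd_dead = dc->dead[i];
    return dc->reply[i];
}

/* Mirrors the do/while in winbindd_pam_auth_crap: at most two attempts, shared by both retry paths. */
static status_t auth_crap_retry(struct fake_dc *dc, int *attempts_out) {
    int attempts = 0; bool retry, fd_dead; status_t result;
    do {
        retry = false;
        result = sam_logon(dc, &fd_dead);
        attempts += 1;
        if (fd_dead) { retry = true; continue; }   /* cli->fd == -1: jumps to the while test */
        if (result == ST_ACCESS_DENIED) {
            dc->flushes++;                          /* stands in for winbindd_cm_flush() */
            retry = true;
        }
    } while (attempts < 2 && retry);
    *attempts_out = attempts;
    return result;
}

/* Run one scripted scenario; reports attempts used and connection-cache flushes. */
status_t run_scenario(const status_t *reply, const bool *dead, int *attempts, int *flushes) {
    struct fake_dc dc = { reply, dead, 0, 0 };
    status_t r = auth_crap_retry(&dc, attempts);
    *flushes = dc.flushes;
    return r;
}

int main(void) {
    /* Constructed: trust password changed, flush + retry succeeds. */
    const status_t r1[] = { ST_ACCESS_DENIED, ST_OK };            const bool d1[] = { false, false };
    /* Constructed: socket already dead, then ACCESS_DENIED: budget exhausted, no second retry. */
    const status_t r2[] = { ST_ACCESS_DENIED, ST_ACCESS_DENIED }; const bool d2[] = { true, false };
    int a, f; status_t r;
    r = run_scenario(r1, d1, &a, &f); printf("pw changed:  result=%d attempts=%d flushes=%d\n", r, a, f);
    r = run_scenario(r2, d2, &a, &f); printf("dead+denied: result=%d attempts=%d flushes=%d\n", r, a, f);
    return 0;
}
```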
