[Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication
Sridhar Venkatakrishnan
sridharvnkt at gmail.com
Wed Apr 6 05:04:39 GMT 2005
Hi,
> Why do you think this iks the source of your problem? That aspect
> of you post is unclear to me.
What is currently happening is this:
I try to access a print share multiple times, by running
smbclient //PRINTSERVER/sharename -UDOMAIN\\username%password -c "ls"
repeatedly. I do this to provide a rough simulation of heavy load on the
print server .
For some of the access's the following shows up in the winbindd logs :
[2005/04/06 09:57:41, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)
winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust
account password was changed and we didn't know it. Killing connections to
domain DOMAIN
I looked at the code, and what seems to be happening is this:
winbindd tries a sam_logon and the DC returns NT_STATUS_ACCESS_DENIED ( or
samba thinks the DC returned NT_STATUS_ACCESS_DENIED) after which winbindd
re-tries the sam logon. In most cases the retry succeeds, however, it
occasionally fails. When this happens, the winbindd authentication fails and
the user gets an NT_STATUS_ACCESS_DENIED to the print share.
What has me confused is this : Why should the DC return
NT_STATUS_ACCESS_DENIED for a sam logon? The trust account password hasnt
been changed and I can't think of any other reasons.
I had a cursory look at the rpc_api_pipe_req function in
rpc_client/cli_pipe.c and figured out that the netsec (schannel) algorithm
was being used for the encoding of the challenge/response. I don't know too
much about the NTLM authentication protocol and so I'm still trying to
figure out if its a configuration problem with our DC or something else.
(Jerry - Sorry about the duplicate mail to you )
Thanks,
Sridhar
More information about the samba
mailing list