[Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication

Sridhar Venkatakrishnan sridharvnkt at gmail.com
Wed Apr 6 05:04:39 GMT 2005


> Why do you think this iks the source of your problem? That aspect
> of you post is unclear to me.

 What is currently happening is this:

I try to access a print share multiple times, by running 
smbclient //PRINTSERVER/sharename -UDOMAIN\\username%password -c "ls" 
repeatedly. I do this to provide a rough simulation of heavy load on the 
print server . 

For some of the access's the following shows up in the winbindd logs :

[2005/04/06 09:57:41, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)
 winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust 
account password was changed and we didn't know it. Killing connections to 
domain DOMAIN

I looked at the code, and what seems to be happening is this:

winbindd tries a sam_logon and the DC returns NT_STATUS_ACCESS_DENIED ( or 
samba thinks the DC returned NT_STATUS_ACCESS_DENIED) after which winbindd 
re-tries the sam logon. In most cases the retry succeeds, however, it 
occasionally fails. When this happens, the winbindd authentication fails and 
the user gets an NT_STATUS_ACCESS_DENIED to the print share.

What has me confused is this : Why should the DC return 
NT_STATUS_ACCESS_DENIED for a sam logon? The trust account password hasnt 
been changed and I can't think of any other reasons.

I had a cursory look at the rpc_api_pipe_req function in 
rpc_client/cli_pipe.c and figured out that the netsec (schannel) algorithm 
was being used for the encoding of the challenge/response. I don't know too 
much about the NTLM authentication protocol and so I'm still trying to 
figure out if its a configuration problem with our DC or something else.

(Jerry - Sorry about the duplicate mail to you )


More information about the samba mailing list