[Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication

David Girard DGirard at lason.com
Wed Apr 6 16:10:08 GMT 2005


Jerry, Sridhar:

Is there any chance that this problem could be related to the one that I am having with multiple connections failing?

The difference that I see with this problem and my problem is that mine occurs no matter what type of authentication I'm using...even local...

Could this be a problem higher up in the process?

_David

>>> Sridhar Venkatakrishnan <sridharvnkt at gmail.com> 4/6/2005 1:04:39 AM >>>
Hi, 

> Why do you think this is the source of your problem? That aspect
> of your post is unclear to me.

What is currently happening is this:

I try to access a print share multiple times, by running 
smbclient //PRINTSERVER/sharename -UDOMAIN\\username%password -c "ls" 
repeatedly. I do this to provide a rough simulation of heavy load on the 
print server.

For some of the accesses the following shows up in the winbindd logs:

[2005/04/06 09:57:41, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)
 winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust 
account password was changed and we didn't know it. Killing connections to 
domain DOMAIN

I looked at the code, and what seems to be happening is this:

winbindd tries a sam_logon and the DC returns NT_STATUS_ACCESS_DENIED (or 
samba thinks the DC returned NT_STATUS_ACCESS_DENIED) after which winbindd 
re-tries the sam logon. In most cases the retry succeeds, however, it 
occasionally fails. When this happens, the winbindd authentication fails and 
the user gets an NT_STATUS_ACCESS_DENIED to the print share.

What has me confused is this: Why should the DC return 
NT_STATUS_ACCESS_DENIED for a sam logon? The trust account password hasn't 
been changed and I can't think of any other reasons.

I had a cursory look at the rpc_api_pipe_req function in 
rpc_client/cli_pipe.c and figured out that the netsec (schannel) algorithm 
was being used for the encoding of the challenge/response. I don't know too 
much about the NTLM authentication protocol and so I'm still trying to 
figure out if it's a configuration problem with our DC or something else.

(Jerry - Sorry about the duplicate mail to you)

Thanks,
Sridhar
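
Added example (not part of the original message and not Samba's own code): a small parser for the winbindd log layout quoted above that counts the `sam_logon returned ACCESS_DENIED` entries per minute and domain, so the failure rate during the repeated smbclient runs can be measured. The sample log is constructed from the quoted entry; the later timestamps and the `example/other.c:other_func` entry are made up.

```python
import re
from collections import Counter

# Header layout taken from the log line quoted in the message above.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+):(\w+)\((\d+)\)\s*$")
DENIED = re.compile(r"sam_logon returned ACCESS_DENIED\b.*?Killing connections to domain (\S+)")

# Constructed sample: the first entry copies the quoted log text, the rest
# are made-up entries (including the hypothetical other.c:other_func).
SAMPLE_LOG = """\
[2005/04/06 09:57:41, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)
 winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust
account password was changed and we didn't know it. Killing connections to
domain DOMAIN
[2005/04/06 09:57:43, 3] example/other.c:other_func(1)
  constructed unrelated message
[2005/04/06 09:57:58, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)
 winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust
account password was changed and we didn't know it. Killing connections to
domain DOMAIN
[2005/04/06 09:59:02, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)
 winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust
account password was changed and we didn't know it. Killing connections to
domain DOMAIN
"""

def parse_entries(text):
    """Split a log into entries, re-joining message text wrapped over lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)),
                            "func": m.group(4), "msg": ""})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries

def denied_events(entries):
    """Return (timestamp, domain) for each sam_logon ACCESS_DENIED entry."""
    events = []
    for e in entries:
        m = DENIED.search(e["msg"])
        if e["func"] == "winbindd_pam_auth_crap" and m:
            events.append((e["time"], m.group(1)))
    return events

def per_minute(events):
    """Count events per (minute, domain) so bursts under load stand out."""
    return Counter((ts[:16], dom) for ts, dom in events)
```

Comparing these per-minute counts with the number of smbclient runs in the same interval gives the fraction of logons that hit the ACCESS_DENIED path.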