[Samba] winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED

Ashutosh Kamdar akamdar at gnsi.com
Wed Apr 27 17:32:03 GMT 2005


Hello,

Specifications of the environment:
Samba 3.0.13 running on Solaris 8. This is configured as a domain member of an NT4-style PDC. The smb.conf file is provided for details.

Problem definition:
When trying to access the Samba server from a Windows machine through Network Neighborhood, the system challenges the user for their credentials. On providing the username/password, the system rejects the combination. The Samba logs suggest that winbind authentication for the user has failed with the error message NT_STATUS_ACCESS_DENIED. A more detailed log follows. The user has an entry in /etc/passwd and on the NT PDC.

Can someone help me understand what causes the winbind authentication to fail and report NT_STATUS_ACCESS_DENIED?

Snippet of the error message in the log (log level = 10):
[2005/04/27 06:12:09, 6] param/loadparm.c:lp_file_list_changed(2707)
  lp_file_list_changed()
  file /usr/local/samba/lib/smb.conf -> /usr/local/samba/lib/smb.conf  last mod_time: Wed Apr 27 06:06:29 2005

[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info_map(224)
  make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation [ASHUTOSH]
[2005/04/27 06:12:09, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain DOMAINNAME found.
[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info(132)
  attempting to make a user_info for akamdar (akamdar)
[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info(142)
  making strings for akamdar's user_info struct
[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info(184)
  making blobs for akamdar's user_info struct
[2005/04/27 06:12:09, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [DOMAINNAME]\[akamdar]@[ASHUTOSH] with the new password interface
[2005/04/27 06:12:09, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [DOMAINNAME]\[akamdar]@[ASHUTOSH]
[2005/04/27 06:12:09, 5] lib/util.c:dump_data(1995)
  [000] D4 E0 B8 07 5D D1 4B FF                           ....].K.
[2005/04/27 06:12:09, 8] lib/util.c:is_myname(1815)
  is_myname("DOMAINNAME") returns 0
[2005/04/27 06:12:09, 6] auth/auth_sam.c:check_samstrict_security(376)
  check_samstrict_security: DOMAINNAME is not one of my local names (ROLE_DOMAIN_MEMBER)
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/04/27 06:12:09, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 06:12:09, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/27 06:12:09, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [akamdar] -> [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/27 06:12:09, 5] auth/auth_util.c:free_user_info(1380)
  attempting to free (and zero) a user_info structure
[2005/04/27 06:12:09, 6] lib/util_sock.c:write_socket(449)
  write_socket(25,112)
[2005/04/27 06:12:09, 6] lib/util_sock.c:write_socket(452)
  write_socket(25,112) wrote 112
[2005/04/27 06:12:09, 3] smbd/process.c:timeout_processing(1334)
  timeout_processing: End of file from client (client has disconnected).
[2005/04/27 06:12:09, 5] lib/gencache.c:gencache_shutdown(88)
  Closing cache file
[2005/04/27 06:12:09, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 06:12:09, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2005/04/27 06:12:09, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/04/27 06:12:09, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2005/04/27 06:12:09, 5] smbd/oplock.c:receive_local_message(107)
  receive_local_message: doing select with timeout of 1 ms
[2005/04/27 06:12:09, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)


Snippet of the smb.conf file:

[global]
dns proxy = no
debug timestamp = yes
encrypt passwords = yes
idmap gid = 15000-20000
socket options = TCP_NODELAY
max log size = 1024
password server = PASSWORDSERVER
idmap uid = 15000-20000
security = domain
server string = Samba Server
workgroup = DOMAINNAME
log level = 10
log file = /usr/local/samba/var/log.%m
netbios name = appserver7
load printers = yes
os level = 33
default = share
winbind use default domain = no

Thanks for your time and attention,

Ash
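Added example, not part of the original post: a small parser for the two-part debug records shown in the log above (a bracketed header line followed by indented message lines) that pulls out the check_ntlm_password failures with user, backend and status. The sample input is a constructed excerpt in the same layout, and the "overall" label for the final verdict line is a name chosen here.

```python
import re

# Header of a Samba debug record: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\] ([\w/.]+):(\w+)\((\d+)\)$")
# Failure messages from check_ntlm_password, in the wording of the posted log
FAILURE = re.compile(
    r"check_ntlm_password:\s+(?:(\w+) authentication|Authentication) for user "
    r"\[([^\]]+)\].*FAILED with error (NT_STATUS_\w+)")

# Constructed excerpt that mirrors the record layout of the log in the post
SAMPLE_LOG = """\
[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info_map(224)
  make_user_info_map: Mapping user [DOMAINNAME]\\[akamdar] from workstation [ASHUTOSH]
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 06:12:09, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/27 06:12:09, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [akamdar] -> [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
"""

def parse_records(text):
    """Attach each indented message line to the header line above it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line.rstrip())
        if m:
            ts, level, src, func, lineno = m.groups()
            records.append({"time": ts, "level": int(level), "source": src,
                            "function": func, "line": int(lineno), "message": []})
        elif records and line.startswith("  "):
            records[-1]["message"].append(line.strip())
    return records

def auth_failures(records):
    """Return one entry per failed check, naming the auth backend if logged."""
    failures = []
    for rec in records:
        m = FAILURE.search(" ".join(rec["message"]))
        if m:
            failures.append({"time": rec["time"], "level": rec["level"],
                             "backend": m.group(1) or "overall",
                             "user": m.group(2), "status": m.group(3)})
    return failures

if __name__ == "__main__":
    for f in auth_failures(parse_records(SAMPLE_LOG)):
        print(f)
```

The level-2 record is the one that still appears at low log levels; the level-5 record is what names the backend (here winbind) that returned the status.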




