[Samba] NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

Frodogodo drogofodo frodogodo at gmail.com
Thu Feb 24 06:20:49 MST 2011


Hello list,

    we're trying to use NTLMv2 authentication from Liferay Portal 6.0.5 as
specified in
http://www.liferay.com/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration.
We've created a machine account for it that looks like this:

dn: uid=liferay$,ou=Maquinas,o=global,dc=map,dc=es
sambaNTPassword: 76DBDF27BB32912AD61BC369DB8FEBD8
sambaPwdLastSet: 1298373376
sambaAcctFlags: [W]
displayName: LIFERAY$
sambaSID: S-1-5-21-3860457228-14833263-3247686105-1142
uid: liferay$
cn: liferay$
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: AltAccountMAP
objectClass: sambaSamAccount
.... [ No more interesting attributes ]

But whenever we try to authenticate it fails and we have the following log:

  Primary group is 0 and contains 0 supplementary groups
[2011/02/24 13:52:31, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/24 13:52:31, 2] auth/auth_sam.c:sam_account_ok(235)
  sam_account_ok: Wksta trust account liferay$ denied by server
[2011/02/24 13:52:31, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: sam authentication for user [liferay$] FAILED with
error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
[2011/02/24 13:52:31, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [CLUSTER_WG]
was for this SAM.
[2011/02/24 13:52:31, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [liferay$] -> [liferay$]
FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
[2011/02/24 13:52:31, 5] auth/auth_util.c:free_user_info(2045)
  attempting to free (and zero) a user_info structure
[2011/02/24 13:52:31, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(1489) cmd=115 (SMBsesssetupX)
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
[2011/02/24 13:52:31, 5] lib/util.c:show_msg(484)
[2011/02/24 13:52:31, 5] lib/util.c:show_msg(494)

Any idea why we are getting NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT?
What exactly does it mean? Any clue about how to fix it?

The product documentation says this account should be a Service
Account, but in the Samba
HOWTO I don't find anything relevant. Is it provided through the workstation
account?

We're using Samba 3.0.26a with an LDAP backend.

