[Samba] NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

Andrew Bartlett abartlet at samba.org
Mon Mar 7 03:04:06 MST 2011


On Thu, 2011-02-24 at 14:20 +0100, Frodogodo drogofodo wrote:
> Hello list,
> 
>     we're trying to use NTLMv2 authentication from Liferay Portal 6.0.5 as
> specified in
> http://www.liferay.com/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration.
> We've created a machine account for it that looks like that:
> 
> dn: uid=liferay$,ou=Maquinas,o=global,dc=map,dc=es
> sambaNTPassword: 76DBDF27BB32912AD61BC369DB8FEBD8
> sambaPwdLastSet: 1298373376
> sambaAcctFlags: [W]
> displayName: LIFERAY$
> sambaSID: S-1-5-21-3860457228-14833263-3247686105-1142
> uid: liferay$
> cn: liferay$
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: AltAccountMAP
> objectClass: sambaSamAccount
> .... [ No more interesting attributes ]
> 
> But whenever we try to authenticate it fails and we have the following log:
> 
>   Primary group is 0 and contains 0 supplementary groups
> [2011/02/24 13:52:31, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2011/02/24 13:52:31, 2] auth/auth_sam.c:sam_account_ok(235)
>   sam_account_ok: Wksta trust account liferay$ denied by server
> [2011/02/24 13:52:31, 5] auth/auth.c:check_ntlm_password(273)
>   check_ntlm_password: sam authentication for user [liferay$] FAILED with
> error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

> We're using Samba 3.0.26a with LDAP backend

I'm pretty sure this is the issue.  We now know that this particular
error code should only be returned in very particular circumstances,
rather than when any machine account attempts to authenticate to the
server with NTLM. 

If you use a current version of Samba (i.e. 3.5) this much will work.  If
you need Samba to be an AD domain controller, then you will need to use
Samba4. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
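
Added example (not part of the original message and not Samba project code): a small parser for the smbd log format quoted above that lists which accounts were refused NTLM logon with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT, useful for finding affected machine accounts on an old server. The function names are hypothetical, and the sample log is constructed from the quoted excerpt plus one invented wrong-password line.

```python
import re

# Constructed sample, modelled on the log excerpt quoted in the message above.
# The final record (user "alice") is invented to show a non-matching failure.
SAMPLE_LOG = """\
[2011/02/24 13:52:31, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/24 13:52:31, 2] auth/auth_sam.c:sam_account_ok(235)
  sam_account_ok: Wksta trust account liferay$ denied by server
[2011/02/24 13:52:31, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: sam authentication for user [liferay$] FAILED with
error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
[2011/02/24 13:53:02, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: sam authentication for user [alice] FAILED with
error NT_STATUS_WRONG_PASSWORD
"""

# Header line: "[timestamp, debuglevel] source_file:function(line)"
HEADER = re.compile(
    r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)"
)
FAILED = re.compile(
    r"for user \[(?P<user>[^\]]+)\] FAILED with error (?P<status>NT_STATUS_\w+)"
)
TARGET = "NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT"

def parse_records(text):
    """Group each header line with its continuation lines into one record."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            records.append({**m.groupdict(), "msg": ""})
        elif records and raw.strip():
            # Continuation line (wrapped by smbd or by a mail client): rejoin.
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def trust_account_denials(text):
    """Return (timestamp, account) for logons refused as workstation trust accounts."""
    hits = []
    for rec in parse_records(text):
        if rec["func"] != "check_ntlm_password":
            continue
        m = FAILED.search(rec["msg"])
        if m and m.group("status") == TARGET:
            hits.append((rec["ts"], m.group("user")))
    return hits
```

Lines that appear before the first header, such as the "Primary group is 0" fragment at the top of the quoted log, are skipped because they belong to a record whose header was cut off.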


