[Samba] Problems with ntlm_auth and machines accounts

Alejandro Escanero Blanco alejandro.escanero.ext at juntadeandalucia.es
Mon Sep 5 02:23:12 MDT 2011


I upgraded a Samba 3.2.14 RADIUS server for 802.1x to Samba 3.6.0.
I discovered that ntlm_auth fails for machine accounts with the error: No 
logon workstation trust account

Putting winbind in debug mode with winbindd -F -i -d 10 gives:

accepted socket 24
process_request: request fn INTERFACE_VERSION
[20000]: request interface version
winbind_client_response_written[20000:INTERFACE_VERSION]: delivered 
response to client
process_request: request fn WINBINDD_PRIV_PIPE_DIR
[20000]: request location of privileged pipe
winbind_client_response_written[20000:WINBINDD_PRIV_PIPE_DIR]: delivered 
response to client
accepted socket 27
closing socket 24, client exited
process_request: Handling async request 20000:PAM_AUTH_CRAP
[20000]: pam auth crap domain: [DOMAIN] user: machine$
child daemon request 14
child_process_request: request fn AUTH_CRAP
[19561]: pam auth crap domain: DOMAIN user: machine$
attempting to make a user_info for machine$ (machine$)
making strings for machine$'s user_info struct
making blobs for machine$'s user_info struct
made a user_info for machine$ (machine$)
smbldap_search_ext: base => [o=midomain,c=es], filter => 
[(&(uid=machine$)(objectclass=sambaSamAccount))], scope => [2]
init_sam_from_ldap: Entry found for user: machine$
pdb_set_username: setting username machine$, was
pdb_set_domain: setting domain DOMAIN, was
pdb_set_nt_username: setting nt username machine$, was
pdb_set_user_sid_from_string: setting user sid S-1-5-21-x-y-z-403267
pdb_set_user_sid: setting user sid S-1-5-21-x-y-z-403267
attribute sambaPwdLastSet does not exist
attribute sambaLogonTime does not exist
attribute sambaLogoffTime does not exist
attribute sambaKickoffTime does not exist
attribute sambaPwdCanChange does not exist
attribute sambaPwdMustChange does not exist
pdb_set_full_name: setting full name machine$, was
attribute sambaHomeDrive does not exist
pdb_set_dir_drive: setting dir drive , was NULL
attribute sambaHomePath does not exist
pdb_set_homedir: setting home dir , was
attribute sambaLogonScript does not exist
pdb_set_logon_script: setting logon script , was
attribute sambaProfilePath does not exist
pdb_set_profile_path: setting profile path , was
attribute sambaUserWorkstations does not exist
attribute sambaMungedDial does not exist
attribute sambaLMPassword does not exist
attribute sambaBadPasswordCount does not exist
attribute sambaBadPasswordTime does not exist
attribute sambaLogonHours does not exist
Adding cache entry with key = IDMAP/SID2UID/S-1-5-21-x-y-z-403267 and 
timeout = Mon Sep 12 10:11:25 2011
  (604800 seconds ahead)
Adding cache entry with key = IDMAP/UID2SID/5059 and timeout = Mon Sep 
12 10:11:25 2011
  (604800 seconds ahead)
gid 515 -> sid S-1-5-21-x-y-z-515
gid 515 -> sid S-1-5-21-x-y-z-515
do lookup_sid(S-1-5-21-x-y-z-515) for group of user machine$
lookup_sid called for SID 'S-1-5-21-x-y-z-515'
Accepting SID S-1-5-21-x-y-z in level 1
lookup_rids called for domain sid 'S-1-5-21-x-y-z'
smbldap_search_ext: base => [o=users,o=midomain,c=es], filter => 
[(&(objectClass=sambaSamAccount)(|(sambaSid=S-1-5-21-x-y-z-515)))], 
scope => [2]
smbldap_search_ext: base => [o=midomain,c=es], filter => 
[(&(objectClass=sambaGroupMapping)(|(sambaSid=S-1-5-21-x-y-z-515)))], 
scope => [2]
Sid S-1-5-21-x-y-z-515 -> DOMAIN\Domain Computers(2)
Adding cache entry with key = IDMAP/SID2GID/S-1-5-21-x-y-z-515 and 
timeout = Mon Sep 12 10:11:25 2011
  (604800 seconds ahead)
Adding cache entry with key = IDMAP/GID2SID/515 and timeout = Mon Sep 12 
10:11:25 2011
  (604800 seconds ahead)
Looking up login cache for user machine$
No cache entry found
No cache entry, bad count = 0, bad time = 0
pdb_set_username: setting username machine$, was
pdb_set_domain: setting domain DOMAIN, was
pdb_set_nt_username: setting nt username machine$, was
pdb_set_full_name: setting full name machine$, was
pdb_set_homedir: setting home dir , was
pdb_set_dir_drive: setting dir drive , was NULL
pdb_set_logon_script: setting logon script , was
pdb_set_profile_path: setting profile path , was
pdb_set_workstations: setting workstations , was
pdb_set_user_sid: setting user sid S-1-5-21-x-y-z-403267
pdb_set_user_sid_from_rid:
         setting user sid S-1-5-21-x-y-z-403267 from rid 403267
sid S-1-5-21-x-y-z-515 -> gid 515
pdb_set_group_sid: setting group sid S-1-5-21-x-y-z-515
ntlm_password_check: Checking NT MD4 password
sam_account_ok: Checking SMB password for user machine$
logon_hours_ok: user machine$ allowed to logon at this time (Mon Sep  5 
08:11:25 2011
)
sam_account_ok: Wksta trust account machine$ denied by server
check_sam_security failed: NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
Authenticaticating user DOMAIN\machine$ returned 
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
NTLM CRAP authentication for user [DOMAIN]\[machine$] returned 
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (PAM: 9)
Finished processing child request 14
Writing 3496 bytes to parent
wb_request_done[20000:PAM_AUTH_CRAP]: 
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
winbind_client_response_written[20000:PAM_AUTH_CRAP]: delivered response 
to client
closing socket 27, client exited
closing socket 25, client exited


I think the problem is in auth/auth_checksamsec.c line 282:
--> if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {

logon_parameters has value 0 and MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 
has value 8.

The LDAP object has not changed, it is marked as a workstation and the 
hash is valid.

Does anybody know where the problem is?

Thanks.

-- 
-------------------------
Alejandro Escanero Blanco
Servicio de Informática Sistemas - GISI
Tel:  671 569 262 (769262)
Edificio Empresarial Aljarafe, mod. 36
41940 Tomares (Sevilla)
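As an added illustration, not code from the post or from Samba, here is the account-type gate the trace runs into, modelled in C as a simplified version of the sam_account_ok() check in auth_checksamsec.c. The ACB_* account-control bits, the MSV1_0_* logon_parameters bits and the NTSTATUS values are reproduced from Samba's IDL and ntstatus.h from memory (an assumption; the post quotes the workstation-trust flag as 8, but the outcome only depends on whether the bit is set), and the model also covers the neighbouring server-trust and interdomain-trust cases that the post does not exercise.

```c
#include <stdint.h>
#include <stdio.h>

/* Account-control bits (samr.idl); assumed values, not quoted on the page. */
#define ACB_DISABLED 0x0001u
#define ACB_NORMAL   0x0010u
#define ACB_DOMTRUST 0x0040u
#define ACB_WSTRUST  0x0080u   /* machine$ accounts */
#define ACB_SVRTRUST 0x0100u

/* Netlogon logon_parameters bits (netlogon.idl); assumed values. */
#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT      0x0020u
#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x0800u

/* NTSTATUS codes; the workstation one is the status seen in the trace. */
#define NT_STATUS_OK                                0x00000000u
#define NT_STATUS_ACCOUNT_DISABLED                  0xC0000072u
#define NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT 0xC0000198u
#define NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT 0xC0000199u
#define NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT      0xC000019Au

/* Simplified model of sam_account_ok(): the NT hash has already been
 * verified (ntlm_password_check succeeded in the trace); this is only the
 * per-account-type gate that decides whether the caller may use it. */
uint32_t account_type_gate(uint32_t acct_ctrl, uint32_t logon_parameters)
{
    if (acct_ctrl & ACB_DISABLED)
        return NT_STATUS_ACCOUNT_DISABLED;
    /* Interdomain trust accounts are never valid for this kind of logon. */
    if (acct_ctrl & ACB_DOMTRUST)
        return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
    /* Server (BDC) trust accounts: the caller must opt in explicitly. */
    if ((acct_ctrl & ACB_SVRTRUST) &&
        !(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT))
        return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
    /* Workstation trust accounts: the check quoted from auth_checksamsec.c.
     * With logon_parameters == 0, as in the post, this branch is taken. */
    if ((acct_ctrl & ACB_WSTRUST) &&
        !(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT))
        return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
    return NT_STATUS_OK;
}

int main(void)
{
    /* The post's case: machine$ is ACB_WSTRUST and the client sent 0. */
    printf("machine$, parameters 0 -> 0x%08X\n", account_type_gate(ACB_WSTRUST, 0));
    /* The same account once the client sets the workstation-trust bit. */
    printf("machine$, opt-in       -> 0x%08X\n",
           account_type_gate(ACB_WSTRUST, MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT));
    return 0;
}
```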


