Intermittent failure to authenticate using NTLM with NT_STATUS_ACCESS_DENIED

Stefan Metzmacher metze at samba.org
Fri Oct 9 04:22:16 UTC 2015


On 09.10.2015 at 01:19, Jeremy Allison wrote:
> On Thu, Oct 08, 2015 at 04:11:19PM -0700, Richard Sharpe wrote:
>> Hi folks,
>>
>> We are intermittently seeing NTLM auth failing with
>> NT_STATUS_ACCESS_DENIED and we see this message in winbindd.log:
>>
>> [2015/10/08 15:34:33.393987,  3, pid=3549, effective(0, 0), real(0,
>> 0), class=winbind]
>> ../source3/winbindd/winbindd_pam.c:1426(winbind_samlogon_retry_loop)
>>   winbind_samlogon_retry_loop: sam_logon returned ACCESS_DENIED.
>> Maybe the trust account password was changed and we didn't know it.
>> Killing connections to domain SOMEDOM
>>
>> Now, the real reason seems to be that one of the DCs in that domain
>> disallows NTLM authentication and whenever winbindd finds that DC we
>> get this problem.
>>
>> Is there some way to tell Winbindd not to use that DC?
>>
>> Also, I notice that in some instances in winbind_samlogon_retry_loop
>> we move to another DC but not in this case. We simply retry with the
>> same DC.
>>
>> I suspect that we should move to another DC in this case as well.
>>
>> Any comments?
> 
> Yep - getting ACCESS_DENIED should certainly trigger adding
> the DC to the negative connection cache.

But not on the first failure!

BTW: which Samba version are you using?

metze
