Confusing message when pass-through auth fails with ACCESS_DENIED

Andrew Bartlett abartlet at samba.org
Fri Oct 9 22:17:51 UTC 2015


On Sat, 2015-10-10 at 00:55 +0300, Uri Simchoni wrote:
> 
> On 10/09/2015 06:43 PM, Richard Sharpe wrote:
> > Hi folks,
> > 
> > I think that something like this error message is much better:
> > 
> > --- a/source3/winbindd/winbindd_pam.c
> > +++ b/source3/winbindd/winbindd_pam.c
> > @@ -1429,7 +1429,8 @@ static NTSTATUS
> > winbind_samlogon_retry_loop(struct winbindd_domain *domain,
> > 
> >                  if ( NT_STATUS_EQUAL(result,
> > NT_STATUS_ACCESS_DENIED) ) {
> >                          DEBUG(3,("winbind_samlogon_retry_loop:
> > sam_logon returned "
> > -                                "ACCESS_DENIED.  Maybe the trust
> > account "
> > +                                "ACCESS_DENIED.  Maybe the DC does
> > not allow"
> > +                                " passthrough auth or the trust
> > account "
> >                                  "password was changed and we
> > didn't know it. "
> >                                   "Killing connections to domain
> > %s\n",
> >                                  domainname));
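Review bot: the hunk only rewords the message and leaves it at DEBUG(3), even though the condition is rare and has a visible consequence (the code right below kills the connections to the domain); if the point of the reword is to make the cause discoverable by an admin, it should also move to DBG_WARNING (or level 1) so it shows up in the default log rather than only at debug 3. The hunk header `@@ -1429,7 +1429,8 @@` also announces 7 old / 8 new lines, but only 6 / 7 are quoted here, so a trailing context line appears to have been lost in the mail quoting; the patch as pasted will not apply cleanly.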
> > 
> > Any comments?
> > 
> I think it's rare enough and significant enough (it causes a reconnect) to warrant decreasing the debug level (or use DBG_WARNING?).
> 
> Perhaps the message should include the words "restrict NTLM" ("maybe NTLM passthrough auth is restricted") because I believe that's what Microsoft calls it and it would make it easier for someone to google the workaround.

I'm not aware of it being able to be disabled in this way (and at this
level), but otherwise, I agree.

Now that metze's work on schannel is in master (and has been since
4.2), this can be moved to a debug 1 or so.  In the past, this could
fire in many more legitimate situations, particularly in a cluster.  We
now understand what the rules are around NETLOGON, and that the
ServerAuthenticate calls change the global (cryptographic) state
between the given netbios names, not just this socket. 

We also avoid calls that use the netlogon credential chaining (the most
common cause of issues here). 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
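The cluster failure mode Andrew describes (the NETLOGON credential chain is state held per pair of NetBIOS names on the DC, so a second node's ServerAuthenticate with the same machine account silently invalidates the first node's chain and its next SamLogon gets ACCESS_DENIED although no password changed) is easier to see in a small simulation. The following is an added example, not Samba code and not the thread's patch: the session-key and credential computations are HMAC-SHA256 stand-ins for the real MS-NRPC ComputeSessionKey / ComputeNetlogonCredential functions, the machine password, challenges, timestamps and host names are constructed, and the `DomainController` / `MemberClient` classes are hypothetical.

```python
"""Simulation of NETLOGON secure-channel credential chaining and of why a
second ServerAuthenticate for the same computer account (e.g. another cluster
node) makes the first node's next authenticated call fail with ACCESS_DENIED.

Illustrative only: HMAC-SHA256 stands in for the real MS-NRPC session-key
derivation and AES/DES NetlogonCredential computation (assumption), and all
passwords, challenges and names are constructed for the example.
"""
import hashlib
import hmac
import os

OK = "NT_STATUS_OK"
ACCESS_DENIED = "NT_STATUS_ACCESS_DENIED"


def compute_session_key(machine_password: bytes, client_chal: bytes, server_chal: bytes) -> bytes:
    # Stand-in for ComputeSessionKey: key bound to the machine password and both challenges.
    return hmac.new(machine_password, client_chal + server_chal, hashlib.sha256).digest()


def compute_credential(session_key: bytes, data: bytes) -> bytes:
    # Stand-in for ComputeNetlogonCredential (real one: AES-CFB8 or DES keyed by the session key).
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


def next_credential(session_key: bytes, prev_cred: bytes, timestamp: int) -> bytes:
    # Credential chaining: each authenticated call derives the next credential from the
    # previous one plus the authenticator timestamp, so both sides must stay in lock-step.
    return compute_credential(session_key, prev_cred + timestamp.to_bytes(4, "little"))


class DomainController:
    """DC side. Chain state is keyed by (client NetBIOS name, DC NetBIOS name), not by socket."""

    def __init__(self, name: str, machine_passwords: dict):
        self.name = name
        self.machine_passwords = machine_passwords  # computer account -> password
        self.chains = {}                            # (client, dc) -> (session_key, current_cred)

    def server_req_challenge(self) -> bytes:
        return os.urandom(8)

    def server_authenticate(self, client_name, client_chal, server_chal, client_cred):
        pw = self.machine_passwords.get(client_name)
        if pw is None:
            return ACCESS_DENIED, None
        sk = compute_session_key(pw, client_chal, server_chal)
        if not hmac.compare_digest(compute_credential(sk, client_chal), client_cred):
            return ACCESS_DENIED, None
        # Global state: this replaces any chain the same account had from another host/socket.
        self.chains[(client_name, self.name)] = (sk, compute_credential(sk, client_chal))
        return OK, compute_credential(sk, server_chal)

    def authenticated_call(self, client_name, timestamp, client_cred):
        state = self.chains.get((client_name, self.name))
        if state is None:
            return ACCESS_DENIED
        sk, cred = state
        expected = next_credential(sk, cred, timestamp)
        if not hmac.compare_digest(expected, client_cred):
            return ACCESS_DENIED          # chain out of step: what winbindd sees as ACCESS_DENIED
        self.chains[(client_name, self.name)] = (sk, expected)
        return OK


class MemberClient:
    """One winbindd instance (one cluster node) holding its own copy of the chain."""

    def __init__(self, account: str, password: bytes, dc: DomainController):
        self.account, self.password, self.dc = account, password, dc
        self.session_key = self.cred = None

    def establish(self) -> str:
        client_chal, server_chal = os.urandom(8), self.dc.server_req_challenge()
        sk = compute_session_key(self.password, client_chal, server_chal)
        status, server_cred = self.dc.server_authenticate(
            self.account, client_chal, server_chal, compute_credential(sk, client_chal))
        if status != OK or not hmac.compare_digest(server_cred, compute_credential(sk, server_chal)):
            return ACCESS_DENIED
        self.session_key, self.cred = sk, compute_credential(sk, client_chal)
        return OK

    def sam_logon(self, timestamp: int) -> str:
        cred = next_credential(self.session_key, self.cred, timestamp)
        status = self.dc.authenticated_call(self.account, timestamp, cred)
        if status == OK:
            self.cred = cred              # only advance on success, as the DC does
        return status


def cluster_scenario():
    """Two nodes sharing one machine account (constructed names/password) against one DC."""
    pw = b"constructed-machine-password"
    dc = DomainController("DC1", {"CLUSTER$": pw})
    node_a, node_b = MemberClient("CLUSTER$", pw, dc), MemberClient("CLUSTER$", pw, dc)
    return [
        ("A establish", node_a.establish()),
        ("A samlogon", node_a.sam_logon(1000)),
        ("B establish", node_b.establish()),   # same account from another node
        ("A samlogon", node_a.sam_logon(1001)),  # DC replaced A's chain: ACCESS_DENIED, no password change
        ("A re-establish", node_a.establish()),
        ("A samlogon", node_a.sam_logon(1002)),
        ("B samlogon", node_b.sam_logon(1003)),  # now B holds the stale chain
    ]
```

Running `cluster_scenario()` shows the pattern the old log message blamed on a changed trust account password: every ACCESS_DENIED here comes from the other node's ServerAuthenticate, which is why Samba's answer was to stop depending on chained calls rather than to guess at the cause in the log text.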
