Kiran Patil
2014-Sep-30 15:40 UTC
[Samba] fillup_password_policy fails with NT_STATUS_ACCESS_DENIED, samba 3.4.3
Hi,
I'm getting the below error with "fillup_password_policy" while authenticating
users from the default domain.
[2014/09/30 03:15:26, 10] rpc_client/cli_pipe.c:1432(rpc_api_pipe_got_pdu)
rpc_api_pipe: host dev003.namdev.myserv.net returned 16 bytes.
[2014/09/30 03:15:26, 1] ../librpc/ndr/ndr.c:251(ndr_print_function_debug)
samr_QueryDomainInfo: struct samr_QueryDomainInfo
out: struct samr_QueryDomainInfo
info : *
info : NULL
result : NT_STATUS_ACCESS_DENIED
[2014/09/30 03:15:26, 10] winbindd/winbindd_cache.c:492(refresh_sequence_number)
refresh_sequence_number: NAMDEV time ok
[2014/09/30 03:15:26, 10] winbindd/winbindd_cache.c:537(refresh_sequence_number)
refresh_sequence_number: NAMDEV seq number is now 100149701
[2014/09/30 03:15:26, 10] winbindd/winbindd_pam.c:1713(winbindd_dual_pam_auth)
Failed to get password policies for domain NAMDEV: NT_STATUS_ACCESS_DENIED
[2014/09/30 03:15:26, 2] winbindd/winbindd_pam.c:1733(winbindd_dual_pam_auth)
Plain-text authentication for user namdev\user74 returned NT_STATUS_ACCESS_DENIED (PAM: 4)
Is there a way to work around this and not fetch password policies? If not, what
could be the corresponding setting on the AD side which can be tweaked to
resolve the access denied issue?
Appreciate any help in this regard. Let me know if you require more information.
Thanks,
-Kiran
Kiran Patil
2014-Oct-01 13:59 UTC
[Samba] fillup_password_policy fails with NT_STATUS_ACCESS_DENIED, samba 3.4.3
Anyone?
Also, if someone could point out a way to get further logging.
I got the above logs with the below settings added to the global section in smb.conf.
log file = /var/log/samba/%m.log
log level = 10
max log size = 0
Thanks,
-Kiran