Sridhar Venkatakrishnan
2005-Apr-04 10:51 UTC
[Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication
Hi,

We're running a print server having the following specifications:

Samba 3.0.11
Suse 9.1
Kernel 2.6.5-7.108 kernel

A few days back none of the users were able to log onto the print server. The debug 10 logs show the following lines:

[2005/03/29 11:21:05, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [**user-name**] FAILED with error NT_STATUS_ACCESS_DENIED

Does anyone have any ideas about why winbindd would throw up an ACCESS_DENIED?

Thanks
Sridhar
Gerald (Jerry) Carter
2005-Apr-04 15:28 UTC
[Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication
Sridhar Venkatakrishnan wrote:
| Hi,
|
| We're running a print server having the following specifications:
|
| Samba 3.0.11
| Suse 9.1
| Kernel 2.6.5-7.108 kernel
|
| A few days back none of the users were able to log onto the print
| server. The debug 10 logs show the following lines:
|
| [2005/03/29 11:21:05, 5] auth/auth.c:check_ntlm_password(271)
| check_ntlm_password: winbind authentication for user [**user-name**]
| FAILED with error NT_STATUS_ACCESS_DENIED
|
| Does anyone have any ideas about why winbindd would throw up
| an ACCESS_DENIED?

Is your DC a Windows 2003 SP1 box? Are you using 'security = domain'? If so this is a known issue we are still investigating.

cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm) ------- http://www.samba.org
GnuPG Key ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back." Ethan Hawk in Gattaca
Sridhar Venkatakrishnan
2005-Apr-06 05:04 UTC
[Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication
Hi,

> Why do you think this is the source of your problem? That aspect
> of your post is unclear to me.

What is currently happening is this: I try to access a print share multiple times, by running

smbclient //PRINTSERVER/sharename -UDOMAIN\\username%password -c "ls"

repeatedly. I do this to provide a rough simulation of heavy load on the print server. For some of the accesses the following shows up in the winbindd logs:

[2005/04/06 09:57:41, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)
  winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED. Maybe the trust account password was changed and we didn't know it. Killing connections to domain DOMAIN

I looked at the code, and what seems to be happening is this: winbindd tries a sam_logon and the DC returns NT_STATUS_ACCESS_DENIED (or samba thinks the DC returned NT_STATUS_ACCESS_DENIED), after which winbindd re-tries the sam logon. In most cases the retry succeeds; however, it occasionally fails. When this happens, the winbindd authentication fails and the user gets an NT_STATUS_ACCESS_DENIED to the print share.

What has me confused is this: Why should the DC return NT_STATUS_ACCESS_DENIED for a sam logon? The trust account password hasn't been changed and I can't think of any other reasons.

I had a cursory look at the rpc_api_pipe_req function in rpc_client/cli_pipe.c and figured out that the netsec (schannel) algorithm was being used for the encoding of the challenge/response. I don't know too much about the NTLM authentication protocol and so I'm still trying to figure out if it's a configuration problem with our DC or something else.

(Jerry - Sorry about the duplicate mail to you)

Thanks,
Sridhar
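The behaviour described in the message above (a sam_logon ACCESS_DENIED in the winbindd log that the retry usually absorbs, but that occasionally surfaces as a user-facing failure in the smbd log) can be measured by correlating the two logs. This is an added example, not part of the original thread or of Samba's code; the sample log text, the user names and the 5-second correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Samba 3.x record: "[date time, level] file:function(line)", then indented text.
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\] \S+?:(\w+)\(\d+\)")
FAILED = re.compile(r"winbind authentication for user \[(.*?)\] FAILED with error (\w+)")
# Constructed sample logs (user names and timestamps are made up).
WINBINDD_SAMPLE = """\
[2005/04/06 09:57:41, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)
  winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED.
  Killing connections to domain DOMAIN
[2005/04/06 09:58:02, 3] nsswitch/winbindd_pam.c:winbindd_pam_auth_crap(556)
  winbindd_pam_auth_crap: sam_logon returned ACCESS_DENIED.
  Killing connections to domain DOMAIN
"""
SMBD_SAMPLE = """\
[2005/04/06 09:58:03, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [jdoe] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/06 10:05:00, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [asmith] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

def parse_records(text):
    """Return (timestamp, function, message) for each multi-line log record."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            records.append([ts, m.group(2), ""])
        elif records and line.strip():
            records[-1][2] = (records[-1][2] + " " + line.strip()).strip()
    return [tuple(r) for r in records]

def correlate(winbindd_log, smbd_log, window_s=5):
    """Match user-visible ACCESS_DENIED failures to a sam_logon reset just before."""
    window = timedelta(seconds=window_s)
    resets = [ts for ts, fn, msg in parse_records(winbindd_log)
              if fn == "winbindd_pam_auth_crap" and "sam_logon returned ACCESS_DENIED" in msg]
    hit, failures = set(), []
    for ts, fn, msg in parse_records(smbd_log):
        m = FAILED.search(msg)
        if fn == "check_ntlm_password" and m:
            denied = m.group(2) == "NT_STATUS_ACCESS_DENIED"
            near = [i for i, r in enumerate(resets) if denied and timedelta(0) <= ts - r <= window]
            hit.update(near)
            failures.append((m.group(1), m.group(2), bool(near)))
    # Resets with no denied logon right after them were absorbed by winbindd's retry.
    return {"resets": len(resets), "absorbed": len(resets) - len(hit), "failures": failures}
```

Comparing the `resets` and `absorbed` counts from runs before and after a configuration change shows whether the change actually removed the DC-side ACCESS_DENIED responses or only the user-visible failures.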
David Girard
2005-Apr-06 16:10 UTC
[Samba] NT_STATUS_ACCESS_DENIED with winbindd authentication
Jerry, Sridhar:

Is there any chance that this problem could be related to the one that I am having with multiple connections failing? The difference that I see with this problem and my problem is that mine occurs no matter what type of authentication I'm using...even local... Could this be a problem higher up in the process?

_David
Sridhar Venkatakrishnan
2005-Apr-08 11:56 UTC
[Samba] Re: NT_STATUS_ACCESS_DENIED with winbindd authentication - Probable fix
Hi,

I was able to stop the nasty ACCESS_DENIED errors in the winbindd logs by setting

client schannel = no

in the smb.conf file. Is it possible that this is related to the Windows 2003 sp1 problem? (even though our DC is NT4 SP6)

Sridhar