Ashutosh Kamdar
2005-Apr-27  17:32 UTC
[Samba] winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED
Hello,

Specifications of the environment:
Samba 3.0.13 running on Solaris 8. This is configured as a domain member of an
NT4 style PDC. The smb.conf file is provided for details.

Problem definition:
When trying to access the Samba server from a Windows machine through network
neighborhood, the system challenges the user for their credentials. On providing
the username/password the system rejects the combination. The Samba logs suggest
that winbind authentication for the user has failed with the error message
NT_STATUS_ACCESS_DENIED. A more detailed log follows. The user has an entry in
/etc/passwd and the NT PDC.

Can someone help me understand what causes the winbind authentication to fail
and report NT_STATUS_ACCESS_DENIED?

Snippet of the error message in the log (log level = 10):
[2005/04/27 06:12:09, 6] param/loadparm.c:lp_file_list_changed(2707)
  lp_file_list_changed()
  file /usr/local/samba/lib/smb.conf -> /usr/local/samba/lib/smb.conf  last
mod_time: Wed Apr 27 06:06:29 2005
[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info_map(224)
  make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation
[ASHUTOSH]
[2005/04/27 06:12:09, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain DOMAINNAME found.
[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info(132)
  attempting to make a user_info for akamdar (akamdar)
[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info(142)
  making strings for akamdar's user_info struct
[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info(184)
  making blobs for akamdar's user_info struct
[2005/04/27 06:12:09, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user
[DOMAINNAME]\[akamdar]@[ASHUTOSH] with the new password interface
[2005/04/27 06:12:09, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [DOMAINNAME]\[akamdar]@[ASHUTOSH]
[2005/04/27 06:12:09, 5] lib/util.c:dump_data(1995)
  [000] D4 E0 B8 07 5D D1 4B FF                           ....].K.
[2005/04/27 06:12:09, 8] lib/util.c:is_myname(1815)
  is_myname("DOMAINNAME") returns 0
[2005/04/27 06:12:09, 6] auth/auth_sam.c:check_samstrict_security(376)
  check_samstrict_security: DOMAINNAME is not one of my local names
(ROLE_DOMAIN_MEMBER)
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/04/27 06:12:09, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 06:12:09, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [akamdar] FAILED with
error NT_STATUS_ACCESS_DENIED
[2005/04/27 06:12:09, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [akamdar] -> [akamdar] FAILED
with error NT_STATUS_ACCESS_DENIED
[2005/04/27 06:12:09, 5] auth/auth_util.c:free_user_info(1380)
  attempting to free (and zero) a user_info structure
[2005/04/27 06:12:09, 6] lib/util_sock.c:write_socket(449)
  write_socket(25,112)
[2005/04/27 06:12:09, 6] lib/util_sock.c:write_socket(452)
  write_socket(25,112) wrote 112
[2005/04/27 06:12:09, 3] smbd/process.c:timeout_processing(1334)
  timeout_processing: End of file from client (client has disconnected).
[2005/04/27 06:12:09, 5] lib/gencache.c:gencache_shutdown(88)
  Closing cache file
[2005/04/27 06:12:09, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 06:12:09, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2005/04/27 06:12:09, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/04/27 06:12:09, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2005/04/27 06:12:09, 5] smbd/oplock.c:receive_local_message(107)
  receive_local_message: doing select with timeout of 1 ms
[2005/04/27 06:12:09, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)
Snippet of the smb.conf file:
[global]
dns proxy = no
debug timestamp = yes
encrypt passwords = yes
idmap gid = 15000-20000
socket options = TCP_NODELAY
max log size = 1024
password server = PASSWORDSERVER
idmap uid = 15000-20000
security = domain
server string = Samba Server
workgroup = DOMAINNAME
log level = 10
log file = /usr/local/samba/var/log.%m
netbios name = appserver7
load printers = yes
os level = 33
default = share
winbind use default domain = no
Thanks for your time and attention,
Ash
Paul Gienger
2005-Apr-27  17:41 UTC
[Samba] winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED
>[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info_map(224)
> make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation [ASHUTOSH]
>
>Snippet of the smb.conf file:
>
>[global]
>workgroup = DOMAINNAME

Is DOMAINNAME really the name of your NT domain?

Have you joined this machine to the domain at all? The log that I left above seems to state that you haven't.

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Systems Architect                Fax: 701-281-1322
URL: www.ae-solutions.com        mailto: pgienger@ae-solutions.com
Ashutosh Kamdar
2005-Apr-27  17:56 UTC
[Samba] winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED
Hi,

DOMAINNAME is not the real name of the domain I am joining. I have sanitized the logs for obvious reasons. DOMAINNAME = the real name of the DOMAIN being joined by the server.

How do I check if the samba server has joined the domain or not? The net rpc join command suggested by the documentation was executed with the smbd, nmbd stopped and it worked just fine. No errors reported. Out of curiosity, what part of the log suggested that the server hasn't joined the domain?

Regards,
Ash

------Original Message-----
-From: Paul Gienger [mailto:pgienger@ae-solutions.com]
-Sent: Wednesday, April 27, 2005 05:40 PM
-To: 'Ashutosh Kamdar'
-Cc: samba@lists.samba.org
-Subject: Re: [Samba] winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED
-
->[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info_map(224)
-> make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation [ASHUTOSH]
->
->Snippet of the smb.conf file:
->
->[global]
->workgroup = DOMAINNAME
->
-Is DOMAINNAME really the name of your NT domain?
-
-Have you joined this machine to the domain at all? The log that I left
-above seems to state that you haven't.
-
---
-Paul Gienger Office: 701-281-1884
-Applied Engineering Inc.
-Systems Architect Fax: 701-281-1322
-URL: www.ae-solutions.com mailto: pgienger@ae-solutions.com
John H Terpstra
2005-Apr-27  18:46 UTC
[Samba] winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED
On Wednesday 27 April 2005 11:32, Ashutosh Kamdar wrote:
> Hello,
>
> Specifications of the environment:
> Samba 3.0.13 running on Solaris 8. This is configured as a domain member of
> an NT4 style PDC. The smb.conf file is provided for details.
>
> Problem definition:
> When trying to access the Samba server from a Windows machine through
> network neighborhood, the system challenges the user for their credentials.
> On providing the username/password the system rejects the combination. The
> Samba logs suggest that winbind authentication for the user has failed with
> the error message NT_STATUS_ACCESS_DENIED. A more detailed log follows. The
> user has an entry in /etc/passwd and the NT PDC.

Have you read our documentation? Did you check chapter 7 of the book "Samba-3 by Example"? You can download this from:

http://www.samba.org/samba/docs/Samba-Guide.pdf

The steps described should work on Solaris just as on Linux (the documented case).

Did you join the Samba server to the domain? The process for doing that is:

net rpc join -S PDC_name -UAdministrator%password

>
> Can someone help me understand what causes the winbind authentication to
> fail and report NT_STATUS_ACCESS_DENIED?
>
> Snippet of the error message in the log (log level = 10):
> [2005/04/27 06:12:09, 6] param/loadparm.c:lp_file_list_changed(2707)
> lp_file_list_changed()
> file /usr/local/samba/lib/smb.conf -> /usr/local/samba/lib/smb.conf last
> mod_time: Wed Apr 27 06:06:29 2005
>
> [2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info_map(224)
> make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation
> [ASHUTOSH] [2005/04/27 06:12:09, 5]
> libsmb/trustdom_cache.c:trustdom_cache_fetch(184) no entry for trusted
> domain DOMAINNAME found.

The above line would suggest that you did not join the Samba server to the domain.

- John T.
Ashutosh Kamdar
2005-Apr-27  18:59 UTC
[Samba] winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED
Thank you for pointing this out, Paul. I was assuming this to be some sort of cache for previous accesses to machines in the domain. But, I was wrong.

The Samba HOW-TO documentation does not say anything specific about configuring winbind while becoming a part of the NT domain. Are there any tools that the group is aware of to test whether the samba server is indeed a domain member?

Any help is appreciated.

Thanks,
Ash

------Original Message-----
-From: Paul Gienger [mailto:pgienger@ae-solutions.com]
-Sent: Wednesday, April 27, 2005 06:26 PM
-To: 'Ashutosh Kamdar'
-Cc: samba@lists.samba.org
-Subject: Re: [Samba] winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED
-
->DOMAINNAME is not the real name of the domain I am joining. I have sanitized the logs for obvious reasons.
->
-Maybe I'm crazily naive, but I'll never understand why things need to be
-sanitized that much... password hashes, sure; real world IP addresses,
-you bet; things that don't matter in the world outside of your network,
-who cares? Anyway, back to the issue at hand, since we've gotten this
-out of the way.
-
->How do I check if the samba server has joined the domain or not? The net rpc join command suggested by the documentation was executed with the smbd, nmbd stopped and it worked just fine. No errors reported. Out of curiosity, what part of the log suggested that the server hasn't joined the domain?
->
-Oh, I see I left the wrong line of the log... it was this one:
-
-[2005/04/27 06:12:09, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
- no entry for trusted domain DOMAINNAME found.
-
-Not being a winbind-runner here, I can't offer much beyond pointing at
-the documentation to be sure you've followed all of the steps there to
-be sure your setup is sane.
-
---
-Paul Gienger Office: 701-281-1884
-Applied Engineering Inc.
-Systems Architect Fax: 701-281-1322
-URL: www.ae-solutions.com mailto: pgienger@ae-solutions.com
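
The records the replies single out can be extracted from a level-10 log mechanically. The following is an added example, not part of any message in this thread: a Python parser for the record layout shown in the posted log (a header line followed by indented, hard-wrapped continuation lines) that reports per-method failures, final authentication failures and trusted-domain cache misses. The function names are this example's own, and `SAMPLE` is an excerpt copied from the log posted above.

```python
import re

# Record header in the posted log: "[date time, level] file:function(line)".
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)")
METHOD_FAIL = re.compile(r"(\w+) authentication for user \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")
FINAL_FAIL = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] FAILED with error (NT_STATUS_\w+)")
TRUST_MISS = re.compile(r"no entry for trusted domain (\S+) found")

# Excerpt of the log posted in this thread, keeping its hard-wrapped continuation lines.
SAMPLE = r"""[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info_map(224)
  make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation
[ASHUTOSH]
[2005/04/27 06:12:09, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain DOMAINNAME found.
[2005/04/27 06:12:09, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [akamdar] FAILED with
error NT_STATUS_ACCESS_DENIED
[2005/04/27 06:12:09, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [akamdar] -> [akamdar] FAILED
with error NT_STATUS_ACCESS_DENIED
"""

def parse_records(text):
    """Attach continuation lines to the preceding header and undo the hard wraps."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"when": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "func": m.group(4), "parts": []})
        elif records and line.strip():
            # Anything that is not a header (even a line starting with "[") continues the message.
            records[-1]["parts"].append(line.strip())
    for rec in records:
        rec["message"] = " ".join(rec.pop("parts"))
    return records

def summarize(text):
    """Collect per-method failures, final auth failures and trusted-domain cache misses."""
    out = {"method_failures": [], "auth_failures": [], "trust_misses": []}
    for rec in parse_records(text):
        msg = rec["message"]
        if (m := METHOD_FAIL.search(msg)):
            out["method_failures"].append((m.group(1), m.group(2), m.group(3)))
        if (m := FINAL_FAIL.search(msg)):
            out["auth_failures"].append((rec["when"], m.group(1), m.group(2), m.group(3)))
        if (m := TRUST_MISS.search(msg)) and m.group(1) not in out["trust_misses"]:
            out["trust_misses"].append(m.group(1))
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```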