Frodogodo drogofodo
2011-Feb-24 13:20 UTC
[Samba] NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
Hello list,

we're trying to use NTLMv2 authentication from Liferay Portal 6.0.5 as specified in http://www.liferay.com/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration. We've created a machine account for it that looks like that:

dn: uid=liferay$,ou=Maquinas,o=global,dc=map,dc=es
sambaNTPassword: 76DBDF27BB32912AD61BC369DB8FEBD8
sambaPwdLastSet: 1298373376
sambaAcctFlags: [W]
displayName: LIFERAY$
sambaSID: S-1-5-21-3860457228-14833263-3247686105-1142
uid: liferay$
cn: liferay$
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: AltAccountMAP
objectClass: sambaSamAccount
.... [ No more interesting attributes ]

But whenever we try to authenticate it fails and we have the following log:

  Primary group is 0 and contains 0 supplementary groups
[2011/02/24 13:52:31, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2011/02/24 13:52:31, 2] auth/auth_sam.c:sam_account_ok(235)
  sam_account_ok: Wksta trust account liferay$ denied by server
[2011/02/24 13:52:31, 5] auth/auth.c:check_ntlm_password(273)
  check_ntlm_password: sam authentication for user [liferay$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
[2011/02/24 13:52:31, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [CLUSTER_WG] was for this SAM.
[2011/02/24 13:52:31, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [liferay$] -> [liferay$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
[2011/02/24 13:52:31, 5] auth/auth_util.c:free_user_info(2045)
  attempting to free (and zero) a user_info structure
[2011/02/24 13:52:31, 3] smbd/error.c:error_packet_set(106)
  error packet at smbd/sesssetup.c(1489) cmd=115 (SMBsesssetupX) NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
[2011/02/24 13:52:31, 5] lib/util.c:show_msg(484)
[2011/02/24 13:52:31, 5] lib/util.c:show_msg(494)

Any idea why we are getting NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT? What exactly does it mean? Any clue about how to fix it?

In the product documentation it's said this account should be a Service Account but in the Samba HOWTO I don't find anything relevant, is it provided through the workstation account?

We're using Samba 3.0.26a with LDAP backend

On Thu, Feb 24, 2011 at 02:20:49PM +0100, Frodogodo drogofodo wrote:
> Hello list,
>
> we're trying to use NTLMv2 authentication from Liferay Portal 6.0.5 as
> specified in
> http://www.liferay.com/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration.
> We've created a machine account for it that looks like that:
>
> dn: uid=liferay$,ou=Maquinas,o=global,dc=map,dc=es
> sambaNTPassword: 76DBDF27BB32912AD61BC369DB8FEBD8
> sambaPwdLastSet: 1298373376
> sambaAcctFlags: [W]
> displayName: LIFERAY$
> sambaSID: S-1-5-21-3860457228-14833263-3247686105-1142
> uid: liferay$
> cn: liferay$
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: AltAccountMAP
> objectClass: sambaSamAccount
> .... [ No more interesting attributes ]
>
> But whenever we try to authenticate it fails and we have the following log:
>
> Primary group is 0 and contains 0 supplementary groups
> [2011/02/24 13:52:31, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2011/02/24 13:52:31, 2] auth/auth_sam.c:sam_account_ok(235)
> sam_account_ok: Wksta trust account liferay$ denied by server

Can you send a lot more lines above this?

Volker Lendecke

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen

On Thu, 2011-02-24 at 14:20 +0100, Frodogodo drogofodo wrote:
> Hello list,
>
> we're trying to use NTLMv2 authentication from Liferay Portal 6.0.5 as
> specified in
> http://www.liferay.com/community/wiki/-/wiki/Main/NTLMv2+SSO+Configuration.
> We've created a machine account for it that looks like that:
>
> dn: uid=liferay$,ou=Maquinas,o=global,dc=map,dc=es
> sambaNTPassword: 76DBDF27BB32912AD61BC369DB8FEBD8
> sambaPwdLastSet: 1298373376
> sambaAcctFlags: [W]
> displayName: LIFERAY$
> sambaSID: S-1-5-21-3860457228-14833263-3247686105-1142
> uid: liferay$
> cn: liferay$
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: AltAccountMAP
> objectClass: sambaSamAccount
> .... [ No more interesting attributes ]
>
> But whenever we try to authenticate it fails and we have the following log:
>
> Primary group is 0 and contains 0 supplementary groups
> [2011/02/24 13:52:31, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2011/02/24 13:52:31, 2] auth/auth_sam.c:sam_account_ok(235)
> sam_account_ok: Wksta trust account liferay$ denied by server
> [2011/02/24 13:52:31, 5] auth/auth.c:check_ntlm_password(273)
> check_ntlm_password: sam authentication for user [liferay$] FAILED with
> error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

> We're using Samba 3.0.26a with LDAP backend

I'm pretty sure this is the issue. We now know that this particular error code should only be returned in very particular circumstances, rather than when any machine account attempts to authenticate to the server with NTLM.

If you use a current version of Samba (ie 3.5) this much will work. If you need Samba to be an AD domain controller, then you will need to use Samba4.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
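
Added example, not part of the thread and not Samba's own code: a small Python parser for the smbd log layout quoted in the first message. It counts final NTLM failures per account and NT status, and decodes a sambaAcctFlags value such as the [W] in the LDAP entry. The function names are hypothetical; the log excerpt is copied from the thread and laid out as header line plus indented message.

```python
import re
from collections import Counter

# sambaAcctFlags letters as written by Samba's passdb code.
ACCT_FLAGS = {
    "N": "password not required", "D": "disabled", "H": "home dir required",
    "T": "temporary duplicate", "U": "normal user", "M": "MNS logon",
    "W": "workstation trust", "S": "server trust", "L": "auto-locked",
    "X": "password never expires", "I": "interdomain trust",
}
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*(\d+)\]\s+\S+:(\w+)\(\d+\)")
FAILED = re.compile(r"Authentication for user \[(.*?)\] -> \[(.*?)\] "
                    r"FAILED with error (\w+)")

def decode_acct_flags(value):
    # "[W          ]" or "[W]" -> ["workstation trust"]
    letters = value.strip().strip("[]").replace(" ", "")
    return [ACCT_FLAGS.get(c, "unknown flag " + c) for c in letters]

def parse_records(text):
    # Header "[time, level] file:function(line)", then its message lines.
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield (*current[:3], " ".join(current[3]))
            current = (m.group(1), int(m.group(2)), m.group(3), [])
        elif current and line.strip():
            current[3].append(line.strip())
    if current:
        yield (*current[:3], " ".join(current[3]))

def failed_logons(text):
    # Count final failures per (mapped account, NT status).
    hits = Counter()
    for _time, _level, func, msg in parse_records(text):
        m = FAILED.search(msg)
        if func == "check_ntlm_password" and m:
            hits[(m.group(2), m.group(3))] += 1
    return hits

# Log excerpt copied from the first message of this thread.
SAMPLE_LOG = """\
[2011/02/24 13:52:31, 2] auth/auth_sam.c:sam_account_ok(235)
  sam_account_ok: Wksta trust account liferay$ denied by server
[2011/02/24 13:52:31, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [liferay$] -> [liferay$] FAILED with error NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
"""
```

Calling failed_logons() on a full log.smbd gives a per-account tally, which makes it easy to see whether only accounts flagged W are being refused with this status.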