winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED


winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED

Ashutosh Kamdar
Hello,

Specifications of the environment:
Samba 3.0.13 running on Solaris 8. This is configured as a domain member of an NT4-style PDC. The smb.conf file is provided for details.

Problem definition:
When trying to access the Samba server from a Windows machine through Network Neighborhood, the system challenges the user for their credentials. On providing the username/password the system rejects the combination. The Samba logs suggest that winbind authentication for the user has failed with the error message NT_STATUS_ACCESS_DENIED. A more detailed log follows. The user has an entry in /etc/passwd and on the NT PDC.

Can someone help me understand what causes the winbind authentication to fail and report NT_STATUS_ACCESS_DENIED?

Snippet of the error message in the log (log level = 10):
[2005/04/27 06:12:09, 6] param/loadparm.c:lp_file_list_changed(2707)
  lp_file_list_changed()
  file /usr/local/samba/lib/smb.conf -> /usr/local/samba/lib/smb.conf  last mod_time: Wed Apr 27 06:06:29 2005

[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info_map(224)
  make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation [ASHUTOSH]
[2005/04/27 06:12:09, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain DOMAINNAME found.
[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info(132)
  attempting to make a user_info for akamdar (akamdar)
[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info(142)
  making strings for akamdar's user_info struct
[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info(184)
  making blobs for akamdar's user_info struct
[2005/04/27 06:12:09, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [DOMAINNAME]\[akamdar]@[ASHUTOSH] with the new password interface
[2005/04/27 06:12:09, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [DOMAINNAME]\[akamdar]@[ASHUTOSH]
[2005/04/27 06:12:09, 5] lib/util.c:dump_data(1995)
  [000] D4 E0 B8 07 5D D1 4B FF                           ....].K.
[2005/04/27 06:12:09, 8] lib/util.c:is_myname(1815)
  is_myname("DOMAINNAME") returns 0
[2005/04/27 06:12:09, 6] auth/auth_sam.c:check_samstrict_security(376)
  check_samstrict_security: DOMAINNAME is not one of my local names (ROLE_DOMAIN_MEMBER)
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2005/04/27 06:12:09, 3] smbd/uid.c:push_conn_ctx(365)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 06:12:09, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/27 06:12:09, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [akamdar] -> [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED
[2005/04/27 06:12:09, 5] auth/auth_util.c:free_user_info(1380)
  attempting to free (and zero) a user_info structure
[2005/04/27 06:12:09, 6] lib/util_sock.c:write_socket(449)
  write_socket(25,112)
[2005/04/27 06:12:09, 6] lib/util_sock.c:write_socket(452)
  write_socket(25,112) wrote 112
[2005/04/27 06:12:09, 3] smbd/process.c:timeout_processing(1334)
  timeout_processing: End of file from client (client has disconnected).
[2005/04/27 06:12:09, 5] lib/gencache.c:gencache_shutdown(88)
  Closing cache file
[2005/04/27 06:12:09, 5] libsmb/namecache.c:namecache_shutdown(79)
  namecache_shutdown: netbios namecache closed successfully.
[2005/04/27 06:12:09, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_nt_user_token(485)
  NT user token: (NULL)
[2005/04/27 06:12:09, 5] auth/auth_util.c:debug_unix_user_token(506)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2005/04/27 06:12:09, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2005/04/27 06:12:09, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/04/27 06:12:09, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2005/04/27 06:12:09, 5] smbd/oplock.c:receive_local_message(107)
  receive_local_message: doing select with timeout of 1 ms
[2005/04/27 06:12:09, 3] smbd/server.c:exit_server(652)
  Server exit (normal exit)


Snippet of the smb.conf file:

[global]
dns proxy = no
debug timestamp = yes
encrypt passwords = yes
idmap gid = 15000-20000
socket options = TCP_NODELAY
max log size = 1024
password server = PASSWORDSERVER
idmap uid = 15000-20000
security = domain
server string = Samba Server
workgroup = DOMAINNAME
log level = 10
log file = /usr/local/samba/var/log.%m
netbios name = appserver7
load printers = yes
os level = 33
default = share
winbind use default domain = no

Thanks for your time and attention,

Ash



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED

Paul Gienger

>[2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info_map(224)
>  make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation [ASHUTOSH]
>  
>

>Snippet of the smb.conf file:
>
>[global]
>workgroup = DOMAINNAME
>  
>
Is DOMAINNAME really the name of your NT domain?

Have you joined this machine to the domain at all?  The log that I left
above seems to state that you haven't.

--
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: [hidden email]




Re: winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED

Ashutosh Kamdar
Hi,

DOMAINNAME is not the real name of the domain I am joining. I have sanitized the logs for obvious reasons. DOMAINNAME = the real name of the DOMAIN being joined by the server.

How do I check if the samba server has joined the domain or not? The net rpc join command suggested by the documentation was executed with smbd and nmbd stopped and it worked just fine. No errors reported. Out of curiosity, what part of the log suggested that the server hasn't joined the domain?


Regards,

Ash




Re: winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED

Paul Gienger

>DOMAINNAME is not the real name of the domain I am joining. I have sanitized the logs for obvious reasons.
>
Maybe I'm crazily naive, but I'll never understand why things need to be
sanitized that much...  password hashes, sure; real world IP addresses,
you bet; things that don't matter in the world outside of your network,
who cares?  Anyway, back to the issue at hand, since we've gotten this
out of the way.

>How do I check if the samba server has joined the domain or not? The net rpc join command suggested by the documentation was executed with smbd and nmbd stopped and it worked just fine. No errors reported. Out of curiosity, what part of the log suggested that the server hasn't joined the domain?
>  
>
Oh, I see I left the wrong line of the log... it was this one:

[2005/04/27 06:12:09, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain DOMAINNAME found.


Not being a winbind-runner here, I can't offer much beyond pointing at
the documentation to be sure you've followed all of the steps there to
be sure your setup is sane.

--
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax:    701-281-1322
URL: www.ae-solutions.com       mailto: [hidden email]




Re: winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED

Tom Skeren
Paul Gienger wrote:

>
>> DOMAINNAME is not the real name of the domain I am joining. I have
>> sanitized the logs for obvious reasons.
>>
> Maybe I'm crazily naive, but I'll never understand why things need to
> be sanitized that much...  password hashes, sure; real world IP
> addresses, you bet; things that don't matter in the world outside of
> your network, who cares?  Anyway, back to the issue at hand, since
> we've gotten this out of the way.
>
>> How do I check if the samba server has joined the domain or not?
>
net rpc or net ads testjoin

>> The net rpc join command suggested by the documentation was executed
>> with smbd and nmbd stopped and it worked just fine. No errors
>> reported. Out of curiosity, what part of the log suggested that the
>> server hasn't joined the domain?
>>  
>>
> Oh, I see I left the wrong line of the log... it was this one:
>
> [2005/04/27 06:12:09, 5]
> libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
>  no entry for trusted domain DOMAINNAME found.
>
>
> Not being a winbind-runner here, I can't offer much beyond pointing at
> the documentation to be sure you've followed all of the steps there to
> be sure your setup is sane.




Re: winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED

John H Terpstra - Samba Team
In reply to this post by Ashutosh Kamdar
On Wednesday 27 April 2005 11:32, Ashutosh Kamdar wrote:

> Hello,
>
> Specifications of the environment:
> Samba 3.0.13 running on Solaris 8. This is configured as a domain member of
> a NT4 style PDC. The smb.conf file is provided for details.
>
> Problem definition:
> When trying to access the Samba server from a windows machine through
> network neighborhood, the system challenges the user for their credentials.
> On providing the username/password the system rejects the combination. The
> Samba logs suggest that winbind authentication for the user has failed with
> the error message NT_STATUS_ACCESS_DENIED. A more detailed log follows. The
> user has an entry in /etc/passwd and the NT PDC.

Have you read our documentation? Did you check chapter 7 of the book "Samba-3
by Example"? You can download this from:

http://www.samba.org/samba/docs/Samba-Guide.pdf

The steps described should work on Solaris just as on Linux (the documented
case).

Did you join the Samba server to the domain? The process for doing that is:

        net rpc join -S PDC_name -UAdministrator%password

>
> Can someone help me understand what causes the winbind authentication to
> fail and report NT_STATUS_ACCESS_DENIED?
>
> Snippet of the error message in the log (log level = 10):
> [2005/04/27 06:12:09, 6] param/loadparm.c:lp_file_list_changed(2707)
>   lp_file_list_changed()
>   file /usr/local/samba/lib/smb.conf -> /usr/local/samba/lib/smb.conf  last mod_time: Wed Apr 27 06:06:29 2005
>
> [2005/04/27 06:12:09, 5] auth/auth_util.c:make_user_info_map(224)
>   make_user_info_map: Mapping user [DOMAINNAME]\[akamdar] from workstation [ASHUTOSH]
> [2005/04/27 06:12:09, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
>   no entry for trusted domain DOMAINNAME found.

The above line would suggest that you did not join the Samba server to the
domain.


- John T.
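The two answers above name the check and the join command but leave the reader to connect them to the log. The following script is an added example, not code from the thread or from the Samba project. It (1) recognises the log pattern Paul and John point at (a trustdom cache miss for the workgroup domain followed by a winbind NT_STATUS_ACCESS_DENIED, which they read as "not joined"), using the two lines from Ashutosh's own log as embedded sample input, and (2) optionally confirms membership live with `net rpc testjoin` (Tom's suggestion) and `wbinfo -t` (winbind's own check of the machine trust secret, an assumption on my part that it is the right companion check). The `join_domain` helper is John's command with the password left off the command line so it is prompted for rather than exposed in `ps` output or shell history. The live check is gated behind `SAMBA_LIVE_CHECK=1` so the script is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose "not joined" from a level-10
# smbd log, then optionally verify domain membership with the samba tools.

# The two log lines that matter, copied from Ashutosh's log above.
SAMPLE_LOG='[2005/04/27 06:12:09, 5] libsmb/trustdom_cache.c:trustdom_cache_fetch(184)
  no entry for trusted domain DOMAINNAME found.
[2005/04/27 06:12:09, 5] auth/auth.c:check_ntlm_password(271)
  check_ntlm_password: winbind authentication for user [akamdar] FAILED with error NT_STATUS_ACCESS_DENIED'

# diagnose_log LOGTEXT -> prints one word:
#   not-joined    trustdom cache miss AND winbind ACCESS_DENIED (check the join)
#   winbind-deny  winbind ACCESS_DENIED but the domain was known (look at the
#                 account, password or PDC instead of the join)
#   no-match      neither pattern present
diagnose_log() {
    _miss=0
    _deny=0
    if printf '%s\n' "$1" | grep -q 'no entry for trusted domain'; then
        _miss=1
    fi
    if printf '%s\n' "$1" | grep -q 'winbind authentication for user .* FAILED with error NT_STATUS_ACCESS_DENIED'; then
        _deny=1
    fi
    if [ "$_miss" -eq 1 ] && [ "$_deny" -eq 1 ]; then
        echo not-joined
    elif [ "$_deny" -eq 1 ]; then
        echo winbind-deny
    else
        echo no-match
    fi
}

# trusted_domain_from_log LOGTEXT -> the domain named in the cache-miss line
# (empty if absent); compare it with "workgroup =" in smb.conf.
trusted_domain_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*no entry for trusted domain \([^ ]*\) found.*/\1/p' | head -n 1
}

# verify_join -> 0 when "net rpc testjoin" succeeds and (if wbinfo is present)
# "wbinfo -t" confirms winbind can use the machine trust secret; 1 on failure;
# 2 when the samba tools are not installed so nothing could be checked.
verify_join() {
    command -v net >/dev/null 2>&1 || return 2
    net rpc testjoin || return 1
    if command -v wbinfo >/dev/null 2>&1; then
        wbinfo -t || return 1
    fi
    return 0
}

# join_domain PDC_NAME -> John's join command; the password is prompted for
# rather than passed as Administrator%password on the command line.
join_domain() {
    net rpc join -S "$1" -U Administrator
}

# Stand-alone run: always diagnose the embedded sample; only talk to the PDC
# when SAMBA_LIVE_CHECK=1 is set.
echo "log diagnosis: $(diagnose_log "$SAMPLE_LOG") (domain: $(trusted_domain_from_log "$SAMPLE_LOG"))"
if [ "${SAMBA_LIVE_CHECK:-0}" = 1 ]; then
    verify_join && rc=0 || rc=$?
    case $rc in
        0) echo "live check: joined, winbind trust secret OK" ;;
        2) echo "live check: samba tools not installed, skipped" ;;
        *) echo "live check: NOT joined (or winbind cannot use the secret)" ;;
    esac
fi
```

On a real member server, run it as `SAMBA_LIVE_CHECK=1 sh samba_join_check.sh`; if the log diagnosis says `not-joined` and `net rpc testjoin` fails, rerun the join with `join_domain PDC_name` and then restart smbd, nmbd and winbindd before retesting.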

Re: winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED

Ashutosh Kamdar
In reply to this post by Paul Gienger
Thank you for pointing this out, Paul. I was assuming this to be some sort of cache for previous accesses to machines in the domain. But I was wrong.

The Samba HOW-TO documentation does not say anything specific about configuring winbind while becoming a part of the NT domain. Are there any tools that the group is aware of to test whether the samba server is indeed a domain member?

Any help is appreciated.

Thanks,

Ash




Re: winbind and NTLM authentication problems - NT_STATUS_ACCESS_DENIED

John H Terpstra - Samba Team
On Wednesday 27 April 2005 12:58, Ashutosh Kamdar wrote:
> Thank you for pointing this out, Paul. I was assuming this to be some sort
> of cache for previous accesses to machines in the domain. But I was
> wrong.
>
> The Samba HOW-TO documentation does not say anything specific about
> configuring winbind while becoming a part of the NT domain. Are there any
> tools that the group is aware of to test whether the samba server is indeed
> a domain member?

OK - I'll bite. When you have figured out how to solve the problem please,
please give me documentation updates so we can fix this glaring deficiency.
In the meantime, I would appreciate a pointer to the section numbers of the
documentation that you did read and that did not provide the necessary
answer.

I am in the process of updating the Samba-HOWTO-Collection and would like to
close the gap as soon as possible.

Thanks for pointing out a problem area.

Meanwhile, may I suggest chapter 7 of the book "Samba-3 by Example", also
known as the Samba-Guide. You can download it from:

        http://www.samba.org/samba/docs/Samba-Guide.pdf

It may help a lot. (Then again, it may not).

- John T.


--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.