With a real NT4 DC we get a netr_LogonSamLogon(NetlogonNetworkInformation) exchange in which the account_name returned by the server is NULL and acct_flags is 0 (see below). The important part is the account_name: in the netsamlogoncache_entry it is filled in with the account name given by the client, which is done by netsamlogon_cache_store().

Before Samba 4.8, netsamlogon_cache_store() operated on the same info3 structure that was propagated to the caller and, in the end, to smbd, so the filled-in account name reached smbd as well. In Samba 4.8 we changed the code so that netsamlogon_cache_store() only operates on a temporary info3 structure, while the unmodified version is passed to the caller and smbd. As a result, auth_winbind in smbd gets an empty account name, is not able to call getpwnam() for the user, and returns NT_STATUS_LOGON_FAILURE.

In order to work at all against an NT4 DC I used the following settings, which relax several of the current defaults:

    workgroup = NT4DOM193
    security = domain
    require strong key = no
    client use spnego = no
    client ipc signing = auto
    client min protocol = NT1

Here are the detailed logs from log.wb-NT4DOM193:

netr_LogonSamLogon: struct netr_LogonSamLogon in: struct netr_LogonSamLogon server_name : * server_name : '\\NT4PDC-193' computer_name : * computer_name : 'UB1404-162' credential : * credential: struct netr_Authenticator cred: struct netr_Credential data : 7cf236782442563a timestamp : Fr Jul 30 16:24:51 2021 CEST return_authenticator : * return_authenticator: struct netr_Authenticator cred: struct netr_Credential data : 0000000000000000 timestamp : (time_t)0 logon_level : NetlogonNetworkInformation (2) logon : * logon : union netr_LogonLevel(case 2) network : * network: struct netr_NetworkInfo identity_info: struct netr_IdentityInfo domain_name: struct lsa_String length : 0x0012 (18) size : 0x0012 (18) string : * string : 'NT4DOM193' parameter_control : 0x00000820 (2080) 0: MSV1_0_CLEARTEXT_PASSWORD_ALLOWED 0: MSV1_0_UPDATE_LOGON_STATISTICS 0: MSV1_0_RETURN_USER_PARAMETERS 0: MSV1_0_DONT_TRY_GUEST_ACCOUNT 1: MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT 0: 
MSV1_0_RETURN_PASSWORD_EXPIRY 0: MSV1_0_USE_CLIENT_CHALLENGE 0: MSV1_0_TRY_GUEST_ACCOUNT_ONLY 0: MSV1_0_RETURN_PROFILE_PATH 0: MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY 1: MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0: MSV1_0_DISABLE_PERSONAL_FALLBACK 0: MSV1_0_ALLOW_FORCE_GUEST 0: MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED 0: MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY 0: MSV1_0_ALLOW_MSVCHAPV2 0: MSV1_0_S4U2SELF 0: MSV1_0_CHECK_LOGONHOURS_FOR_S4U 0: MSV1_0_SUBAUTHENTICATION_DLL_EX logon_id : 0xa622d656ed710ec6 (11971366428343340742) account_name: struct lsa_String length : 0x001a (26) size : 0x001a (26) string : * string : 'administrator' workstation: struct lsa_String length : 0x0018 (24) size : 0x0018 (24) string : * string : '\\UB1404-162' challenge : 690797588756cd0c nt: struct netr_ChallengeResponse length : 0x00f8 (248) size : 0x00f8 (248) data : * data: ARRAY(248) [0000] 52 81 65 5F 1C 9F DF 67 4B 66 70 B9 1D AE 70 67 R.e_...g Kfp...pg [0010] 01 01 00 00 00 00 00 00 FA 12 99 A7 4E 85 D7 01 ........ ....N... [0020] C2 14 CE EC 92 87 BD C1 00 00 00 00 02 00 12 00 ........ ........ [0030] 4E 00 54 00 34 00 44 00 4F 00 4D 00 31 00 39 00 N.T.4.D. O.M.1.9. [0040] 33 00 01 00 14 00 55 00 42 00 31 00 34 00 30 00 3.....U. B.1.4.0. [0050] 34 00 2D 00 31 00 36 00 32 00 04 00 02 00 00 00 4.-.1.6. 2....... [0060] 03 00 14 00 75 00 62 00 31 00 34 00 30 00 34 00 ....u.b. 1.4.0.4. [0070] 2D 00 31 00 36 00 32 00 07 00 08 00 FA 12 99 A7 -.1.6.2. ........ [0080] 4E 85 D7 01 06 00 04 00 02 00 00 00 08 00 30 00 N....... ......0. [0090] 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0....... ........ [00A0] 22 98 CD 8A 29 AD D2 4D 97 0E 5D 16 50 65 64 27 "...)..M ..].Ped' [00B0] EA 88 48 80 82 8F 06 BD EC C6 81 C8 9F E1 72 26 ..H..... ......r& [00C0] 0A 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........ [00D0] 00 00 00 00 09 00 1C 00 63 00 69 00 66 00 73 00 ........ c.i.f.s. [00E0] 2F 00 31 00 32 00 37 00 2E 00 30 00 2E 00 30 00 /.1.2.7. ..0...0. [00F0] 2E 00 31 00 00 00 00 00 ..1..... 
lm: struct netr_ChallengeResponse length : 0x0018 (24) size : 0x0018 (24) data : * data : 000000000000000000000000000000000000000000000000 validation_level : 0x0003 (3) netr_LogonSamLogon: struct netr_LogonSamLogon out: struct netr_LogonSamLogon return_authenticator : * return_authenticator: struct netr_Authenticator cred: struct netr_Credential data : 1de97d9c2e9f6e4e timestamp : (time_t)0 validation : * validation : union netr_Validation(case 3) sam3 : * sam3: struct netr_SamInfo3 base: struct netr_SamBaseInfo logon_time : Fr Jul 30 15:26:11 2021 CEST logoff_time : Do Sep 14 03:48:05 30828 CET kickoff_time : Do Sep 14 03:48:05 30828 CET last_password_change : Sa Nov 6 17:03:21 2010 CET allow_password_change : Sa Nov 6 17:03:21 2010 CET force_password_change : Do Sep 14 03:48:05 30828 CET account_name: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL full_name: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL logon_script: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL profile_path: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL home_directory: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL home_drive: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL logon_count : 0x0017 (23) bad_password_count : 0x0000 (0) rid : 0x000001f4 (500) primary_gid : 0x00000201 (513) groups: struct samr_RidWithAttributeArray count : 0x00000002 (2) rids : * rids: ARRAY(2) rids: struct samr_RidWithAttribute rid : 0x00000201 (513) attributes : 0x00000007 (7) 1: SE_GROUP_MANDATORY 1: SE_GROUP_ENABLED_BY_DEFAULT 1: SE_GROUP_ENABLED 0: SE_GROUP_OWNER 0: SE_GROUP_USE_FOR_DENY_ONLY 0: SE_GROUP_INTEGRITY 0: SE_GROUP_INTEGRITY_ENABLED 0: SE_GROUP_RESOURCE 0x00: SE_GROUP_LOGON_ID (0) rids: struct samr_RidWithAttribute rid : 0x00000200 (512) attributes : 0x00000007 (7) 1: SE_GROUP_MANDATORY 1: SE_GROUP_ENABLED_BY_DEFAULT 1: SE_GROUP_ENABLED 0: SE_GROUP_OWNER 0: 
SE_GROUP_USE_FOR_DENY_ONLY 0: SE_GROUP_INTEGRITY 0: SE_GROUP_INTEGRITY_ENABLED 0: SE_GROUP_RESOURCE 0x00: SE_GROUP_LOGON_ID (0) user_flags : 0x00000120 (288) 0: NETLOGON_GUEST 0: NETLOGON_NOENCRYPTION 0: NETLOGON_CACHED_ACCOUNT 0: NETLOGON_USED_LM_PASSWORD 1: NETLOGON_EXTRA_SIDS 0: NETLOGON_SUBAUTH_SESSION_KEY 0: NETLOGON_SERVER_TRUST_ACCOUNT 1: NETLOGON_NTLMV2_ENABLED 0: NETLOGON_RESOURCE_GROUPS 0: NETLOGON_PROFILE_PATH_RETURNED 0: NETLOGON_GRACE_LOGON key: struct netr_UserSessionKey key: ARRAY(16): <REDACTED SECRET VALUES> logon_server: struct lsa_StringLarge length : 0x0014 (20) size : 0x0016 (22) string : * string : 'NT4PDC-193' logon_domain: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) string : * string : 'NT4DOM193' domain_sid : * domain_sid : S-1-5-21-357788813-580721598-483988704 LMSessKey: struct netr_LMSessionKey key: ARRAY(8): <REDACTED SECRET VALUES> acct_flags : 0x00000000 (0) 0: ACB_DISABLED 0: ACB_HOMDIRREQ 0: ACB_PWNOTREQ 0: ACB_TEMPDUP 0: ACB_NORMAL 0: ACB_MNS 0: ACB_DOMTRUST 0: ACB_WSTRUST 0: ACB_SVRTRUST 0: ACB_PWNOEXP 0: ACB_AUTOLOCK 0: ACB_ENC_TXT_PWD_ALLOWED 0: ACB_SMARTCARD_REQUIRED 0: ACB_TRUSTED_FOR_DELEGATION 0: ACB_NOT_DELEGATED 0: ACB_USE_DES_KEY_ONLY 0: ACB_DONT_REQUIRE_PREAUTH 0: ACB_PW_EXPIRED 0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0: ACB_NO_AUTH_DATA_REQD 0: ACB_PARTIAL_SECRETS_ACCOUNT 0: ACB_USE_AES_KEYS sub_auth_status : 0x00000000 (0) last_successful_logon : NTTIME(0) last_failed_logon : NTTIME(0) failed_logon_count : 0x00000000 (0) reserved : 0x00000000 (0) sidcount : 0x00000000 (0) sids : NULL authoritative : * authoritative : 0x01 (1) result : NT_STATUS_OK &r: struct netsamlogoncache_entry timestamp : Fr Jul 30 16:18:35 2021 CEST info3: struct netr_SamInfo3 base: struct netr_SamBaseInfo logon_time : Fr Jul 30 15:26:11 2021 CEST logoff_time : Do Sep 14 03:48:05 30828 CET kickoff_time : Do Sep 14 03:48:05 30828 CET last_password_change : Sa Nov 6 17:03:21 2010 CET allow_password_change : Sa Nov 6 17:03:21 
2010 CET force_password_change : Do Sep 14 03:48:05 30828 CET account_name: struct lsa_String length : 0x001a (26) size : 0x001a (26) string : * string : 'administrator' full_name: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL logon_script: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL profile_path: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL home_directory: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL home_drive: struct lsa_String length : 0x0000 (0) size : 0x0000 (0) string : NULL logon_count : 0x0017 (23) bad_password_count : 0x0000 (0) rid : 0x000001f4 (500) primary_gid : 0x00000201 (513) groups: struct samr_RidWithAttributeArray count : 0x00000002 (2) rids : * rids: ARRAY(2) rids: struct samr_RidWithAttribute rid : 0x00000201 (513) attributes : 0x00000007 (7) 1: SE_GROUP_MANDATORY 1: SE_GROUP_ENABLED_BY_DEFAULT 1: SE_GROUP_ENABLED 0: SE_GROUP_OWNER 0: SE_GROUP_USE_FOR_DENY_ONLY 0: SE_GROUP_INTEGRITY 0: SE_GROUP_INTEGRITY_ENABLED 0: SE_GROUP_RESOURCE 0x00: SE_GROUP_LOGON_ID (0) rids: struct samr_RidWithAttribute rid : 0x00000200 (512) attributes : 0x00000007 (7) 1: SE_GROUP_MANDATORY 1: SE_GROUP_ENABLED_BY_DEFAULT 1: SE_GROUP_ENABLED 0: SE_GROUP_OWNER 0: SE_GROUP_USE_FOR_DENY_ONLY 0: SE_GROUP_INTEGRITY 0: SE_GROUP_INTEGRITY_ENABLED 0: SE_GROUP_RESOURCE 0x00: SE_GROUP_LOGON_ID (0) user_flags : 0x00000120 (288) 0: NETLOGON_GUEST 0: NETLOGON_NOENCRYPTION 0: NETLOGON_CACHED_ACCOUNT 0: NETLOGON_USED_LM_PASSWORD 1: NETLOGON_EXTRA_SIDS 0: NETLOGON_SUBAUTH_SESSION_KEY 0: NETLOGON_SERVER_TRUST_ACCOUNT 1: NETLOGON_NTLMV2_ENABLED 0: NETLOGON_RESOURCE_GROUPS 0: NETLOGON_PROFILE_PATH_RETURNED 0: NETLOGON_GRACE_LOGON key: struct netr_UserSessionKey key: ARRAY(16): <REDACTED SECRET VALUES> logon_server: struct lsa_StringLarge length : 0x0014 (20) size : 0x0016 (22) string : * string : 'NT4PDC-193' logon_domain: struct lsa_StringLarge length : 0x0012 (18) size : 0x0014 (20) 
string : * string : 'NT4DOM193' domain_sid : * domain_sid : S-1-5-21-357788813-580721598-483988704 LMSessKey: struct netr_LMSessionKey key: ARRAY(8): <REDACTED SECRET VALUES> acct_flags : 0x00000000 (0) 0: ACB_DISABLED 0: ACB_HOMDIRREQ 0: ACB_PWNOTREQ 0: ACB_TEMPDUP 0: ACB_NORMAL 0: ACB_MNS 0: ACB_DOMTRUST 0: ACB_WSTRUST 0: ACB_SVRTRUST 0: ACB_PWNOEXP 0: ACB_AUTOLOCK 0: ACB_ENC_TXT_PWD_ALLOWED 0: ACB_SMARTCARD_REQUIRED 0: ACB_TRUSTED_FOR_DELEGATION 0: ACB_NOT_DELEGATED 0: ACB_USE_DES_KEY_ONLY 0: ACB_DONT_REQUIRE_PREAUTH 0: ACB_PW_EXPIRED 0: ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0: ACB_NO_AUTH_DATA_REQD 0: ACB_PARTIAL_SECRETS_ACCOUNT 0: ACB_USE_AES_KEYS sub_auth_status : 0x00000000 (0) last_successful_logon : NTTIME(0) last_failed_logon : NTTIME(0) failed_logon_count : 0x00000000 (0) reserved : 0x00000000 (0) sidcount : 0x00000000 (0) sids : NULL
Created attachment 16707 [details] Backport to 4.9
This bug was referenced in samba master: 93bac5f12240597e1e92291de70a7000a403baca