Bug 14981 - netr_LogonSamLogonEx returns NT_STATUS_ACCESS_DENIED with SysvolReady=0
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.15.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2022-02-16 14:23 UTC by Stefan Metzmacher
Modified: 2025-09-09 15:39 UTC


Attachments
Patch for v4-20-test (4.67 KB, text/plain)
2024-05-29 14:28 UTC, Stefan Metzmacher
gd: review+
Patch for v4-19-test (4.67 KB, text/plain)
2024-05-29 14:28 UTC, Stefan Metzmacher
gd: review+
Patch for 4.22 cherry-picked from master (19.23 KB, patch)
2025-08-01 12:26 UTC, Ralph Böhme
gd: review+
Patch for 4.21 backported from master (18.51 KB, patch)
2025-08-01 12:27 UTC, Ralph Böhme
gd: review+

Description Stefan Metzmacher 2022-02-16 14:23:44 UTC
When we get the following:

       netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
          out: struct netr_LogonSamLogonEx
              validation               : *
                  validation               : union netr_Validation(case 6)
                  sam6                     : NULL
              authoritative            : *
                  authoritative            : 0x00 (0)
              flags                    : *
                  flags                    : 0x00000000 (0)
                         0: NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT
                         0: NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP
                         0: NETLOGON_SAMLOGON_FLAG_RODC_TO_OTHER_DOMAIN
                         0: NETLOGON_SAMLOGON_FLAG_RODC_NTLM_REQUEST
              result                   : NT_STATUS_ACCESS_DENIED

It means we need to try another server!

A typical case is broken sysvol replication where the DC still
has SysvolReady=0 in HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

If that happens we need to blacklist that server and retry with another
one or return NO_LOGON_SERVERS with authoritative=1 in the end.
Comment 1 Stefan Metzmacher 2022-02-21 15:05:50 UTC
Such a DC is in "PAUSE" mode. See MS-ADTS 6.3.3.2 Domain Controller Response to an LDAP Ping:

...
Let t be set as follows:
- When the Netlogon service is in a paused state, if v does not have the
NETLOGON_NT_VERSION_PDC bit set or the server is not a PDC, let t be 1.
- If the value of rootDSE attribute isSynchronized (see section 3.1.1.3) is false, let t be 1.
- When the Netlogon RPC server is not initialized, if v does not have the
NETLOGON_NT_VERSION_LOCAL bit set, let t be 1.
- If the FRS service is in a paused state, let t be 1.
- Otherwise, let t be 0.
...

OperationCode: Set to LOGON_SAM_PAUSE_RESPONSE_EX if t is equal to 1. Set to
LOGON_SAM_USER_UNKNOWN_EX if u is not NULL, but x is NULL. Set to
LOGON_SAM_LOGON_RESPONSE_EX in other cases.

Currently we're completely ignoring the OperationCode...
and also try to use paused DCs.
Comment 2 Samba QA Contact 2024-04-05 13:29:04 UTC
This bug was referenced in samba master:

ca859e55d28f421196bc2660cfa84595ec5b57c6
Comment 3 Stefan Metzmacher 2024-05-29 14:28:04 UTC
Created attachment 18312
Patch for v4-20-test
Comment 4 Stefan Metzmacher 2024-05-29 14:28:27 UTC
Created attachment 18313
Patch for v4-19-test
Comment 5 Guenther Deschner 2024-05-29 18:11:15 UTC
Comment on attachment 18312
Patch for v4-20-test

LGTM, RB+
Comment 6 Guenther Deschner 2024-05-29 18:11:28 UTC
Comment on attachment 18313
Patch for v4-19-test

LGTM, RB+
Comment 7 Guenther Deschner 2024-05-29 18:11:56 UTC
Jule, please add to v4-20 and v4-19. Thanks!
Comment 8 Samba QA Contact 2024-05-29 19:26:30 UTC
This bug was referenced in samba v4-19-test:

fab04efa32564a47191c775d1b51362bf0c5658a
Comment 9 Samba QA Contact 2024-05-30 10:58:14 UTC
This bug was referenced in samba v4-20-test:

4257e3b8fef705216a630320e0743a0ab6ed43bb
Comment 10 Stefan Metzmacher 2024-05-30 11:51:57 UTC
There's more to do to fix the bug...
Comment 11 Samba QA Contact 2024-06-10 15:31:16 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.7):

fab04efa32564a47191c775d1b51362bf0c5658a
Comment 12 Samba QA Contact 2024-06-19 14:34:38 UTC
This bug was referenced in samba v4-20-stable (Release samba-4.20.2):

4257e3b8fef705216a630320e0743a0ab6ed43bb
Comment 13 Ralph Böhme 2025-06-26 14:42:33 UTC
To clarify: the patches present in this bug report are far from the complete fix.
Comment 14 Samba QA Contact 2025-07-30 10:11:04 UTC
This bug was referenced in samba master:

Comment 15 Ralph Böhme 2025-08-01 12:26:46 UTC
Created attachment 18680
Patch for 4.22 cherry-picked from master
Comment 16 Ralph Böhme 2025-08-01 12:27:19 UTC
Created attachment 18681
Patch for 4.21 backported from master
Comment 17 Guenther Deschner 2025-08-01 12:53:13 UTC
Comment on attachment 18680
Patch for 4.22 cherry-picked from master

LGTM, RB+
Comment 18 Guenther Deschner 2025-08-01 12:55:12 UTC
Comment on attachment 18681
Patch for 4.21 backported from master

LGTM, RB+
Comment 19 Guenther Deschner 2025-08-01 12:56:10 UTC
Jule, please add to v4-22 and v4-21. Thanks!
Comment 20 Jule Anger 2025-08-06 08:05:45 UTC
Pushed to autobuild-v4-{22,21}-test.
Comment 21 Samba QA Contact 2025-08-06 09:30:03 UTC
This bug was referenced in samba v4-21-test:

Comment 22 Samba QA Contact 2025-08-07 13:51:03 UTC
This bug was referenced in samba v4-22-test:

Comment 23 Jule Anger 2025-08-07 13:54:56 UTC
Closing out bug report.

Thanks!
Comment 24 Samba QA Contact 2025-08-21 15:24:55 UTC
This bug was referenced in samba v4-22-stable (Release samba-4.22.4):

Comment 25 Samba QA Contact 2025-09-09 15:39:50 UTC
This bug was referenced in samba v4-21-stable (Release samba-4.21.8):
