Bug 14981 - netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0
Summary: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.15.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2022-02-16 14:23 UTC by Stefan Metzmacher
Modified: 2022-02-21 15:05 UTC

Description Stefan Metzmacher 2022-02-16 14:23:44 UTC
When we get the following:

       netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
          out: struct netr_LogonSamLogonEx
              validation               : *
                  validation               : union netr_Validation(case 6)
                  sam6                     : NULL
              authoritative            : *
                  authoritative            : 0x00 (0)
              flags                    : *
                  flags                    : 0x00000000 (0)
                         0: NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT
                         0: NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP
                         0: NETLOGON_SAMLOGON_FLAG_RODC_TO_OTHER_DOMAIN
                         0: NETLOGON_SAMLOGON_FLAG_RODC_NTLM_REQUEST
              result                   : NT_STATUS_ACCESS_DENIED

It means we need to try another server!

A typical case is broken sysvol replication where the DC still
has SysvolReady=0 in HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

If that happens we need to blacklist that server and retry with another
one or return NO_LOGON_SERVERS with authoritative=1 in the end.
Comment 1 Stefan Metzmacher 2022-02-21 15:05:50 UTC
Such a DC is in "PAUSE" mode. See MS-ADTS 6.3.3.2 Domain Controller Response to an LDAP Ping:

...
Let t be set as follows:
- When the Netlogon service is in a paused state, if v does not have the
NETLOGON_NT_VERSION_PDC bit set or the server is not a PDC, let t be 1.
- If the value of rootDSE attribute isSynchronized (see section 3.1.1.3) is false, let t be 1.
- When the Netlogon RPC server is not initialized, if v does not have the
NETLOGON_NT_VERSION_LOCAL bit set, let t be 1.
- If the FRS service is in a paused state, let t be 1.
- Otherwise, let t be 0.
...

OperationCode: Set to LOGON_SAM_PAUSE_RESPONSE_EX if t is equal to 1. Set to
LOGON_SAM_USER_UNKNOWN_EX if u is not NULL, but x is NULL. Set to
LOGON_SAM_LOGON_RESPONSE_EX in other cases.

Currently we're completely ignoring the OperationCode...
and also try to use paused DCs.
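The retry rule from the description (non-authoritative ACCESS_DENIED means "try another server", ending in NO_LOGON_SERVERS with authoritative=1) and the paused-DC rule from comment 1 (honour LOGON_SAM_PAUSE_RESPONSE_EX), as an added example that is not Samba's or winbind's own code: a constructed DC list and a hypothetical failover loop, where samlogon_with_failover, dc_sim, logon_outcome and demo_outcome are assumed names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Standard NTSTATUS values (what Samba's NT_STATUS_* macros expand to). */
#define NT_STATUS_OK               0x00000000u
#define NT_STATUS_ACCESS_DENIED    0xC0000022u
#define NT_STATUS_NO_LOGON_SERVERS 0xC000005Eu
/* LDAP ping OperationCode names from MS-ADTS; the wire values are not needed here.
 * LOGON_SAM_PAUSE_RESPONSE_EX is what a DC answers while t == 1 (Netlogon/FRS paused, ...). */
enum ldap_ping_opcode { LOGON_SAM_LOGON_RESPONSE_EX, LOGON_SAM_PAUSE_RESPONSE_EX, LOGON_SAM_USER_UNKNOWN_EX };

/* Constructed model of one DC: its LDAP ping answer and its netr_LogonSamLogonEx reply. */
struct dc_sim {
	const char *name;
	enum ldap_ping_opcode ping_opcode;
	uint32_t logon_result;     /* "result" field of the SamLogonEx reply */
	uint8_t authoritative;     /* "authoritative" field of the SamLogonEx reply */
	bool blacklisted;          /* set once the DC has been rejected for this logon */
};
struct logon_outcome { uint32_t result; uint8_t authoritative; const char *dc; };

/* Hypothetical failover loop (not winbind's own code): skip paused or blacklisted DCs,
 * treat a non-authoritative ACCESS_DENIED as "try another server", give up authoritatively. */
struct logon_outcome samlogon_with_failover(struct dc_sim *dcs, size_t n)
{
	for (size_t i = 0; i < n; i++) {
		struct dc_sim *dc = &dcs[i];
		if (dc->blacklisted || dc->ping_opcode == LOGON_SAM_PAUSE_RESPONSE_EX)
			continue;                 /* honour the OperationCode: never use a paused DC */
		if (dc->logon_result == NT_STATUS_ACCESS_DENIED && dc->authoritative == 0) {
			dc->blacklisted = true;   /* blacklist it and retry with the next DC */
			continue;
		}
		/* Success or an authoritative failure is a final answer. */
		return (struct logon_outcome){ dc->logon_result, dc->authoritative, dc->name };
	}
	return (struct logon_outcome){ NT_STATUS_NO_LOGON_SERVERS, 1, NULL };
}

/* Constructed scenario: dc1 is paused (SysvolReady=0), dc2 answers ACCESS_DENIED with
 * authoritative=0, dc3 is healthy and is only offered when healthy_dc_available is true. */
struct logon_outcome demo_outcome(bool healthy_dc_available)
{
	struct dc_sim dcs[] = {
		{ "dc1", LOGON_SAM_PAUSE_RESPONSE_EX, NT_STATUS_OK, 1, false },
		{ "dc2", LOGON_SAM_LOGON_RESPONSE_EX, NT_STATUS_ACCESS_DENIED, 0, false },
		{ "dc3", LOGON_SAM_LOGON_RESPONSE_EX, NT_STATUS_OK, 1, false },
	};
	return samlogon_with_failover(dcs, healthy_dc_available ? 3 : 2);
}
```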