When we get the following: netr_LogonSamLogonEx: struct netr_LogonSamLogonEx out: struct netr_LogonSamLogonEx validation : * validation : union netr_Validation(case 6) sam6 : NULL authoritative : * authoritative : 0x00 (0) flags : * flags : 0x00000000 (0) 0: NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT 0: NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP 0: NETLOGON_SAMLOGON_FLAG_RODC_TO_OTHER_DOMAIN 0: NETLOGON_SAMLOGON_FLAG_RODC_NTLM_REQUEST result : NT_STATUS_ACCESS_DENIED It means we need to try another server! A typical case is broken sysvol replication where the dc still has SysvolReady=0 in HKLM\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters If that happens we need to blacklist that server and retry with another one or return NO_LOGON_SERVERS with authoritative=1 in the end.
Such a DC is in "PAUSE" mode. See MS-ADTS 6.3.3.2 Domain Controller Response to an LDAP Ping: ... Let t be set as follows: - When the Netlogon service is in a paused state, if v does not have the NETLOGON_NT_VERSION_PDC bit set or the server is not a PDC, let t be 1. - If the value of rootDSE attribute isSynchronized (see section 3.1.1.3) is false, let t be 1. - When the Netlogon RPC server is not initialized, if v does not have the NETLOGON_NT_VERSION_LOCAL bit set, let t be 1. - If the FRS service is in a paused state, let t be 1. - Otherwise, let t be 0. ... OperationCode: Set to LOGON_SAM_PAUSE_RESPONSE_EX if t is equal to 1. Set to LOGON_SAM_USER_UNKNOWN_EX if u is not NULL, but x is NULL. Set to LOGON_SAM_LOGON_RESPONSE_EX in other cases. Currently we're completely ignoring the OperationCode... and also try to use paused DCs.
This bug was referenced in samba master: ca859e55d28f421196bc2660cfa84595ec5b57c6