Bug 14981 - netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with SysvolReady=0
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.15.5
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
Reported: 2022-02-16 14:23 UTC by Stefan Metzmacher
Modified: 2024-06-19 14:34 UTC
CC: 4 users
Attachments
Patch for v4-20-test (4.67 KB, text/plain), 2024-05-29 14:28 UTC, Stefan Metzmacher, flags: gd: review+
Patch for v4-19-test (4.67 KB, text/plain), 2024-05-29 14:28 UTC, Stefan Metzmacher, flags: gd: review+

Description Stefan Metzmacher 2022-02-16 14:23:44 UTC
When we get the following:

       netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
          out: struct netr_LogonSamLogonEx
              validation               : *
                  validation               : union netr_Validation(case 6)
                  sam6                     : NULL
              authoritative            : *
                  authoritative            : 0x00 (0)
              flags                    : *
                  flags                    : 0x00000000 (0)
                         0: NETLOGON_SAMLOGON_FLAG_PASS_TO_FOREST_ROOT
                         0: NETLOGON_SAMLOGON_FLAG_PASS_CROSS_FOREST_HOP
                         0: NETLOGON_SAMLOGON_FLAG_RODC_TO_OTHER_DOMAIN
                         0: NETLOGON_SAMLOGON_FLAG_RODC_NTLM_REQUEST
              result                   : NT_STATUS_ACCESS_DENIED

It means we need to try another server!

A typical case is broken sysvol replication where the DC still
has SysvolReady=0 in HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

If that happens we need to blacklist that server and retry with another
one or return NO_LOGON_SERVERS with authoritative=1 in the end.
Comment 1 Stefan Metzmacher 2022-02-21 15:05:50 UTC
Such a DC is in "PAUSE" mode. See MS-ADTS 6.3.3.2 Domain Controller Response to an LDAP Ping:

...
Let t be set as follows:
- When the Netlogon service is in a paused state, if v does not have the
NETLOGON_NT_VERSION_PDC bit set or the server is not a PDC, let t be 1.
- If the value of rootDSE attribute isSynchronized (see section 3.1.1.3) is false, let t be 1.
- When the Netlogon RPC server is not initialized, if v does not have the
NETLOGON_NT_VERSION_LOCAL bit set, let t be 1.
- If the FRS service is in a paused state, let t be 1.
- Otherwise, let t be 0.
...

OperationCode: Set to LOGON_SAM_PAUSE_RESPONSE_EX if t is equal to 1. Set to
LOGON_SAM_USER_UNKNOWN_EX if u is not NULL, but x is NULL. Set to
LOGON_SAM_LOGON_RESPONSE_EX in other cases.

Currently we're completely ignoring the OperationCode...
and also try to use paused DCs.
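The two rules described in this report (the description's "ACCESS_DENIED with authoritative=0 means try another server, else NO_LOGON_SERVERS with authoritative=1", and the MS-ADTS 6.3.3.2 OperationCode derivation quoted in comment 1), modelled as an added Python example; this is not Samba's winbind code. The NT status, NtVersion and OperationCode constants are the MS-NRPC/MS-ADTS values; `DcState` and the `do_logon` callback are constructed stand-ins for the real DC state and the RPC call.

```python
# Added example (not Samba's winbind code): the DC-selection rules from this
# report. Constants are the MS-NRPC/MS-ADTS values; DcState is constructed.
from dataclasses import dataclass

NT_STATUS_OK = 0x00000000
NT_STATUS_ACCESS_DENIED = 0xC0000022
NT_STATUS_NO_LOGON_SERVERS = 0xC000005E
NETLOGON_NT_VERSION_PDC = 0x10000000    # NtVersion flags, MS-ADTS 6.3.1.1
NETLOGON_NT_VERSION_LOCAL = 0x40000000
LOGON_SAM_LOGON_RESPONSE_EX = 23        # OperationCode values, MS-ADTS 6.3.1.3
LOGON_SAM_PAUSE_RESPONSE_EX = 24
LOGON_SAM_USER_UNKNOWN_EX = 25

@dataclass
class DcState:  # constructed view of the inputs MS-ADTS 6.3.3.2 derives 't' from
    name: str
    netlogon_paused: bool = False
    is_pdc: bool = False
    is_synchronized: bool = True
    rpc_initialized: bool = True
    frs_paused: bool = False            # the SysvolReady=0 case from the report

def ping_opcode(dc, v, user_requested, user_found):
    """OperationCode a DC puts in its LDAP ping reply, per the quoted rules."""
    t = int(
        (dc.netlogon_paused and (not (v & NETLOGON_NT_VERSION_PDC) or not dc.is_pdc))
        or not dc.is_synchronized
        or (not dc.rpc_initialized and not (v & NETLOGON_NT_VERSION_LOCAL))
        or dc.frs_paused)
    if t == 1:
        return LOGON_SAM_PAUSE_RESPONSE_EX
    if user_requested and not user_found:   # "u is not NULL, but x is NULL"
        return LOGON_SAM_USER_UNKNOWN_EX
    return LOGON_SAM_LOGON_RESPONSE_EX

def sam_logon_with_failover(dcs, do_logon, v=0):
    """Try DCs in order; returns (status, authoritative, dc_name, blacklist)."""
    blacklist = []
    for dc in dcs:
        if ping_opcode(dc, v, False, False) == LOGON_SAM_PAUSE_RESPONSE_EX:
            blacklist.append(dc.name)       # honour the OperationCode: skip paused DC
            continue
        status, authoritative = do_logon(dc)
        if status == NT_STATUS_ACCESS_DENIED and authoritative == 0:
            blacklist.append(dc.name)       # the report's case: try another server
            continue
        return status, authoritative, dc.name, blacklist
    return NT_STATUS_NO_LOGON_SERVERS, 1, None, blacklist   # all candidates exhausted
```

`do_logon(dc)` stands in for the netr_LogonSamLogonEx call and returns the pair (result, authoritative) seen in the dump above.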
Comment 2 Samba QA Contact 2024-04-05 13:29:04 UTC
This bug was referenced in samba master:

ca859e55d28f421196bc2660cfa84595ec5b57c6
Comment 3 Stefan Metzmacher 2024-05-29 14:28:04 UTC
Created attachment 18312
Patch for v4-20-test
Comment 4 Stefan Metzmacher 2024-05-29 14:28:27 UTC
Created attachment 18313
Patch for v4-19-test
Comment 5 Guenther Deschner 2024-05-29 18:11:15 UTC
Comment on attachment 18312
Patch for v4-20-test

LGTM, RB+
Comment 6 Guenther Deschner 2024-05-29 18:11:28 UTC
Comment on attachment 18313
Patch for v4-19-test

LGTM, RB+
Comment 7 Guenther Deschner 2024-05-29 18:11:56 UTC
Jule, please add to v4-20 and v4-19. Thanks!
Comment 8 Samba QA Contact 2024-05-29 19:26:30 UTC
This bug was referenced in samba v4-19-test:

fab04efa32564a47191c775d1b51362bf0c5658a
Comment 9 Samba QA Contact 2024-05-30 10:58:14 UTC
This bug was referenced in samba v4-20-test:

4257e3b8fef705216a630320e0743a0ab6ed43bb
Comment 10 Stefan Metzmacher 2024-05-30 11:51:57 UTC
There's more to do to fix the bug...
Comment 11 Samba QA Contact 2024-06-10 15:31:16 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.7):

fab04efa32564a47191c775d1b51362bf0c5658a
Comment 12 Samba QA Contact 2024-06-19 14:34:38 UTC
This bug was referenced in samba v4-20-stable (Release samba-4.20.2):

4257e3b8fef705216a630320e0743a0ab6ed43bb