The Samba-Bugzilla – Bug 2674
authentication of computer accounts
Last modified: 2005-09-29 09:07:02 UTC
Used samba version: debian-3.0.10-1
Computer is Windows 2003 Active Directory member.
ntlm_auth for normal user authentication works fine.
Problem: when authenticating a computer account, the error code
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (0xc0000199) is given. I tried to
authenticate with the computer account of the samba machine ("debian1$") and the
password from the secrets.tdb file (via tdbdump secrets.tdb).
If authentication with the computer account is done with Kerberos (with kinit), the
authentication works fine and a TGT is supplied.
Background information: when using the MS 802.1x client in PEAP-MSCHAPv2 mode, the
network logon has to be done with the computer account in order to execute the
network logon scripts; this fails because of the described problem.
I've used the MS IAS to authenticate the computer accounts (that works!) and
detected the following differences between the authentication of winbind and IAS:
- winbind uses the RPC OP_ID 0x02 (NET_SAMLOGON) to do the logon transaction
- IAS uses RPC OP_ID 0x27 (LSA_QUERYTRUSTDOMINFO?) to do the same
Is there any way to do this like IAS does? This feature would be nice for doing
802.1x authentication with PEAP-MSCHAPv2.
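The check the reporter describes (ntlm_auth against a machine account such as debian1$, password taken from secrets.tdb) can be scripted so that the NT status ntlm_auth prints is parsed and the machine-account rejection is told apart from an ordinary logon failure. The following is an added example, not code from the reporter or from Samba. The --username/--password/--domain options are real ntlm_auth options; the status-line format is assumed from the "NT_STATUS_...: ... (0x...)" line ntlm_auth prints, the sample outputs are constructed, and the classification labels are this example's own.

```python
import re
import subprocess

# ntlm_auth prints one status line per check, e.g.
#   NT_STATUS_OK: Success (0x0)
#   NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT: ... (0xc0000199)
# (format assumed from the line quoted in the bug report)
STATUS_RE = re.compile(r"^(NT_STATUS_[A-Z0-9_]+):.*\((0x[0-9a-fA-F]+)\)\s*$", re.M)

NT_STATUS_OK = 0x0
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT = 0xC0000199  # code given in the report


def is_machine_account(username):
    """Computer (workstation trust) accounts carry a trailing '$' in SAM."""
    return username.endswith("$")


def parse_ntlm_auth_output(text):
    """Return (status_name, numeric_code) from ntlm_auth's output."""
    m = STATUS_RE.search(text)
    if not m:
        raise ValueError("no NT_STATUS line found in ntlm_auth output")
    return m.group(1), int(m.group(2), 16)


def classify(status_name, code, username):
    """Map the status to an outcome label (labels are this example's own)."""
    if code == NT_STATUS_OK:
        return "ok"
    if code == NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT and is_machine_account(username):
        # The DC refused a workstation trust account for this logon type,
        # which is the symptom described in the report, not a bad password.
        return "machine-account-rejected"
    return "failed:" + status_name


def check_logon(username, password, domain, ntlm_auth="ntlm_auth"):
    """Run ntlm_auth for one account and classify the result.

    Arguments are passed as argv entries, so a trailing '$' in the
    account name is never subject to shell expansion. Never echo the
    password (for a machine account it is the secrets.tdb secret).
    """
    cmd = [ntlm_auth,
           "--username=" + username,
           "--password=" + password,
           "--domain=" + domain]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    name, code = parse_ntlm_auth_output(proc.stdout + proc.stderr)
    return classify(name, code, username)


# Constructed sample outputs, used to exercise the parser offline.
SAMPLE_OUTPUTS = {
    "alice": "NT_STATUS_OK: Success (0x0)\n",
    "debian1$": "NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT: "
                "NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (0xc0000199)\n",
}


def classify_sample(username):
    """Classify a constructed sample without invoking ntlm_auth."""
    name, code = parse_ntlm_auth_output(SAMPLE_OUTPUTS[username])
    return classify(name, code, username)


if __name__ == "__main__":
    for user in SAMPLE_OUTPUTS:
        print(user, "->", classify_sample(user))
```

check_logon() is the live path and needs a joined Samba host with winbindd running; classify_sample() runs the same parsing and classification over the constructed outputs so the logic can be checked without a domain.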
The comment made yesterday was wrong (due to misunderstanding the ethereal output, sorry)!
I've looked a bit deeper into the network traffic and found the following:
Both (samba and IAS) are using the RPC_NETLOGON function.
In Samba the Level and LEVEL:LogonLevel are set to the value 2
In IAS the Level and LEVEL:LogonLevel are set to 6
As I'm a newbie at reverse-engineering network protocols, I have no deeper
understanding of the structures sent within the level 6 logon call. If I can
help somewhere, please contact me.
Please retest against 3.0.20a (the current SAMBA_3_0_RELEASE branch), which will
be publicly available next week.