Used samba version: debian-3.0.10-1. Computer is a Windows 2003 Active Directory member. ntlm_auth for normal user authentication works fine.

Problem: when authenticating a computer account, the error code NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (0xc0000199) is given. I tried to authenticate with the computer account of the samba machine ("debian1$") and the password from the secrets.tdb file (via tdbdump secrets.tdb). If authentication with the computer account is done with kerberos (with kinit), the authentication is done fine and a TGT is supplied.

Background information: when using the MS 802.1x client in PEAP-MSCHAPv2 mode, the network logon has to be done with the computer account in order to execute the network logon scripts; this fails because of the described problem.
I've used the MS IAS to authenticate the computer accounts (that works!) and detected the following differences between the authentication of winbind and IAS (using ethereal):

- winbind uses the RPC OP_ID 0x02 (NET_SAMLOGON) to do the logon transaction
- IAS uses RPC OP_ID 0x27 (LSA_QUERYTRUSTDOMINFO?) to do the same

Is there any way to do this like IAS? This feature would be nice for doing 802.1x authentication with peap-mschapv2.
The comment made yesterday was wrong (due to misunderstanding the ethereal output, sorry)! I've looked a bit deeper into the network traffic and found the following difference: both (samba and IAS) are using the RPC_NETLOGON function. In Samba the Level and LEVEL:LogonLevel are set to the value 2; in IAS the Level and LEVEL:LogonLevel are set to 6. As I'm a newbie in reverse-engineering network protocols, I've no deeper understanding of the structures sent within the level 6 logon call. If I can help somewhere, please contact me.
Please retest against 3.0.20a (the current SAMBA_3_0_RELEASE branch), which will be publicly available next week.