Bug 2674 - authentication of computer accounts
Summary: authentication of computer accounts
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.10
Hardware: All All
: P3 normal
Target Milestone: none
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-02 02:25 UTC by Simon Hartl
Modified: 2005-09-29 09:07 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Simon Hartl 2005-05-02 02:25:50 UTC
Used samba version: debian-3.0.10-1

Computer is Windows 2003 Active Directory member.
ntlm_auth for normal user authentication works fine.

Problem: when authenticating an computer account, the error code
NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (0xc0000199) is given. I tried to
authenticate with the computer account of the samba machine ("debian1$") and the
password from the secrets.tbd file (via tdbdump secrets.tbd).

If authentication with computer account is done with kerberos (with kinit) the
authentication is done fine and a TGT is supplied).

Background Information: When using MS 802.1x client in PEAP-MSCHAPv2 mode the
network logon has to be done with the computer account in order to execute the
network logon scripts; this fails because of the described problem)
Comment 1 Simon Hartl 2005-05-12 00:07:24 UTC
I've used the MS IAS to authenticate the computer accounts (that works!) and
detected the following differences between the authentication of winbind and IAS
(using ethereal):

- winbind uses the RPC OP_ID 0x02 (NET_SAMLOGON) to do the logon transaction
- IAS uses RPC OP_ID 0x27 (LSA_QUERYTRUSTDOMINFO?) to do the same

Is there any way to do this like IAS? This feature would be nice for doing
802.1x authentication with peap-mschapv2.
Comment 2 Simon Hartl 2005-05-13 02:41:58 UTC
The comment made yesterday was wrong (due missunderstanding ethereal output, sorry)!

I've looked a bit deeper into the network traffic and found the following
difference:

Both (samba and IAS) are using the RPC_NETLOGON function.
In Samba the Level and LEVEL:LogonLevel are set to the value 2
In IAS the Level and LEVEL:LogonLevel are set to 6

As I'm a newbie in reverse-engineering network protocols I've no deeper
understanding about the structures sent within the level 6 logon call. If I can
help somewhere pls contact me.
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-09-29 09:07:02 UTC
please retest against 3.0.20a (the current SAMBA_3_0_RELEASE branch) which will
publically be availebl next week.