Prevents NTLM machine authentication. Regression introduced by: http://git.samba.org/?p=samba.git;a=commit;h=abb7c07de5d07d5378dafbfdf0d0213a2b0e0b05. source3/winbindd_pam.c:winbind_samlogon_retry_loop() does not pass logon_parameters as the third argument to SAM network logon routines. This causes WINBINDD_PAM_AUTH_CRAP to return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT or NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT despite MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT or MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT being specified in winbindd_request.data.auth_crap.logon_parameters when authenticating machine accounts.
Ok, I'll look into this asap. Do you know if this has been fixed in 3.6.x? Jeremy.
(In reply to comment #1)
> Ok, I'll look into this asap.
>
> Do you know if this has been fixed in 3.6.x ?
>
> Jeremy.

I downloaded 3.6.1; the regression remains there as well.
Thanks for checking. I'll see what fix we need.
Ah, ok - this code only exists in 3.6.x - I'll re-categorize as 3.6.x. Jeremy.
Created attachment 7041
Raw patch for 3.6.x.

Can you test this fix and confirm it fixes your issue? Once you do I'll submit to master and get a back-ported git-am patch ready for 3.6.2. Thanks! Jeremy.
Rebuilding to test now. Sorry about the versioning; I traced the original commit and assumed it first appeared in 3.5.8 based on dates and release notes. I was trying to be as helpful as possible. :)
Fix verified. Machine authentication successful. Workstation trust flags now present in SAM logon request:

process_request: Handling async request 3365:PAM_AUTH_CRAP
[ 3365]: pam auth crap domain: [nin.asglab.juniper.net] user: MA$
child daemon request 14
child_process_request: request fn AUTH_CRAP
[ 3265]: pam auth crap domain: nin.asglab.juniper.net user: MA$
  netr_LogonSamLogonEx: struct netr_LogonSamLogonEx
    in: struct netr_LogonSamLogonEx
      server_name : *
        server_name : '\\root.nin.asglab.juniper.net'
      computer_name : *
        computer_name : '0271MM50F5B0IZ'
      logon_level : NetlogonNetworkInformation (2)
      logon : *
        logon : union netr_LogonLevel(case 2)
        network : *
          network: struct netr_NetworkInfo
            identity_info: struct netr_IdentityInfo
              domain_name: struct lsa_String
                length : 0x002c (44)
                size : 0x002c (44)
                string : *
                  string : 'nin.asglab.juniper.net'
              parameter_control : 0x00000820 (2080)
                0: MSV1_0_CLEARTEXT_PASSWORD_ALLOWED
                0: MSV1_0_UPDATE_LOGON_STATISTICS
                0: MSV1_0_RETURN_USER_PARAMETERS
                0: MSV1_0_DONT_TRY_GUEST_ACCOUNT
                1: MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT
                0: MSV1_0_RETURN_PASSWORD_EXPIRY
                0: MSV1_0_USE_CLIENT_CHALLENGE
                0: MSV1_0_TRY_GUEST_ACCOUNT_ONLY
                0: MSV1_0_RETURN_PROFILE_PATH
                0: MSV1_0_TRY_SPECIFIED_DOMAIN_ONLY
                1: MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT
                0: MSV1_0_DISABLE_PERSONAL_FALLBACK
                0: MSV1_0_ALLOW_FORCE_GUEST
                0: MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED
                0: MSV1_0_USE_DOMAIN_FOR_ROUTING_ONLY
                0: MSV1_0_ALLOW_MSVCHAPV2
                0: MSV1_0_S4U2SELF
                0: MSV1_0_CHECK_LOGONHOURS_FOR_S4U
                0: MSV1_0_SUBAUTHENTICATION_DLL_EX
Karolin - please cherry-pick git ref

f30f71c14a0b89dea296910ac9b92d3ae4016613

    Fix bug #8548 - winbind_samlogon_retry_loop ignores logon_parameters flags.
    Fix confirmed by reporter.

from master to v3-6-test. This is the same as the raw patch in attachment 7041 that has been confirmed by the reporter and +reviewed by Guenther. Thanks, Jeremy.
Pushed to v3-6-test. Will be included in Samba 3.6.2. Closing out bug report. Thanks!
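The regression discussed in this report, reduced to a minimal model. This is an added example, not Samba source and not the attached patch. The functions `dc_sam_logon`, `retry_loop_regressed` and `retry_loop_fixed` are hypothetical stand-ins, and the regressed path is assumed to send a parameter control of 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined for MSV1_0 parameter control bits and NTSTATUS codes. */
#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT           0x00000020u
#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT      0x00000800u
#define NT_STATUS_OK                                0x00000000u
#define NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT 0xC0000199u
#define NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT      0xC000019Au

enum acct_type { ACCT_USER, ACCT_WORKSTATION, ACCT_SERVER };

/* Hypothetical stand-in for the DC side of a SAM network logon: a machine
 * account is refused unless the matching allow bit is set in the
 * parameter control word. Credential checking is left out of the model. */
static uint32_t dc_sam_logon(enum acct_type acct, uint32_t parameter_control)
{
    if (acct == ACCT_WORKSTATION &&
        !(parameter_control & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT))
        return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
    if (acct == ACCT_SERVER &&
        !(parameter_control & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT))
        return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
    return NT_STATUS_OK;
}

/* Regressed shape: the caller's flags never reach the logon call. */
uint32_t retry_loop_regressed(enum acct_type acct, uint32_t logon_parameters)
{
    (void)logon_parameters;            /* dropped: assumed to become 0 */
    return dc_sam_logon(acct, 0);
}

/* Fixed shape: logon_parameters is forwarded unchanged. */
uint32_t retry_loop_fixed(enum acct_type acct, uint32_t logon_parameters)
{
    return dc_sam_logon(acct, logon_parameters);
}

int main(void)
{
    uint32_t flags = 0x00000820u; /* parameter_control from the reporter's log */
    printf("regressed: 0x%08X\n",
           (unsigned)retry_loop_regressed(ACCT_WORKSTATION, flags));
    printf("fixed:     0x%08X\n",
           (unsigned)retry_loop_fixed(ACCT_WORKSTATION, flags));
    return 0;
}
```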