Hello,

I used Samba 3.4.8 for Wi-Fi authentication with Freeradius+EAP/MSCHAPv2+ntlm_auth. I upgraded to 3.6.3 and I have a bug/regression: when a workstation (XP or Seven) tries to authenticate, I get this error:

[2012/02/05 11:16:24.418248, 2] auth/check_samsec.c:283(sam_account_ok)
  sam_account_ok: Wksta trust account hostname$ denied by server
[2012/02/05 11:16:24.418323, 2] winbindd/winbindd_pam.c:1883(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [DOMAINE]\[HOSTNAME$] returned NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (PAM: 9)

Then all workstations fail to authenticate and have Wi-Fi :-(

For your information, I looked in the source code and found this condition in the auth/check_samsec.c file:

    if (acct_ctrl & ACB_WSTRUST) {
        if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
            DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
            return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
        }
    }

I don't think workstations stopped sending the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flag, so the bug is probably in the handling of logon_parameters. Bug 8548[*] is interesting but the fix is already in 3.6.3!

Another piece of information: I tried a crappy hack, disabling this condition in the source code and rebuilding the samba package: it works well!

[*] https://bugzilla.samba.org/show_bug.cgi?id=8548
This is an important bug because it forces any site with 802.1x (freeradius+ntlm_auth+winbind+samba) to patch the samba code or let the computers be authorized in 802.1x without authentication.
I can confirm this bug also for 3.6.6 (3.6.6-6+deb7u4, Debian wheezy), and I also think that it has to be rated 'important', because it practically makes the machine account auth totally useless.

Other than that, I found rows in the logs like:

[2014/12/01 08:47:17.920979, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PEPPA machine account PEPPA$

I don't know if they are related, but I suppose yes. Note that the machine account gets correctly upgraded, so the Windows box stays correctly joined to the domain.

I hope for some feedback, thanks.
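
Added example, not part of any comment in this thread and not Samba project code: a small log scan that counts, per machine account, the three failure messages quoted in the comments above, so an affected 802.1X site can see which workstations are being rejected. The pattern names, function names and the sample layout are assumptions of this example; it only counts the messages and does not establish that they share a cause.

```python
import re
from collections import Counter

# Samba log record header: "[date time.usec, level] file.c:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\]\s+\S+?:\d+\(\w+\)")

# Message patterns for the machine-account failures quoted in this thread.
PATTERNS = {
    "wksta_trust_denied": re.compile(r"Wksta trust account (\S+) denied by server"),
    "ntlm_crap_nologon": re.compile(
        r"user \[[^\]]*\]\\\[([^\]]+)\] returned NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT"),
    "netlogon_creds_failed": re.compile(
        r"netlogon_creds_server_check failed.*machine account (\S+)"),
}

# Log lines from the thread, laid out as one header plus one message line each
# (layout reconstructed for this example).
SAMPLE = r"""[2012/02/05 11:16:24.418248, 2] auth/check_samsec.c:283(sam_account_ok)
  sam_account_ok: Wksta trust account hostname$ denied by server
[2012/02/05 11:16:24.418323, 2] winbindd/winbindd_pam.c:1883(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [DOMAINE]\[HOSTNAME$] returned NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (PAM: 9)
[2014/12/01 08:47:17.920979, 0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PEPPA machine account PEPPA$
"""

def records(text):
    """Yield (timestamp, message) per log record; continuation lines are joined."""
    ts, body = None, []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if ts:
                yield ts, " ".join(body)
            ts, body = m["ts"], []
        elif ts and line.strip():
            body.append(line.strip())
    if ts:
        yield ts, " ".join(body)

def machine_account_failures(text):
    """Return (timestamp, kind, ACCOUNT$) for every matching record."""
    return [(ts, kind, m.group(1).upper())
            for ts, msg in records(text)
            for kind, pat in PATTERNS.items()
            if (m := pat.search(msg))]

def per_account(text):
    """Count failures per machine account (names compared case-insensitively)."""
    return Counter(acct for _, _, acct in machine_account_failures(text))
```
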
I don't think that this is a generic issue in recent samba releases, if you see a bug with this with Samba 4.12 or 4.13, please file a new bug report for this.
I'm pretty sure we fixed this a while back.