Bug 8744 - NTLM CRAP authentication for workstation fails with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: SMB2
Version: 3.6.3
Hardware: All Linux
Importance: P5 major
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2012-02-06 10:56 UTC by Gregory Colpart
Modified: 2020-12-22 21:58 UTC

Description Gregory Colpart 2012-02-06 10:56:30 UTC
Hello,

I used Samba 3.4.8 for Wi-Fi authentication with Freeradius+EAP/MSCHAPv2+ntlm_auth. I upgraded to 3.6.3 and I have a bug/regression: when a workstation (XP or Seven) tries to authenticate, I get this error:

[2012/02/05 11:16:24.418248,  2] auth/check_samsec.c:283(sam_account_ok)
  sam_account_ok: Wksta trust account hostname$ denied by server
[2012/02/05 11:16:24.418323,  2] winbindd/winbindd_pam.c:1883(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [DOMAINE]\[HOSTNAME$] returned NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (PAM: 9)

Then all workstations fail to authenticate and get no Wi-Fi :-(


For your information, I looked in the source code, and I found this condition in the auth/check_samsec.c file:

 /* acct_ctrl: account control bits of the SAM entry being checked */
 if (acct_ctrl & ACB_WSTRUST) {
         /* workstation trust account: the caller must explicitly allow it */
         if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
                 DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
                 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
         }
 }

I don't think workstations have stopped sending the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flag, so the bug is probably in the handling of logon_parameters. Bug 8548[*] is interesting, but the fix is already in 3.6.3! Another piece of information: I tried a crappy hack, disabling this condition in the source code and rebuilding the samba package: it works well!

[*] https://bugzilla.samba.org/show_bug.cgi?id=8548
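The condition quoted above decides the outcome of the whole report: a SAM entry carrying the workstation-trust bit is refused unless the caller of the authentication path opts in through logon_parameters. The following stand-alone C model is an added illustration and is not Samba's code; the bit values for ACB_WSTRUST (0x0080) and MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT (0x0800) are taken from Samba's headers and MS-APDS, while the struct names, the check_account_bits() helper and the status enum are constructed for the example. It reproduces the three cases a defender cares about: a machine account denied because the flag is absent (the symptom in the log lines above), the same account accepted when the caller sets the flag, and an ordinary user account that the check never touches.

```c
#include <stdint.h>
#include <stdio.h>

/* Account control bits as found in Samba's SAM entries (values per Samba headers). */
#define ACB_DISABLED 0x0001u   /* account is disabled */
#define ACB_NORMAL   0x0010u   /* ordinary user account */
#define ACB_WSTRUST  0x0080u   /* workstation (machine) trust account, e.g. HOSTNAME$ */

/* Logon parameter bit the caller must set to allow a machine-account logon (MS-APDS). */
#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x00000800u

/* Constructed stand-in for the NTSTATUS values the real check returns. */
typedef enum {
    STATUS_OK = 0,
    STATUS_ACCOUNT_DISABLED,
    STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
} logon_status;

/* Model of the quoted sam_account_ok() condition (constructed, not Samba code). */
logon_status check_account_bits(const char *username,
                                uint32_t acct_ctrl,
                                uint32_t logon_parameters)
{
    if (acct_ctrl & ACB_DISABLED) {
        return STATUS_ACCOUNT_DISABLED;
    }
    if (acct_ctrl & ACB_WSTRUST) {
        /* Machine accounts are only allowed when the caller explicitly opts in;
           without the flag this is the "denied by server" path from the report. */
        if (!(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
            fprintf(stderr, "check_account_bits: Wksta trust account %s denied by server\n",
                    username);
            return STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
        }
    }
    return STATUS_OK;
}

const char *status_name(logon_status st)
{
    switch (st) {
    case STATUS_OK:                               return "OK";
    case STATUS_ACCOUNT_DISABLED:                 return "ACCOUNT_DISABLED";
    case STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT: return "NOLOGON_WORKSTATION_TRUST_ACCOUNT";
    }
    return "UNKNOWN";
}

int main(void)
{
    /* Constructed sample requests mirroring the bug report's scenario. */
    struct { const char *user; uint32_t acb; uint32_t params; } cases[] = {
        { "HOSTNAME$", ACB_WSTRUST, 0 },                                        /* the reported failure */
        { "HOSTNAME$", ACB_WSTRUST, MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT },   /* caller opted in */
        { "alice",     ACB_NORMAL,  0 },                                        /* user account, unaffected */
        { "OLDPC$",    ACB_WSTRUST | ACB_DISABLED,
                       MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT }                 /* disabled wins */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        logon_status st = check_account_bits(cases[i].user, cases[i].acb, cases[i].params);
        printf("%-10s acb=0x%04x params=0x%04x -> %s\n",
               cases[i].user, cases[i].acb, cases[i].params, status_name(st));
    }
    return 0;
}
```

The model makes the reporter's "crappy hack" concrete: removing the inner condition would let any caller log on with a machine account, which is exactly what the check exists to prevent, so the right fix is for the caller to carry the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT bit through logon_parameters rather than to drop the check.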
Comment 1 Alejandro Escanero Blanco 2012-03-07 07:33:21 UTC
This is an important bug because it forces any site with 802.1x (freeradius+ntlm_auth+winbind+samba) to patch the samba code or let the computers be authorized in 802.1x without authentication.
Comment 2 Marco Gaiarin 2014-12-05 16:23:12 UTC
I can confirm this bug also for 3.6.6 (3.6.6-6+deb7u4, debian wheezy), and I also think that it has to be rated 'important', because it practically makes the machine account auth totally useless.

Other than that, I found in the logs rows like:

 [2014/12/01 08:47:17.920979,  0] rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client PEPPA machine account PEPPA$

I don't know if they are related, but I suppose so.

Note that the machine account gets correctly upgraded, so the Windows box stays correctly joined to the domain.

I hope for some feedback, thanks.
Comment 3 Björn Jacke 2020-12-14 13:55:41 UTC
I don't think that this is a generic issue in recent samba releases; if you see a bug with this with Samba 4.12 or 4.13, please file a new bug report for it.
Comment 4 Andrew Bartlett 2020-12-22 21:58:11 UTC
I'm pretty sure we fixed this a while back.