[MS-NRPC] Section 3.3.1 Netlogon as a Security Support Provider - Abstract Data Model is a bit confusing, as it talks about ClientSequenceNumber and ServerSequenceNumber. But each peer just has one Sequence_Number counter, which is incremented with each outgoing and incoming message. This sadly implies that client and server have to do the message processing sequentially. source4/winbind uses schannel against a server (also to itself) and may send multiple outstanding requests over one DCERPC connection, which results in message verification errors. The code doesn't recover from this situation. Arvid, as you reported this problem to me a while ago, can you add some more details on how this was triggered?
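The shared-counter behaviour described in the comment above, as an added example that is not part of the original thread or of Samba's code: a toy model in which each peer keeps one sequence counter for both directions and checks each message against it. The class and function names, the key, and the use of HMAC-SHA256 as the integrity tag are assumptions made for illustration; this is not the MS-NRPC signature computation.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-session-key"  # constructed sample value, not a real key


class Peer:
    """Toy schannel peer: ONE counter covers outgoing and incoming messages."""

    def __init__(self, key):
        self.key, self.seq = key, 0

    def _tag(self, seq, payload):
        # Stand-in integrity tag bound to the sequence number (assumption).
        data = struct.pack(">Q", seq) + payload
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def seal(self, payload):
        msg = (payload, self._tag(self.seq, payload))
        self.seq += 1  # counter advances on every outgoing message
        return msg

    def unseal(self, msg):
        payload, tag = msg
        if not hmac.compare_digest(tag, self._tag(self.seq, payload)):
            return False  # verification error, counter left unchanged
        self.seq += 1  # counter advances on every incoming message
        return True


def exchange(client, server, requests):
    """Server handles each request in order; returns (server_ok, client_ok)."""
    results = []
    for i, req in enumerate(requests):
        if not server.unseal(req):
            results.append((False, False))  # server faults, no sealed reply
            continue
        results.append((True, client.unseal(server.seal(b"reply %d" % i))))
    return results


def sequential(n=2):
    client, server = Peer(KEY), Peer(KEY)
    return [exchange(client, server, [client.seal(b"logon %d" % i)])[0]
            for i in range(n)]


def pipelined(n=2):
    client, server = Peer(KEY), Peer(KEY)
    # All requests are sealed before any reply is read (outstanding requests).
    return exchange(client, server, [client.seal(b"logon %d" % i) for i in range(n)])
```

In this model the sequential run verifies every message, while the pipelined run fails on both requests: the first reply arrives after the client counter has already advanced, and the second request reaches the server after its counter has moved on.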
At that time we tried using squid authentication via ntlm_auth with --helper-protocol=squid-2.5-ntlmssp against source4/winbind. Parallel/concurrent authentication requests resulted in NT_STATUS_ACCESS_DENIED/NT_STATUS_IO_TIMEOUT. E.g. accessing a single webpage via squid, triggering several authentication requests, showed two successful authentications via ntlm_auth in squid cache.log, but after that the next two overlapping authentication requests failed, one with NT_STATUS_ACCESS_DENIED and the other one with NT_STATUS_IO_TIMEOUT. log.samba shows a "rpc fault: WERR_ACCESS_DENIED" ( https://forge.univention.org/bugzilla/attachment.cgi?id=4111 ).
Steps to reproduce:

    root@dc:~/samba# ./bin/wbinfo -a Administrator%Passw0rd
    plaintext password authentication succeeded
    challenge/response password authentication succeeded
    root@dc:~/samba# for i in $(seq 1 2) ; do { ./bin/wbinfo -a Administrator%Passw0rd & } ; done
    [1] 22731
    [2] 22732
    root@dc:~/samba# plaintext password authentication failed
    Could not authenticate user Administrator%Passw0rd with plaintext password
    plaintext password authentication failed
    Could not authenticate user Administrator%Passw0rd with plaintext password
    challenge/response password authentication failed
    error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
    error message was: Access denied
    Could not authenticate user Administrator with challenge/response
    challenge/response password authentication failed
    error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
    error message was: Access denied
    Could not authenticate user Administrator with challenge/response
b05d28ebddb7ebd4f8e28a80489fceb8703a9868 in master should fix this.