Bug#658707: samba: NTLM CRAP authentication for workstation fails with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

February 05th, 2012 - 08:10 am ET by Gregory Colpart
Package: samba
Version: 2:3.6.3-1
Severity: important

Hello,

I used Samba 3.4.8 on Lenny for Wi-Fi authentication
with Freeradius+EAP/MSCHAPv2+ntlm_auth. I upgraded to
Squeeze on Friday. Firstly, I need to use samba from Sid because of
#612049; secondly, I have a bug/regression: when a workstation
(XP or Seven) tries to authenticate, I get this error:

[2012/02/05 11:16:24.418248, 2] auth/check_samsec.c:283(sam_account_ok)
sam_account_ok: Wksta trust account hostname$ denied by server
[2012/02/05 11:16:24.418323, 2] winbindd/winbindd_pam.c:1883(winbindd_dual_pam_auth_crap)
NTLM CRAP authentication for user [DOMAINE]\[HOSTNAME$] returned NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (PAM: 9)

Then all workstations fail to authenticate and get Wi-Fi :-(


For your information, I looked in the Samba 3 source code, and I found
this condition in the auth/check_samsec.c file:

    if (acct_ctrl & ACB_WSTRUST) {
        if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
            DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server", pdb_get_username(sampass)));
            return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
        }
    }

I don't think workstations stopped sending the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flag,
so the bug is probably in the handling of logon_parameters. Samba bug 8548[*] is
interesting, but the fix is already in 3.6.3! One more piece of information: I tried a crappy hack,
disabling this condition in the source code and rebuilding the samba package, and it works well.

[*] https://bugzilla.samba.org/show_bug.cgi?id…48

Regards,
Gregory Colpart <reg@evolix.fr> GnuPG:4096R/B8612B5D
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/



To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
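
Added example (not part of the original report and not Samba's own code): a stand-alone C model of the trust-account gate quoted in the report, extended to the server-trust case, showing how a layer that fails to forward logon_parameters yields exactly this status for machine accounts while normal users are unaffected. The function names and the relay layer are hypothetical; the constants use the values from the Windows/Samba headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Account-control and logon-parameter bits (values as in the Windows/Samba headers). */
#define ACB_NORMAL   0x0010u  /* ordinary user account */
#define ACB_WSTRUST  0x0080u  /* workstation (machine) trust account */
#define ACB_SVRTRUST 0x0100u  /* server (DC) trust account */
#define MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT      0x0020u
#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x0800u

#define NT_STATUS_OK                                0x00000000u
#define NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT 0xC0000199u
#define NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT      0xC000019Au

/* Model of the gate: a trust account may log on only when the caller
 * explicitly allowed that account type in logon_parameters. */
uint32_t model_account_ok(uint32_t acct_ctrl, uint32_t logon_parameters)
{
	if ((acct_ctrl & ACB_SVRTRUST) &&
	    !(logon_parameters & MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT))
		return NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT;
	if ((acct_ctrl & ACB_WSTRUST) &&
	    !(logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT))
		return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
	return NT_STATUS_OK;
}

/* Hypothetical relay between the requester and the gate.
 * forward_flags == 0 models a layer that loses the caller's flags. */
uint32_t model_relay_logon(uint32_t acct_ctrl, uint32_t caller_flags,
			   int forward_flags)
{
	return model_account_ok(acct_ctrl, forward_flags ? caller_flags : 0);
}

int main(void)
{
	uint32_t flags = MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;

	printf("machine account, flags forwarded: 0x%08X\n",
	       (unsigned)model_relay_logon(ACB_WSTRUST, flags, 1));
	printf("machine account, flags dropped:   0x%08X\n",
	       (unsigned)model_relay_logon(ACB_WSTRUST, flags, 0));
	printf("normal user, flags dropped:       0x%08X\n",
	       (unsigned)model_relay_logon(ACB_NORMAL, 0, 0));
	return 0;
}
```

In this model the gate itself is behaving as designed; the denial only appears when the flag is lost before it reaches the check, which is the case the report suspects.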

Replies

#1 Christian PERRIER
February 05th, 2012 - 12:10 pm ET

Quoting Gregory Colpart:
> Package: samba
> Version: 2:3.6.3-1
> Severity: important
>
> Hello,
>
> I used Samba 3.4.8 on Lenny for Wi-Fi authentication
> with Freeradius+EAP/MSCHAPv2+ntlm_auth. I upgraded to
> Squeeze on Friday. Firstly, I need to use samba from Sid because of
> #612049; secondly, I have a bug/regression: when a workstation
> (XP or Seven) tries to authenticate, I get this error:
>
> [2012/02/05 11:16:24.418248, 2] auth/check_samsec.c:283(sam_account_ok)
> sam_account_ok: Wksta trust account hostname$ denied by server
> [2012/02/05 11:16:24.418323, 2] winbindd/winbindd_pam.c:1883(winbindd_dual_pam_auth_crap)
> NTLM CRAP authentication for user [DOMAINE]\[HOSTNAME$] returned NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (PAM: 9)
>
> Then all workstations fail to authenticate and get Wi-Fi :-(
>
>
> For your information, I looked in the Samba 3 source code, and I found
> this condition in the auth/check_samsec.c file:
>
>     if (acct_ctrl & ACB_WSTRUST) {
>         if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
>             DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server", pdb_get_username(sampass)));
>             return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
>         }
>     }
>
> I don't think workstations stopped sending the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flag,
> so the bug is probably in the handling of logon_parameters. Samba bug 8548[*] is
> interesting, but the fix is already in 3.6.3! One more piece of information: I tried a crappy hack,
> disabling this condition in the source code and rebuilding the samba package, and it works well.
>
> [*] https://bugzilla.samba.org/show_bug.cgi?id=8548



As you have everything to reproduce the problem, would you mind
reporting this upstream? I think it'll be much better handled there
and there is not much value added in /me proxying the bug report.

That would be very appreciated, Gregory.







