[Pkg-samba-maint] Bug#658707: samba: NTLM CRAP authentication for workstation fails with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

[Gregory Colpart]

Package: samba
Version: 2:3.6.3-1
Severity: important

Hello,

I used Samba 3.4.8 on Lenny for Wi-Fi authentification
with Freeradius+EAP/MSCHAPv2+ntlm_auth. I upgraded to
Squeeze friday. Firstly, I need to use samba from Sid because
#612049 ; secondly, I have a bug/regression : when a workstation
(XP or Seven) try to authenticate, I have this error:

[2012/02/05 11:16:24.418248,  2] auth/check_samsec.c:283(sam_account_ok)
  sam_account_ok: Wksta trust account hostname$ denied by server
[2012/02/05 11:16:24.418323,  2] winbindd/winbindd_pam.c:1883(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [DOMAINE]\[HOSTNAME$] returned NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (PAM: 9)

Then all workstations fail to authenticate and have Wi-Fi :-(


For your information, I look in Samba 3 source code, and I find
this condition in auth/check_samsec.c file:

 if (acct_ctrl & ACB_WSTRUST) {
         if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
                 DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
                 return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
         }
 }

I don't think workstations stop to send MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flag,
then the bug is probably with handling logon_parameters. Samba bug 8548[*] is 
interessant but the fix is already in 3.6.3 ! Another information, I try a crapy hack:
disable this condition in source code and rebuild samba package: it works well.

[*] https://bugzilla.samba.org/show_bug.cgi?id=8548

Regards,
-- 
Gregory Colpart <reg at evolix.fr>  GnuPG:4096R/B8612B5D
Evolix - Informatique et Logiciels Libres http://www.evolix.fr/