[Pkg-samba-maint] Bug#658707: Bug#658707: samba: NTLM CRAP authentication for workstation fails with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT

Christian PERRIER bubulle at debian.org
Sun Feb 5 17:00:07 UTC 2012


Quoting Gregory Colpart (reg at evolix.fr):
> Package: samba
> Version: 2:3.6.3-1
> Severity: important
> 
> Hello,
> 
> I used Samba 3.4.8 on Lenny for Wi-Fi authentication
> with Freeradius+EAP/MSCHAPv2+ntlm_auth. I upgraded to
> Squeeze on Friday. Firstly, I need to use samba from Sid because of
> #612049; secondly, I have a bug/regression: when a workstation
> (XP or Seven) tries to authenticate, I have this error:
> 
> [2012/02/05 11:16:24.418248,  2] auth/check_samsec.c:283(sam_account_ok)
>   sam_account_ok: Wksta trust account hostname$ denied by server
> [2012/02/05 11:16:24.418323,  2] winbindd/winbindd_pam.c:1883(winbindd_dual_pam_auth_crap)
>   NTLM CRAP authentication for user [DOMAINE]\[HOSTNAME$] returned NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (PAM: 9)
> 
> Then all workstations fail to authenticate and have Wi-Fi :-(
> 
> 
> For your information, I looked in the Samba 3 source code, and I found
> this condition in the auth/check_samsec.c file:
> 
>  if (acct_ctrl & ACB_WSTRUST) {
>          if (!(user_info->logon_parameters & MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)) {
>                  DEBUG(2,("sam_account_ok: Wksta trust account %s denied by server\n", pdb_get_username(sampass)));
>                  return NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT;
>          }
>  }
> 
> I don't think workstations have stopped sending the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT flag,
> so the bug is probably in the handling of logon_parameters. Samba bug 8548[*] is
> interesting but the fix is already in 3.6.3! Another piece of information: I tried a crappy hack,
> disabling this condition in the source code and rebuilding the samba package: it works well.
> 
> [*] https://bugzilla.samba.org/show_bug.cgi?id=8548

As you have everything to reproduce the problem, would you mind
reporting this upstream? I think it'll be much better handled there
and there is not much value added in /me proxying the bug report.

That would be very appreciated, Gregory.
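
As an added illustration that is not part of the original message or of Samba's code: a small Python triage script for the two-line log layout quoted in the report, which counts machine accounts (names ending in `$`) denied with NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT. The log sample is constructed, and `EXAMPLE`, `ws01$`, `ws02$` and `alice` are placeholder names.

```python
import re
from collections import Counter

# Constructed sample in the two-line layout shown in the report
# (header line, then indented message); all names are placeholders.
SAMPLE_LOG = r"""
[2012/02/05 11:16:24.418248,  2] auth/check_samsec.c:283(sam_account_ok)
  sam_account_ok: Wksta trust account ws01$ denied by server
[2012/02/05 11:16:24.418323,  2] winbindd/winbindd_pam.c:1883(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [EXAMPLE]\[ws01$] returned NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (PAM: 9)
[2012/02/05 11:17:02.100001,  2] winbindd/winbindd_pam.c:1883(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [EXAMPLE]\[alice] returned NT_STATUS_WRONG_PASSWORD (PAM: 7)
[2012/02/05 11:18:40.000500,  2] winbindd/winbindd_pam.c:1883(winbindd_dual_pam_auth_crap)
  NTLM CRAP authentication for user [EXAMPLE]\[ws02$] returned NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (PAM: 9)
"""

HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
CRAP = re.compile(r"NTLM CRAP authentication for user "
                  r"\[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\] "
                  r"returned (?P<status>NT_STATUS_\w+)")

def parse_entries(text):
    """Group each header line with the indented message lines that follow it."""
    entries, current = [], None
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = dict(m.groupdict(), msg="")
            entries.append(current)
        elif current is not None and raw[:1] in (" ", "\t"):
            current["msg"] = (current["msg"] + " " + raw.strip()).strip()
    return entries

def crap_results(entries):
    """Yield (timestamp, domain, user, status) for winbindd CRAP auth results."""
    for e in entries:
        m = CRAP.search(e["msg"])
        if m and e["func"] == "winbindd_dual_pam_auth_crap":
            yield e["ts"], m["domain"], m["user"], m["status"]

def machine_trust_denials(text):
    """Count denials per machine account (user name ending in '$')."""
    wanted = "NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT"
    return Counter(f"{d}\\{u}" for _, d, u, s in crap_results(parse_entries(text))
                   if s == wanted and u.endswith("$"))

if __name__ == "__main__":
    for account, n in machine_trust_denials(SAMPLE_LOG).items():
        print(f"{account}: {n} denied machine-account logon(s)")
```

A burst of these denials across many machine accounts right after an upgrade, with user accounts unaffected, matches the regression pattern described in the report.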

