On 13/07/2011 01:27, Edgar Olougouna wrote:
Matthieu,
It appears that the behavior you observed is by design. From the debugger, the
Netlogon service is running in the following condition.
If the Netlogon service is paused or the Sysvol is not in ready state, only
logons from inside the machine (MsvApSecureChannel) and logons from a BDC in
the domain (ServerSecureChannel ) can be accepted.
The data shows that your Netlogon service is in a running state but your Sysvol
is not in a ready state. Since the secure channel type is
WorkstationSecureChannel, the NetrLogonSamLogonEx call is rejected with
STATUS_ACCESS_DENIED.
I guess you have to update the documentation to add this to the reasons
why we should return status access denied, or because the sysvol is not
in the ready state it means that " the client is not using a secure RPC
(schannel)."
For the later I must confess that it would be quite strange as I would
have rather say: "if the netlogon service is paused of if the sysvol is
not in a ready state then we concider that the client is not using a
secure RPC".
Personally I would have understood directly if the 3.5.4.4.1 paragraph
would have said: "if the netlogon service is paused of if the sysvol is
not in a ready state _or_ if the client is not using a secure RPC" then
we return ACCESS_DENIED.
Do you recall the sequence of tests you performed before this error surfaced?
Oh it's a simple DC join on a samba domain, but as we don't support
(yet) FRS or DFR it's quite normal that the sysvol can't be replicated.
Based on the information above, can you reconcile this with the sequence of
tests you performed?
Yeah it looks quite understandable. The question is, is there a way to
put the sysvol in a ready state when the frs replication is not working
(because for instance the other DC didn't implement it).
Matthieu.
Regards,
Edgar
-----Original Message-----
From: Edgar Olougouna
Sent: Tuesday, July 12, 2011 3:23 PM
To: '[email protected]'
Cc: Hongwei Sun; [email protected]; [email protected]
Subject: RE: [cifs-protocol] [REG:111071166110452] access denied in
NetrLogonSamLogonEx
Matthieu,
Thanks for the pointer. I was sure one of the version was not in sync. I
updated my debugger and the ttt utility and can now load the trace.
I will update you on the progress of my investigation.
Regards,
Edgar
-----Original Message-----
From: Matthieu Patou [mailto:[email protected]]
Sent: Tuesday, July 12, 2011 2:38 PM
To: Edgar Olougouna
Cc: Hongwei Sun; [email protected]; [email protected]
Subject: Re: [cifs-protocol] [REG:111071166110452] access denied in
NetrLogonSamLogonEx
Hi Edgar,
Far from me the will to avoid redoing things but I have the impression that it
will be pointless.
The version that you send me is the one that I was using a couple of days ago,
and Hongwei wasn't able to read them so he send me a more recent version of ttt.
Your is 1084928 2009-09-29 23:11 TTTSetup_x86_external.msi His is 1085440
2010-05-24 22:14 TTTSetup_x86_external.msi
My system is Windows 2003r2 32 bits standard edition.
MD5 of files are (with md5sum on Linux):
449a9575b6fc1ae6f15024d38a10027d lsass01.out
ff6870df75b548577b95e1dbf1d52e52 lsass01.run
For the reference md5sum on your installer is
fab4b7523105463ce1a4d3e9dd7dd201 TTTSetup_x86_external.msi
Can you see with hongwei ? Just because the transfer could have broke the
files, I just reuploaded them.
Matthieu.
On 12/07/2011 21:05, Edgar Olougouna wrote:
Matthieu,
I copied over the files you previously sent to Hongwei. But unfortunately my
debugger cannot open them. It's not clear whether they are corrupted. I tried
both 32bit and 64bit debuggers.
I need you capture new traces with the version of TTT utility I uploaded for
you at the workspace. You need to download this TTT, uninstall any previous
version you had and install the one I sent. It is in MSExternal.zip.
Workspace location:
https://sftemea.one.microsoft.com/choosetransfer.aspx?key=11d7e2fb-4f3
e-48ff-ad69-e46f60c84cf6 I am re-sending the password in a separate
email.
Please send the new TTT trace and a full network capture as well.
Thanks,
Edgar
-----Original Message-----
From: Hongwei Sun
Sent: Monday, July 11, 2011 4:52 PM
To: Edgar Olougouna; [email protected]
Cc: [email protected]; [email protected]
Subject: RE: [cifs-protocol] [REG:111071166110452] access denied in
NetrLogonSamLogonEx
Edgar,
Matthieu already transferred the files to one workspace I created for him
in another case. I will give you the access to that workspace.
Matthieu,
You don't need to do it again.
Hongwei
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Edgar Olougouna
Sent: Monday, July 11, 2011 4:50 PM
To: [email protected]
Cc: [email protected]; [email protected]
Subject: [cifs-protocol] [REG:111071166110452] access denied in
NetrLogonSamLogonEx
[Adding case information in subject]
Matthieu,
I am happy to look into this for you. I have created the following workspace
for this case. Please upload the traces to this location. I will be sending the
password in a separate email.
Workspace location:
https://sftemea.one.microsoft.com/choosetransfer.aspx?key=11d7e2fb-4f3
e-48ff-ad69-e46f60c84cf6
For case tracking record, please note that we use one workspace per customer
support case. That way, once you upload a trace and send us data, they are
linked to that particular case and available to whoever is investigating the
case.
Regards,
Edgar
-----Original Message-----
From: Matthieu Patou [mailto:[email protected]]
Sent: Monday, July 11, 2011 1:18 PM
To: [email protected]
Cc: Interoperability Documentation Help; [email protected];
[email protected]
Subject: Re: [cifs-protocol] access denied in NetrLogonSamLogonEx
On 11/07/2011 21:39, Matthieu Patou wrote:
Dear doc help,
I'm receving a STATUS_ACCESS_DENIED when using ntlm_auth against a
Windows 2003 DC.
According to the NRPC.pdf paragraph 3.5.4.4.1, the server is supposed
to return ACCESS_DENIED if the client is not using a secure RPC
(schannel).
In this particular case it's not the case as we can see that the
information are encapsulated in a schannel communication. What are
the other reasons for Windows to return this error ?
The same call on a Samba4 DC in the same domain is OK, I configured
the domain to not keep the lan manager password.
Matthieu.
I'm also uploading in the link sent by hongwei on the first of july (the one
which finish by c3ef297d3290) a tttrace, the network capture and the extract
of the netrlogonsamlogonex for packet 115.
Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
--
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
