Hi DocHelp,

I had the situation where a Windows 2012 DC returns NT_STATUS_ACCESS_DENIED for all NetrLogonSamLogonEx requests.

I finally managed to find that the DC didn't provide SYSVOL and NETLOGON shares; this led to checking the SYSVOLReady key and it was 0 (under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters). After manually changing SYSVOLReady to 1 (just for short term testing) NetrLogonSamLogonEx() worked fine.

I guess the following section in [MS-NRPC] 3.5.4.5.1 NetrLogonSamLogonEx is supposed to describe this:

    If the server cannot service the request due to an implementation-specific condition, the server SHOULD return STATUS_ACCESS_DENIED.

Can this please be extended, maybe with a Windows behavior note, proposing SYSVOLReady = 0 as a possible reason for this behavior?

Is there more affected by this registry key than all NetrLogonSamLogon* calls? I'm wondering why [MS-ADTS] 6.3.3 LDAP Ping or 6.3.5 Mailslot Ping would still return "normal" results in that case. As Samba made use of such a DC, I'd guess yes, but I haven't verified if we just ignore a LOGON_SAM_PAUSE_RESPONSE* response.

Thanks!
metze
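
The check described in the message above, as an added example that is not part of the original post and is not Samba or Microsoft code: a read-only PowerShell snippet, run on the DC, that reports the SYSVOLReady value together with the SYSVOL and NETLOGON shares and the Netlogon service state. The helper name Get-SysvolReadiness and the output field names are assumptions made for this example.

```powershell
# Added example (not from the original message). Read-only: it changes nothing.
# Run in an elevated PowerShell session on the domain controller.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-SysvolReadiness {   # hypothetical helper name
    # Registry value named in the message; stays $null if the value is missing.
    $ready = $null
    $props = Get-ItemProperty -Path $NetlogonParams -Name 'SYSVOLReady' `
                              -ErrorAction SilentlyContinue
    if ($props) { $ready = [int]$props.SYSVOLReady }

    # The two shares the message found were not being provided by the DC.
    $shareNames = 'SYSVOL', 'NETLOGON'
    $shares = @{}
    foreach ($name in $shareNames) {
        $shares[$name] = [bool](Get-SmbShare -Name $name -ErrorAction SilentlyContinue)
    }

    $service = Get-Service -Name 'Netlogon' -ErrorAction SilentlyContinue

    # Collect every condition that matches the state described in the message.
    $findings = @()
    if ($null -eq $ready)  { $findings += 'SYSVOLReady value not found' }
    elseif ($ready -ne 1)  { $findings += "SYSVOLReady is $ready (message reports logons worked with 1)" }
    foreach ($name in $shareNames) {
        if (-not $shares[$name]) { $findings += "$name share is not published" }
    }
    if (-not $service -or $service.Status -ne 'Running') {
        $findings += 'Netlogon service is not running'
    }

    [pscustomobject]@{
        SysvolReady     = $ready
        SysvolShare     = $shares['SYSVOL']
        NetlogonShare   = $shares['NETLOGON']
        NetlogonService = if ($service) { [string]$service.Status } else { 'NotFound' }
        Healthy         = ($findings.Count -eq 0)
        Findings        = ($findings -join '; ')
    }
}

Get-SysvolReadiness | Format-List
```

A result with Healthy = False and SYSVOLReady at 0 matches the state in which the message saw NT_STATUS_ACCESS_DENIED from NetrLogonSamLogonEx.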
_______________________________________________ cifs-protocol mailing list cifs-protocol@lists.samba.org https://lists.samba.org/mailman/listinfo/cifs-protocol