[Bug 526464] Re: intermittent authentication: check_ntlm_password: Authentication for user [someuser] -> [someuser] FAILED with error NT_STATUS_ACCESS_DENIED

Joseph Salisbury joseph.salisbury at canonical.com
Wed Mar 16 19:41:16 UTC 2011 

@Surbhi,

I uploaded two additional wireshark traces.  These traces are for the
same two machines, but from an earlier date.  The two wireshark traces
show sucessful auths and failures for both users(service_bhavnacrysta
and crystaluser).

I also uploaded the samba log for this time period.  The log file name
is: crystal3.log.

In the logs, the error happened at 13:45

Here is some analysis I did for the system crystal3.  The wireshark filename is crystal3_2011-01-25_1345.pcap.
Note, A useful way to only see failures is to use this filter:
smb.cmd == 0x73

Wireshark analisys for file crystal3_2011-01-25_1345.pcap:
Failures for user crystaluser(Packet No.):
14504 with response in 14507
14516 wiht response in 14519

Successful auths for user crystaluser(Packet No.):
24 with response in 25
402 with resposne in 506

Failures for user service_bhavnacrysta(Packet No.):
14904 with response in 14905
14910 with response in 14911

Successful auth for user service_bhavnacrysta(Packet No.):
11974 with response in 11976

I noticed one thing when comparing the succuessful auths with the failed
auths.  Under the SMB Header, the User ID for the successful auth has
(SCHDY\crystaluser) and also reports the Primary Domain and Account.
For the failed auth this field only reports the User ID.  There is also
many more fields under the "Sessioni Setup AndX Respons section for the
successful login.  Maybe this is just a sign that the login was
unsucessful?  I created a screenshot comparing a failed auth(On the
left) and a successful auth(On the right of the screenshot).  The screen
shot is named wireshark_auth_comp_screenshot.png.


Wireshark analisys for file fs1_2011-01-25_1345.pcap
Failures for user crystaluser(Packet No.):
10485 with response in 10488
10497 with response in 10500

Successful auths for user crystaluser(Packet No.):
8 with a response in 9
151 with a response in 153

Failures for user service_bhavnacrysta(Packet No.):
10875 with response in 10876
10881 with response in 10882

Successful auth for user service_bhavnacrysta(Packet No.):
8715 with a response in 8717

One other thing I noticed in the Samba log file.  All successful authentications have this(Notice fetch_gid_from_cache):
[2011/01/24 10:23:46, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
  fetch gid from cache 10001 -> S-1-5-21-1870800502-1360593094-619646970-513
[2011/01/24 10:23:46, 3] auth/auth.c:check_ntlm_password(270)
  check_ntlm_password: winbind authentication for user [crystaluser] succeeded

All the failures are missing this line.  Maybe this indicates something
cache related?

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to samba in ubuntu.
https://bugs.launchpad.net/bugs/526464

Title:
  intermittent authentication: check_ntlm_password:  Authentication for
  user [someuser] -> [someuser] FAILED with error
  NT_STATUS_ACCESS_DENIED

More information about the Ubuntu-server-bugs mailing list