adds several common cases of NT Error.

bin/pyntlm_auth/log.py

@@ -32,7 +32,7 @@ def info(msg):
 
 
 def warning(msg):
-    logger.info(msg)
+    logger.warning(msg)
 
 
 def error(msg):

bin/pyntlm_auth/ms_event.py

@@ -2,6 +2,8 @@
 
 import ncache
 import utils
+import log
+
 
 EVENT_TYPE_USER_CREATED = 4720
 EVENT_TYPE_USER_ENABLED = 4722
@@ -40,7 +42,7 @@ def process_event_password_reset(event):
     account = event['TargetUserName']
     event['EventTime'] = event_time
 
-    print(f"  ---- handling event password reset : happens on {utils.to_ymd_hms(event_time)} ({event_time}) for ID {record_id}: {account}@{domain} ")
+    log.debug(f"handling event password reset : happens on {utils.to_ymd_hms(event_time)} ({event_time}) for ID {record_id}: {account}@{domain} ")
 
     key_root = ncache.build_cache_key(domain, account)
     cache_entry_root = ncache.get_cache_entry(key_root)
@@ -76,7 +78,7 @@ def process_event_password_change(event):
     account = event['TargetUserName']
     event['EventTime'] = event_time
 
-    print(f"  ---- handling event password change: happens on {utils.to_ymd_hms(event_time)} ({event_time}) for ID {record_id}: {account}@{domain} ")
+    log.debug(f"handling event password change: happens on {utils.to_ymd_hms(event_time)} ({event_time}) for ID {record_id}: {account}@{domain} ")
 
     key_root = ncache.build_cache_key(domain, account)
     cache_entry_root = ncache.get_cache_entry(key_root)

bin/pyntlm_auth/ncache.py

@@ -7,6 +7,7 @@
 
 import utils
 import datetime
+import log
 
 NT_KEY_USER_LOCKED = "*"
 NT_KEY_USER_DISABLED = "-"
@@ -286,7 +287,7 @@ def device_miss_root_hit(domain, account_username, mac, challenge, nt_response,
         cache_v_root = json.loads(c_root['value'])
         cache_v_device = cache_v_template(domain, account_username, mac)
     except Exception as e:
-        print(f"  Exception caught while handling cached authentication, error was: {e}")
+        log.warning(f"Exception caught while handling cached authentication, error was: {e}")
         return '', -1, None
 
     if is_ndl(cache_v_root['nt_status']):
@@ -357,7 +358,7 @@ def device_hit_root_hit(domain, account_username, mac, challenge, nt_response, c
         cache_v_root = json.loads(c_root['value'])
         cache_v_device = json.loads(c_device['value'])
     except Exception as e:
-        print(f"  Exception caught while handling cached authentication, error was: {e}")
+        log.warning(f"Exception caught while handling cached authentication, error was: {e}")
         return '', -1, None
 
     if is_ndl(cache_v_root['nt_status']):

bin/pyntlm_auth/rpc.py

@@ -8,6 +8,7 @@
 from samba.dcerpc.netlogon import (netr_Authenticator, MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT, MSV1_0_ALLOW_MSVCHAPV2)
 import binascii
 from samba.net import Net
+import log
 
 
 def find_dc(lp):
@@ -94,22 +95,29 @@ def init_secure_connection():
     except NTSTATUSError as e:
         error_code = e.args[0]
         error_message = e.args[1]
-        print(f"Error in init secure connection: NT_Error, error_code={error_code}, error_message={error_message}.")
-        print("Parameter used in establish secure channel are:")
-        print(f"  lp.netbios_name: {netbios_name}")
-        print(f"  lp.realm: {realm}")
-        print(f"  lp.server_string: {server_string}")
-        print(f"  lp.workgroup: {workgroup}")
-        print(f"  workstation: {workstation}")
-        print(f"  username: {username}")
-        print(f"  password: {utils.mask_password(password)}")
-        print(f"  set_NT_hash_flag: True")
-        print(f"  domain: {domain}")
-        print(f"  server_name(ad_fqdn): {server_name}")
+        log.warning(f"Error in init secure connection: NTError: {hex(error_code)}, {error_message}.")
+
+        if error_code == 0xc0000001:
+            log.warning("Did you give the wrong 'workstation' parameter in domain configuration ?")
+        if error_code == 0xc0000022:
+            log.warning("Are you using a wrong password for a machine account?")
+            log.warning("If you are in a cluster, did you re-used the machine account and reset with another password?")
+
+        log.debug("Parameter used in establish secure channel are:")
+        log.debug(f"  lp.netbios_name: {netbios_name}")
+        log.debug(f"  lp.realm: {realm}")
+        log.debug(f"  lp.server_string: {server_string}")
+        log.debug(f"  lp.workgroup: {workgroup}")
+        log.debug(f"  workstation: {workstation}")
+        log.debug(f"  username: {username}")
+        log.debug(f"  password: {utils.mask_password(password)}")
+        log.debug(f"  set_NT_hash_flag: True")
+        log.debug(f"  domain: {domain}")
+        log.debug(f"  server_name(ad_fqdn): {server_name}")
     except Exception as e:
         error_code = e.args[0]
         error_message = e.args[1]
-        print(f"Error in init secure connection: General, error_code={error_code}, error_message={error_message}.")
+        log.warning(f"Error in init secure connection: ErrCode: {error_code}, {error_message}.")
     return global_vars.s_secure_channel_connection, global_vars.s_machine_cred, error_code, error_message
 
 
@@ -180,17 +188,21 @@ def transitive_login(account_username, challenge, nt_response, domain=None):
 
             nt_key = [x if isinstance(x, str) else hex(x)[2:].zfill(2) for x in info.base.key.key]
             nt_key_str = ''.join(nt_key)
-            print(f"  Successfully authenticated '{account_username}', NT_KEY is: '{utils.mask_password(nt_key_str)}'.")
+            log.debug(f"Successfully authenticated '{account_username}', NT_KEY is: '{utils.mask_password(nt_key_str)}'.")
             return nt_key_str.encode('utf-8').strip().decode('utf-8'), 0, info
         except NTSTATUSError as e:
             nt_error_code = e.args[0]
             nt_error_message = f"NT Error: code: {nt_error_code}, message: {str(e)}"
-            print(f"  Failed while authenticating user: '{account_username}' with NT Error: {e}.")
+            log.warning(f"Failed authenticating user: '{account_username}' with NT Error: {e}.")
+
+            if error_code == 0xc0000022:
+                log.warning("Is this machine account is shared by another ntlm_auth process (or another cluster node)?")
+
             global_vars.s_reconnect_id = global_vars.s_connection_id
             return nt_error_message, nt_error_code, None
         except Exception as e:
             global_vars.s_reconnect_id = global_vars.s_connection_id
-            print(f"  Failed while authenticating user: '{account_username}' with General Error: {e}.")
+            log.debug(f"Failed while authenticating user: '{account_username}' with General Error: {e}.")
             if isinstance(e.args, tuple) and len(e.args) > 0:
                 return f"General Error: code {e.args[0]}, {str(e)}", e.args[0], None
             else:

bin/pyntlm_auth/t_sdnotify.py

@@ -8,7 +8,6 @@ def sd_notify():
     n.notify("READY=1")
     count = 1
     while True:
-        # print("Running... {}".format(count))
         n.notify("STATUS=Count is {}".format(count))
         count += 1
         time.sleep(30)

bin/pyntlm_auth/utils.py

@@ -3,6 +3,8 @@
 import constants
 import dns.resolver
 import pytz
+import log
+
 
 # simplified IPv4 validator.
 def is_ipv4(address):
@@ -81,13 +83,13 @@ def find_ldap_servers(domain, dns_server):
         return ldap_servers
 
     except dns.resolver.NoAnswer:
-        print(f'No SRV records found for {query_name}')
+        log.debug(f'No SRV records found for {query_name}')
         return []
     except dns.resolver.NXDOMAIN:
-        print(f'Domain {domain} does not exist')
+        log.debug(f'Domain {domain} does not exist')
         return []
     except Exception as e:
-        print(f'An error occurred: {e}')
+        log.debug(f'An error occurred: {e}')
         return []