How to Enable Debug Logging for the Net Logon Service
Issue
This document details steps to enable debug logging for the Net Logon service. Enabling this log will help the administrator troubleshoot authentication problems for Active Directory user accounts and should prove especially useful while troubleshooting authentication issues from winbind-enabled RHEL workstations.
To enable debugging for the Net Logon service under Windows 2003/2008 Server:
1. Log on as Administrator (or other account with equivalent rights)
2. In a command prompt window, type the following command to set the debug flag on:
nltest /dbflag:0x2080ffff
3. Stop and restart the Net Logon service:
net stop netlogon
net start netlogon
To disable debug logging, type the following command to set the debug flag off, then stop and restart the Net Logon service as described in Step 3:
nltest /dbflag:0x0
The debug log will be located in C:\WINDOWS\Debug and is named Netlogon.log. From this log, you can observe "AD pings" from client workstations and user logon attempts.
Here are two examples of log entries that show a user (Administrator) initiating an SSH session into a RHEL workstation; the user's account and credentials are stored in Active Directory and the workstation is using winbind to communicate with the domain controller. The first example shows a successful login with the proper password; the second example shows what appears in the log when an incorrect password is used to authenticate:
Example 1: Correct user password used
12/22 13:19:09 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Entered
12/22 13:19:09 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Returns 0x0
Example 2: Incorrect password used
12/22 13:20:52 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Entered
12/22 13:20:52 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Returns 0xC000006A
12/22 13:20:58 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Entered
12/22 13:20:58 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Returns 0xC000006A
The error code 0xC000006A indicates a bad password, per Microsoft documentation.
Hexadecimal error codes can be translated using Microsoft's Error Code Lookup Tool:
http://www.microsoft.com/en-us/download/details.aspx?id=985
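When Netlogon.log grows large, the "Returns" lines can be summarized with a script. The following is an added example, not part of the original article: it parses SamLogon results in the format shown above and counts failures per account and source workstation. The function names are hypothetical, and the two status codes beyond 0x0 and 0xC000006A are standard NTSTATUS values included as an assumption about what else may appear in the log.

```python
import re
from collections import Counter

# 0x0 and 0xC000006A appear in the article; the other two are standard
# NTSTATUS values added for this example.
NTSTATUS = {
    0x0: "STATUS_SUCCESS",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# "Returns" line of a SamLogon record; "Entered" lines carry no result.
SAMLOGON = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?P<domain>\S+): SamLogon: "
    r"(?P<kind>.+?) logon of (?P<user>.+?) from (?P<src>\S*) "
    r"\(via (?P<via>[^)]+)\) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

def parse_results(lines):
    """Yield one dict per completed SamLogon attempt."""
    for line in lines:
        m = SAMLOGON.match(line.strip())
        if not m:
            continue  # "Entered" lines and unrelated log entries
        rec = m.groupdict()
        rec["status"] = int(rec["status"], 16)
        rec["meaning"] = NTSTATUS.get(rec["status"], "unknown")
        yield rec

def failures_by_account(lines):
    """Count failed attempts per (user, source workstation, meaning)."""
    return Counter((r["user"].lower(), r["src"], r["meaning"])
                   for r in parse_results(lines) if r["status"] != 0)

# Sample input: the log lines from the article's two examples.
SAMPLE = r"""
12/22 13:19:09 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Entered
12/22 13:19:09 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Returns 0x0
12/22 13:20:52 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Entered
12/22 13:20:52 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Returns 0xC000006A
12/22 13:20:58 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Entered
12/22 13:20:58 [LOGON] SEGAD: SamLogon: Network logon of SEGAD\administrator from \\SEGAD-SMB-1 (via SEGAD-SMB-1) Returns 0xC000006A
"""

if __name__ == "__main__":
    for key, count in failures_by_account(SAMPLE.splitlines()).items():
        print(count, *key)
```

Repeated STATUS_WRONG_PASSWORD results for one account from one workstation, as in Example 2, usually point to a mistyped or stale stored password; the same pattern spread across many accounts deserves a closer look.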
Summary: Enabling debug logging for the Net Logon service can help with troubleshooting efforts related to user authentication under Active Directory.