[Samba] Auth Failure for Restricted User Account
Mike Ruebner
samba at machichemicals.com
Mon Oct 9 22:06:59 UTC 2023
TL;DR: Setting a "log on to:" restriction on an AD user object breaks access
to file server resources for that user, such as redirected folders. Path to
resources uses an alias for respective file servers at two different
locations, which results in mixed Kerberos/NTLMv2 authentication. This works
for unrestricted user access, but fails with 'NT_STATUS_INVALID_WORKSTATION'
once a user's logon is restricted to a specific workstation. Is that
expected behavior and/or are there any .conf settings to mitigate?
TIA
Mike
Long version:
Two (replicated) file servers for the same domain with a DNS alias pointing
to the respective host address on different subnets. This gives me a mixed
Kerberos/NTLMv2 bag for authentication to file server resources, such as
redirected folders and home drives. Not pretty, but we have a couple of
users moving back & forth between two office locations. This is how it plays
out on the DC (auth_audit:3) when a user logs on to his device and pulls his
redirected folders off of one of those servers (notation changed to protect
the innocent):
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[thisuser at MYDOMAIN] at [Mon, 09 Oct 2023 00:12:32.389569 EDT] with
[aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote
host [ipv4:192.168.3.199:61533] became [MYDOMAIN]\[thisuser]
[S-1-5-21-3262729435-2213235217-2489999418-1157]. local host [NULL]
Auth: [SamLogon,network] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023
00:12:32.655551 EDT] with [NTLMv2] status [NT_STATUS_OK] workstation
[\\\\TESTWORKSTATION] remote host [ipv4:192.168.3.3:51770] became
[MYDOMAIN]\[thisuser] [S-1-5-21-3262729435-2213235217-2489999418-1157].
local host [ipv4:192.168.3.2:49152] NETLOGON computer [FILESERVER2] trust
account [FILESERVER2$]
This fails with 'NT_STATUS_INVALID_WORKSTATION' once I introduce logon
restrictions to the account:
Auth: [Kerberos KDC,ENC-TS Pre-authentication] user
[(null)]\[thisuser at MYDOMAIN.TLD.COM] at [Mon, 09 Oct 2023 00:00:08.300583
EDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation
[(null)] remote host [ipv4:192.168.3.199:61474] became [MYDOMAIN]\[thisuser]
[S-1-5-21-3262729435-2213235217-2489999418-3141]. local host [NULL]
Auth: [SamLogon,network] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023
00:00:08.314497 EDT] with [NTLMv2] status [NT_STATUS_INVALID_WORKSTATION]
workstation [\\\\TESTWORKSTATION] remote host [ipv4:192.168.3.3:51770]
mapped to [MYDOMAIN]\[thisuser]. local host [ipv4:192.168.3.2:49152]
NETLOGON computer [FILESERVER2] trust account [FILESERVER2$]
File server output:
Auth: [SMB2,(null)] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023
16:03:56.718823 EDT] with [NTLMv2] status [NT_STATUS_INVALID_WORKSTATION]
workstation [TESTWORKSTATION] remote host [ipv4:192.168.3.199:50579] mapped
to [MYDOMAIN]\[thisuser]. local host [ipv4:192.168.3.3:445]
testparm output on DC (4.17.10-Debian):
[global]
bind interfaces only = Yes
disable netbios = Yes
disable spoolss = Yes
interfaces = lo eno1
load printers = No
ntlm auth = mschapv2-and-ntlmv2-only
passdb backend = samba_dsdb
printcap name = /dev/null
realm = MYDOMAIN.TLD.COM
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
smb ports = 445
workgroup = KOP
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap config * : backend = tdb
map archive = No
printing = bsd
vfs objects = dfs_samba4 acl_xattr
testparm output on file server (4.17.10-Debian):
[global]
bind interfaces only = Yes
dedicated keytab file = /etc/krb5.keytab
disable netbios = Yes
disable spoolss = Yes
dns proxy = No
domain master = No
hostname lookups = Yes
interfaces = lo eno1
kerberos method = secrets and keytab
load printers = No
local master = No
log file = /var/log/samba/system.log
min domain uid = 0
preferred master = No
printcap name = /dev/null
realm = MYDOMAIN.TLD.COM
security = ADS
server role = member server
server signing = required
smb ports = 445
template homedir = /home/%U
template shell = /bin/bash
username map = /etc/samba/usermap
winbind enum groups = Yes
winbind enum users = Yes
winbind refresh tickets = Yes
winbind use default domain = Yes
workgroup = KOP
idmap config kop : range = 10000-999999
idmap config kop : backend = rid
idmap config * : range = 3000-7999
idmap config * : backend = tdb
hosts allow = 192.168.
map acl inherit = Yes
printing = bsd
vfs objects = acl_xattr
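An added example, not part of the original post and not Samba's own code: a small parser for the auth_audit records quoted above that separates the Kerberos path (whose records carry workstation [(null)], so a "log on to" list cannot be matched against them on that path) from the NTLMv2 SamLogon/SMB2 path, where the record carries the client name. It normalises the `\\TESTWORKSTATION` form seen in the SamLogon records to a bare NetBIOS name before comparing against a hypothetical allowed list, flags records that came back NT_STATUS_INVALID_WORKSTATION, and lists users seen on both mechanisms (the mixed Kerberos/NTLMv2 situation the alias produces). The log lines are constructed from the ones in the post with `@` restored in the Kerberos principal.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Matches the leading, fixed part of a Samba auth_audit line (one record per line).
AUTH_RE = re.compile(
    r"Auth: \[(?P<method>[^\]]*)\] user \[(?P<domain>[^\]]*)\]\\\[(?P<user>[^\]]*)\]"
    r" at \[(?P<time>[^\]]*)\] with \[(?P<mech>[^\]]*)\] status \[(?P<status>[^\]]*)\]"
    r" workstation \[(?P<ws>[^\]]*)\] remote host \[(?P<remote>[^\]]*)\]"
)

# Constructed sample, modelled on the records in the post (SID shortened).
SAMPLE_LOG = [
    r"Auth: [Kerberos KDC,ENC-TS Pre-authentication] user [(null)]\[thisuser@MYDOMAIN] at [Mon, 09 Oct 2023 00:12:32.389569 EDT] with [aes256-cts-hmac-sha1-96] status [NT_STATUS_OK] workstation [(null)] remote host [ipv4:192.168.3.199:61533] became [MYDOMAIN]\[thisuser] [S-1-5-21-1-2-3-1157]. local host [NULL]",
    r"Auth: [SamLogon,network] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023 00:12:32.655551 EDT] with [NTLMv2] status [NT_STATUS_OK] workstation [\\TESTWORKSTATION] remote host [ipv4:192.168.3.3:51770] became [MYDOMAIN]\[thisuser] [S-1-5-21-1-2-3-1157]. local host [ipv4:192.168.3.2:49152] NETLOGON computer [FILESERVER2] trust account [FILESERVER2$]",
    r"Auth: [SamLogon,network] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023 00:00:08.314497 EDT] with [NTLMv2] status [NT_STATUS_INVALID_WORKSTATION] workstation [\\TESTWORKSTATION] remote host [ipv4:192.168.3.3:51770] mapped to [MYDOMAIN]\[thisuser]. local host [ipv4:192.168.3.2:49152] NETLOGON computer [FILESERVER2] trust account [FILESERVER2$]",
    r"Auth: [SMB2,(null)] user [MYDOMAIN]\[thisuser] at [Mon, 09 Oct 2023 16:03:56.718823 EDT] with [NTLMv2] status [NT_STATUS_INVALID_WORKSTATION] workstation [TESTWORKSTATION] remote host [ipv4:192.168.3.199:50579] mapped to [MYDOMAIN]\[thisuser]. local host [ipv4:192.168.3.3:445]",
    r"Auth: [SamLogon,network] user [MYDOMAIN]\[otheruser] at [Mon, 09 Oct 2023 00:15:00.000000 EDT] with [NTLMv2] status [NT_STATUS_OK] workstation [\\LAPTOP7] remote host [ipv4:192.168.3.3:51800] became [MYDOMAIN]\[otheruser] [S-1-5-21-1-2-3-1201]. local host [ipv4:192.168.3.2:49152] NETLOGON computer [FILESERVER2] trust account [FILESERVER2$]",
]


@dataclass
class AuthEvent:
    method: str
    user: str
    mech: str
    status: str
    workstation: Optional[str]  # None when the record says "(null)"
    remote: str


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Return the fields this check needs, or None for non-auth lines."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    ws = m.group("ws")
    return AuthEvent(
        method=m.group("method"),
        user=m.group("user").split("@")[0],  # strip the realm on Kerberos records
        mech=m.group("mech"),
        status=m.group("status"),
        workstation=None if ws == "(null)" else ws,
        remote=m.group("remote"),
    )


def normalize_ws(name: str) -> str:
    # SamLogon records carry the name as \\TESTWORKSTATION; a "log on to"
    # list holds bare NetBIOS names (assumption), so drop the UNC prefix
    # and compare case-insensitively.
    return name.lstrip("\\").upper()


def audit(lines: List[str], allowed: List[str]) -> List[dict]:
    """Classify each record against the allowed workstation list."""
    allowed_norm = {normalize_ws(a) for a in allowed}
    findings = []
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        if ev.workstation is None:
            verdict = "unchecked"  # Kerberos pre-auth: no workstation name in the record
        elif normalize_ws(ev.workstation) in allowed_norm:
            verdict = "allowed"
        else:
            verdict = "not-in-list"
        findings.append({
            "user": ev.user,
            "mech": ev.mech,
            "status": ev.status,
            "workstation": None if ev.workstation is None else normalize_ws(ev.workstation),
            "verdict": verdict,
            "denied": ev.status == "NT_STATUS_INVALID_WORKSTATION",
        })
    return findings


def users_with_mixed_auth(lines: List[str]) -> Set[str]:
    """Users seen on both the Kerberos and an NTLM path in the same log."""
    seen = {}
    for line in lines:
        ev = parse_auth_line(line)
        if ev is not None:
            path = "Kerberos" if ev.method.startswith("Kerberos") else ev.mech
            seen.setdefault(ev.user, set()).add(path)
    return {u for u, paths in seen.items() if len(paths) > 1}


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ["TESTWORKSTATION"]):
        print(f)
    print("mixed-auth users:", users_with_mixed_auth(SAMPLE_LOG))
```

Records whose verdict is "allowed" but that still carry NT_STATUS_INVALID_WORKSTATION (the third and fourth sample lines) are the ones worth taking to the list or to a DC-side debug log, since the name in the record matches the list as written; records with verdict "unchecked" show that the Kerberos path never presented a workstation name at all.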