[Samba] NT_STATUS_INVALID_WORKSTATION and SAM.workstation-restrictions

Guenther Deschner gd at suse.de
Wed Apr 30 07:11:08 GMT 2003 

hello andrew,

On Wed, Apr 30, 2003 at 03:39:34PM +1000, Andrew Bartlett wrote:
> On Mon, 2003-04-28 at 23:27, Guenther Deschner wrote:
> > hello,
> > 
> > on one larger domain-member-setup i'm currently facing the annoying
> > NT_STATUS_INVALID_WORKSTATION error-messages, caused by user specific 
> > workstation-restrictions that prevent users from attaching shares on that
> > domain-member server (2.2.8a with winbind).
> > 
> > is there any workaround except for adding my samba-domain-member
> > netbios-name to each user's "userWorkstations"-list in ads?
> > 
> > is password-validation via smbd/winbindd recognized as a user logon at the
> > domain controller or what else causes the domain controller to send
> > NT_STATUS_INVALID_WORKSTATION?
> 
> It's sending the server's name, rather than the workstation name.  
> 
> > any hint is greatly appreciated.
> 
> One of the Samba-TNG folks asked me for this at SambaXP, and I neglected
> to code it up...
> 
> Completely untested, but this should do the job:

thanks a lot. will test that in a few hours and report back.
INVALID_WORKSTATION is really causing me big headaches at the moment.
yesterday i checked HEADs smbd that suffers *not* from this problem.  but
obviously winbindd (either 2_2 or HEAD/3_0) receives the same
error-message from the domain controller on several occasions. this is
currently rendering my squid-ntlm-winbind-proxy unusable... and should be
fixed IMHO. should I file a bugzilla-entry? 

btw: did you know that ADS refuses to accept simple ldap binds from hosts
not in "userworkstations" ? sasl-gssapi-binds does work from these hosts
though...

thanks again,
guenther
-- 
Guenther Deschner                                         gd at suse.de
SuSE Linux AG                                        GnuPG: 8EE11688
Berliner Str. 27                      phone:  +49 (0) 30 / 430944778
D-13507 Berlin                           fax:  +49 (0) 30 / 43732804
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20030430/ee10d9b6/attachment.bin

More information about the samba mailing list