[Samba] NT_STATUS_INVALID_WORKSTATION and SAM.workstation-restrictions

Andrew Bartlett abartlet at samba.org
Wed Apr 30 07:23:12 GMT 2003


On Wed, 2003-04-30 at 17:11, Guenther Deschner wrote:
> hello andrew,
> 
> On Wed, Apr 30, 2003 at 03:39:34PM +1000, Andrew Bartlett wrote:
> > On Mon, 2003-04-28 at 23:27, Guenther Deschner wrote:
> > > hello,
> > > 
> > > on one larger domain-member-setup i'm currently facing the annoying
> > > NT_STATUS_INVALID_WORKSTATION error-messages, caused by user specific 
> > > workstation-restrictions that prevent users from attaching shares on that
> > > domain-member server (2.2.8a with winbind).
> > > 
> > > is there any workaround except for adding my samba-domain-member
> > > netbios-name to each user's "userWorkstations"-list in ads?
> > > 
> > > is password-validation via smbd/winbindd recognized as a user logon at the
> > > domain controller or what else causes the domain controller to send
> > > NT_STATUS_INVALID_WORKSTATION?
> > 
> > It's sending the server's name, rather than the workstation name.  
> > 
> > > any hint is greatly appreciated.
> > 
> > One of the Samba-TNG folks asked me for this at SambaXP, and I neglected
> > to code it up...
> > 
> > Completely untested, but this should do the job:
> 
> thanks a lot. will test that in a few hours and report back.
> INVALID_WORKSTATION is really causing me big headaches at the moment.
> yesterday i checked HEAD's smbd that suffers *not* from this problem.  but
> obviously winbindd (either 2_2 or HEAD/3_0) receives the same
> error-message from the domain controller on several occasions. this is
> currently rendering my squid-ntlm-winbind-proxy unusable... and should be
> fixed IMHO. should I file a bugzilla-entry? 

You need to use the ntlm_auth helper on 3.0 to fix this issue.  The
squid helper doesn't know how to supply this value to winbind.  However,
the rest of Samba 3.0 has been fixed to always get this right.

> btw: did you know that ADS refuses to accept simple ldap binds from hosts
> not in "userworkstations" ? sasl-gssapi-binds do work from these hosts
> though...

Interesting.  I think it shows a bit of the code paths used inside AD...

userWorkstations really is tied to NTLM.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
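
Added example, not part of the original message and not Samba code: it pulls the Workstation field out of an NTLMSSP AUTHENTICATE (type 3) message, the value a helper has to pass on, and runs it through a simplified model of the userWorkstations check. The function names, the sample message and the DC-side logic are assumptions made for illustration.

```python
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
HEADER_LEN = 64  # 8 signature + 4 type + 6 * 8 field descriptors + 4 flags


def build_authenticate(domain, user, workstation):
    """Build a constructed type 3 message with empty LM/NT responses."""
    payloads = [b"", b"", domain.encode("utf-16-le"), user.encode("utf-16-le"),
                workstation.encode("utf-16-le"), b""]
    fields, body = b"", b""
    for p in payloads:
        # Each descriptor is: length, max length, offset from message start.
        fields += struct.pack("<HHI", len(p), len(p), HEADER_LEN + len(body))
        body += p
    flags = struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)
    return b"NTLMSSP\0" + struct.pack("<I", 3) + fields + flags + body


def parse_workstation(msg):
    """Return the client workstation name carried in a type 3 message."""
    if len(msg) < HEADER_LEN or msg[:8] != b"NTLMSSP\0":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    # WorkstationFields is the fifth descriptor, at byte offset 44.
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, 44)
    if offset + length > len(msg):
        raise ValueError("workstation field points outside the message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Without the Unicode flag the name is in an OEM code page (approximated).
    codec = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return msg[offset:offset + length].decode(codec)


def dc_logon_status(user_workstations, workstation):
    """Simplified model (assumption) of the check made by the DC."""
    allowed = {w.strip().upper() for w in user_workstations.split(",") if w.strip()}
    if allowed and workstation.upper() not in allowed:
        return "NT_STATUS_INVALID_WORKSTATION"
    return "NT_STATUS_OK"


if __name__ == "__main__":
    msg = build_authenticate("EXAMPLE", "alice", "WKS01")  # constructed sample
    for name in (parse_workstation(msg), "SMBMEMBER"):  # client name vs. server name
        print(name, dc_logon_status("WKS01,WKS02", name))
```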