[Samba] NT_STATUS_INVALID_WORKSTATION and SAM.workstation-restrictions
Guenther Deschner
gd at suse.de
Wed Apr 30 15:00:23 GMT 2003
hello andrew,
On Wed, Apr 30, 2003 at 05:23:12PM +1000, Andrew Bartlett wrote:
> > > > is password-validation via smbd/winbindd recognized as a user logon at the
> > > > domain controller or what else causes the domain controller to send
> > > > NT_STATUS_INVALID_WORKSTATION?
> > >
> > > It's sending the server's name, rather than the workstation name.
> > >
> > > > any hint is greatly appreciated.
> > >
> > > One of the Samba-TNG folks asked me for this at SambaXP, and I neglected
> > > to code it up...
> > >
> > > Completely untested, but this should do the job:
> --- smbd/password.c 7 Apr 2003 15:15:53 -0000 1.186.2.72
> +++ smbd/password.c 30 Apr 2003 05:39:10 -0000
> @@ -1500,6 +1500,7 @@
> BOOL connected_ok = False;
> time_t last_change_time;
> NTSTATUS status;
> + const char *workstation_name;
>
> if (pptoken)
> *pptoken = NULL;
> @@ -1609,8 +1610,14 @@
> generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
>
> ZERO_STRUCT(info3);
> +
> + if (*remote_machine) {
> + workstation_name = remote_machine;
hm. remote_machine is one of my dcs.
> + } else {
> + workstation_name = global_myname;
and global_myname is my own netbios-name (this is the name that causes the
dc to send NT_STATUS_INVALID_WORKSTATION).
> + }
>
> - status = cli_nt_login_network(pcli, domain, user, smb_uid_low,
> (char *)local_challenge,
> + status = cli_nt_login_network(pcli, domain, user,
> workstation_name, smb_uid_low, (char *)local_challenge,
> ((smb_apasslen != 0) ? smb_apasswd : NULL),
> ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL),
> &ctr, &info3);
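Review bot: cli_nt_login_network gains a fourth argument, workstation_name, in the call at the end of this hunk, but the removed line shows the current call has no such parameter and the patch touches only smbd/password.c, with no change to the function's prototype or definition. As posted the call will not build; the patch needs to extend cli_nt_login_network (and any other callers) so the name is carried into the logon request. Separately, the else branch falls back to global_myname, which is the server's own name that the thread identifies as the value being sent today, so accounts with workstation restrictions would still get NT_STATUS_INVALID_WORKSTATION on that path; a comment or debug message at the fallback stating this would help.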
cli_nt_login_network does not take workstation_name as an argument. i
looked through the code but did not find anything comparable to the
user_info-structure that holds the client-workstation name in 3_0. seems
to be difficult to pass the client-workstation-name to the dc in 2_2.
> You need to use the ntlm_auth helper on 3.0 to fix this issue. The
> squid helper doesn't know how to supply this value to winbind. However,
> the rest of Samba 3.0 has been fixed to always get this right.
fine. when i manually invoke the ntlm_auth-helper (with a workstation-name
that is one of userworkstations) this works fine. i did not yet test
squid. how will the helper be invoked? do i just call it w/o arguments
like wb_ntlmauth and wb_auth as auth_param (basic|ntlm) program? will the
helper then receive the client's netbios-name?
thanks a lot for your help,
guenther
--
Guenther Deschner gd at suse.de
SuSE Linux AG GnuPG: 8EE11688
Berliner Str. 27 phone: +49 (0) 30 / 430944778
D-13507 Berlin fax: +49 (0) 30 / 43732804