[Samba] NT_STATUS_INVALID_WORKSTATION and SAM.workstation-restrictions

Guenther Deschner gd at suse.de
Wed Apr 30 15:00:23 GMT 2003


hello andrew,

On Wed, Apr 30, 2003 at 05:23:12PM +1000, Andrew Bartlett wrote:
> > > > is password-validation via smbd/winbindd recognized as a user logon at the
> > > > domain controller or what else causes the domain controller to send
> > > > NT_STATUS_INVALID_WORKSTATION?
> > > 
> > > It's sending the server's name, rather than the workstation name.  
> > > 
> > > > any hint is greatly appreciated.
> > > 
> > > One of the Samba-TNG folks asked me for this at SambaXP, and I neglected
> > > to code it up...
> > > 
> > > Completely untested, but this should do the job:

> --- smbd/password.c     7 Apr 2003 15:15:53 -0000       1.186.2.72
> +++ smbd/password.c     30 Apr 2003 05:39:10 -0000
> @@ -1500,6 +1500,7 @@
>         BOOL connected_ok = False;
>         time_t last_change_time;
>         NTSTATUS status;
> +       const char *workstation_name;
> 
>         if (pptoken)
>                 *pptoken = NULL;
> @@ -1609,8 +1610,14 @@
>         generate_random_buffer( (unsigned char *)&smb_uid_low, 4, False);
> 
>         ZERO_STRUCT(info3);
> +
> +       if (*remote_machine) {
> +               workstation_name = remote_machine;

hm. remote_machine is one of my dcs. 

> +       } else {
> +               workstation_name = global_myname;

and global_myname is my own netbios-name (this is the name that causes the
dc to send NT_STATUS_INVALID_WORKSTATION).

> +       }
> 
> -       status = cli_nt_login_network(pcli, domain, user, smb_uid_low,
>         (char *)local_challenge,
> +       status = cli_nt_login_network(pcli, domain, user,
> workstation_name, smb_uid_low, (char *)local_challenge,
>                                 ((smb_apasslen != 0) ? smb_apasswd : NULL),
>                                 ((smb_ntpasslen != 0) ? smb_ntpasswd : NULL),
>                                 &ctr, &info3);
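
Review bot: the call to cli_nt_login_network at the end of this hunk gains a workstation_name argument, but the visible patch touches only smbd/password.c and carries no matching change to that function's prototype or definition, so it will not build as posted; the declaration and definition changes need to be part of the same patch. Separately, the else branch still falls back to global_myname, the value this thread ties to NT_STATUS_INVALID_WORKSTATION, so a debug message when that fallback is taken would make failures for workstation-restricted accounts easier to diagnose.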

cli_nt_login_network does not take workstation_name as an argument. i
looked through the code but did not find anything comparable to the
user_info-structure that holds the client-workstation name in 3_0. seems
to be difficult to pass the client-workstation-name to the dc in 2_2.

> You need to use the ntlm_auth helper on 3.0 to fix this issue.  The
> squid helper doesn't know how to supply this value to winbind.  However,
> the rest of Samba 3.0 has been fixed to always get this right.

fine. when i manually invoke the ntlm_auth-helper (with a workstation-name
that is one of userworkstations) this works fine. i did not yet test
squid. how will the helper be invoked? do i just call it w/o arguments
like wb_ntlmauth and wb_auth as auth_param (basic|ntlm) program ? will the
helper then receive the client's netbios-name?

thanks a lot for your help,
guenther

-- 
Guenther Deschner                                         gd at suse.de
SuSE Linux AG                                        GnuPG: 8EE11688
Berliner Str. 27                      phone:  +49 (0) 30 / 430944778
D-13507 Berlin                           fax:  +49 (0) 30 / 43732804
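
The failure discussed in this thread, as an added example that is not part of the original message or of Samba's code: a simplified model of a workstation-restriction check against a comma-separated allow list, showing why forwarding the server's own name is rejected while the client's name passes. The function names, the list handling and the sample names WS01, WS02 and PROXY are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum logon_result { LOGON_OK = 0, LOGON_INVALID_WORKSTATION = 1 };

/* Hypothetical model: `allowed` is a comma-separated list of NetBIOS names
 * (as in an account's workstation restriction); empty means unrestricted. */
enum logon_result check_workstation(const char *allowed, const char *sent)
{
    if (allowed == NULL || *allowed == '\0')
        return LOGON_OK;                      /* account is not restricted */
    if (sent == NULL || *sent == '\0')
        return LOGON_INVALID_WORKSTATION;     /* restricted, no name given */

    size_t sent_len = strlen(sent);
    const char *p = allowed;
    while (*p) {
        size_t n = strcspn(p, ",");           /* length of current entry */
        const char *e = p;
        size_t len = n;
        while (len > 0 && *e == ' ') { e++; len--; }   /* trim left */
        while (len > 0 && e[len - 1] == ' ') len--;    /* trim right */
        /* Whole-name, case-insensitive match; prefixes do not count. */
        if (len == sent_len && strncasecmp(e, sent, len) == 0)
            return LOGON_OK;
        p += n;
        if (*p == ',') p++;
    }
    return LOGON_INVALID_WORKSTATION;
}

/* Name an authenticating server forwards: the client's name when known,
 * otherwise its own name (the fallback branch in the quoted patch). */
const char *forwarded_name(const char *client_name, const char *server_name)
{
    return (client_name && *client_name) ? client_name : server_name;
}

int main(void)
{
    const char *allowed = "WS01, WS02";       /* constructed sample list */
    printf("server name forwarded: %d\n",
           check_workstation(allowed, forwarded_name("", "PROXY")));
    printf("client name forwarded: %d\n",
           check_workstation(allowed, forwarded_name("ws02", "PROXY")));
    return 0;
}
```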