[Samba] NT_STATUS_INVALID_WORKSTATION and
SAM.workstation-restrictions
Guenther Deschner
gd at suse.de
Tue May 13 15:50:44 GMT 2003
hello andrew,
On Thu, May 01, 2003 at 11:55:55AM +1000, Andrew Bartlett wrote:
> > > You need to use the ntlm_auth helper on 3.0 to fix this issue. The
> > > squid helper doesn't know how to supply this value to winbind. However,
> > > the rest of Samba 3.0 has been fixed to always gets this right.
> >
> > fine. when i manually invoke the ntlm_auth-helper (with a workstation-name
> > that is one of userworkstations) this works fine. i did not yet test
> > squid. how will the helper be invoked? do i just call it w/o arguments
> > like wb_ntlmauth and wb_auth as auth_param (basic|ntlm) program ? will the
> > helper then receive the clients netbios-name?
>
> I think I better document that a bit better!
>
> --helper-protocol=squid-2.5-ntlmssp should do the job.
>
> The client tells the server what it claims it's netbios name to be in
> the NTLMSSP exchange. Nobody told you this was secure I hope! :-)
just a quick feedback:
we have squid-2.5-stable2 with ntlm_auth and 3_0 winbind (before the
idmap-commit) running now. ntlm_auth is configured as basic and as ntlm
helper. in all recent SuSE-distributions squid runs as user squid (not
chrooted) thus we realized access to the priviledged winbind-pipe with a
simple posix-acl (that survives winbind-restart).
thanks a *lot*,
guenther
--
Guenther Deschner gd at suse.de
SuSE Linux AG GnuPG: 8EE11688
Berliner Str. 27 phone: +49 (0) 30 / 430944778
D-13507 Berlin fax: +49 (0) 30 / 43732804
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20030513/6bac971b/attachment.bin
More information about the samba
mailing list