[Samba] NT_STATUS_INVALID_WORKSTATION and SAM.workstation-restrictions

Guenther Deschner gd at suse.de
Tue May 13 15:50:44 GMT 2003

hello andrew,

On Thu, May 01, 2003 at 11:55:55AM +1000, Andrew Bartlett wrote:
> > > You need to use the ntlm_auth helper on 3.0 to fix this issue.  The
> > > squid helper doesn't know how to supply this value to winbind.  However,
> > > the rest of Samba 3.0 has been fixed to always gets this right.
> > 
> > fine. when i manually invoke the ntlm_auth-helper (with a workstation-name
> > that is one of userworkstations) this works fine. i did not yet test
> > squid. how will the helper be invoked? do i just call it w/o arguments
> > like wb_ntlmauth and wb_auth as auth_param (basic|ntlm) program ? will the
> > helper then receive the clients netbios-name?
> I think I better document that a bit better!
> --helper-protocol=squid-2.5-ntlmssp should do the job.
> The client tells the server what it claims it's netbios name to be in
> the NTLMSSP exchange.  Nobody told you this was secure I hope! :-)

just a quick feedback:

we have squid-2.5-stable2 with ntlm_auth and 3_0 winbind (before the
idmap-commit) running now. ntlm_auth is configured as basic and as ntlm
helper. in all recent SuSE-distributions squid runs as user squid (not
chrooted) thus we realized access to the priviledged winbind-pipe with a
simple posix-acl (that survives winbind-restart).

thanks a *lot*,

Guenther Deschner                                         gd at suse.de
SuSE Linux AG                                        GnuPG: 8EE11688
Berliner Str. 27                      phone:  +49 (0) 30 / 430944778
D-13507 Berlin                           fax:  +49 (0) 30 / 43732804
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba/attachments/20030513/6bac971b/attachment.bin

More information about the samba mailing list