[Samba] NT_STATUS_INVALID_WORKSTATION and SAM.workstation-restrictions

Andrew Bartlett abartlet at samba.org
Tue May 13 23:27:07 GMT 2003


On Wed, 2003-05-14 at 01:50, Guenther Deschner wrote:
> hello andrew,
> 
> On Thu, May 01, 2003 at 11:55:55AM +1000, Andrew Bartlett wrote:
> > > > You need to use the ntlm_auth helper on 3.0 to fix this issue.  The
> > > > squid helper doesn't know how to supply this value to winbind.  However,
> > > > the rest of Samba 3.0 has been fixed to always get this right.
> > > 
> > > fine. when i manually invoke the ntlm_auth-helper (with a workstation-name
> > > that is one of userworkstations) this works fine. i did not yet test
> > > squid. how will the helper be invoked? do i just call it w/o arguments
> > > like wb_ntlmauth and wb_auth as auth_param (basic|ntlm) program ? will the
> > > helper then receive the clients netbios-name?
> > 
> > I think I better document that a bit better!
> > 
> > --helper-protocol=squid-2.5-ntlmssp should do the job.
> > 
> > The client tells the server what it claims its netbios name to be in
> > the NTLMSSP exchange.  Nobody told you this was secure I hope! :-)
> 
> just a quick feedback:
> 
> we have squid-2.5-stable2 with ntlm_auth and 3_0 winbind (before the
> idmap-commit) running now. ntlm_auth is configured as basic and as ntlm
> helper. in all recent SuSE-distributions squid runs as user squid (not
> chrooted) thus we realized access to the privileged winbind-pipe with a
> simple posix-acl (that survives winbind-restart).
> 
> thanks a *lot*,

I'm glad to see people getting value from it.  When you package Samba
3.0, you should look into including that ACL by default.

I've been working with the Squid team, and it is hoped that the next
release of Squid should include full negotiation support, which should
allow the better use of unicode, and better support for NTLMv2.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
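
The point made in the thread, that the workstation name checked against a user's workstation restrictions is whatever the client writes into the NTLMSSP exchange, as an added example that is not part of the original message and is not Samba's code: it reads the domain, user and workstation fields out of an NTLMSSP AUTHENTICATE (type 3) message. The sample message, the names in it and the cp437 fallback for the OEM code page are constructed assumptions.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when this flag is set
HEADER_LEN = 64                  # signature, type, six field descriptors, flags

def _field(msg, pos):
    """Follow a (Len, MaxLen, Offset) descriptor at pos and return its bytes."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field descriptor points outside the message")
    return msg[offset:offset + length]

def parse_authenticate(msg):
    """Return the client-supplied identity strings from a type 3 message.

    None of these values is verified by the parser: the workstation name in
    particular is only what the client claims its NetBIOS name to be.
    """
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("not an AUTHENTICATE (type 3) message")
    (flags,) = struct.unpack_from("<I", msg, 60)
    # Assumption: cp437 stands in for the negotiated OEM code page.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
    }

def build_sample(domain, user, workstation):
    """Constructed test input: zero-filled responses, not a valid login."""
    parts = [b"\x00" * 24, b"\x00" * 24]            # LM and NT responses
    parts += [s.encode("utf-16-le") for s in (domain, user, workstation)]
    parts.append(b"")                               # empty session key
    header = NTLMSSP_SIG + struct.pack("<I", 3)
    payload, offset = b"", HEADER_LEN
    for part in parts:
        header += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    return header + struct.pack("<I", NEGOTIATE_UNICODE) + payload

if __name__ == "__main__":
    print(parse_authenticate(build_sample("EXAMPLE", "alice", "WS01")))
```
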