[Samba] winbind and computer accounts

Simon Hartl simon.hartl at students.jku.at
Thu Apr 28 11:00:47 GMT 2005


Ultra-Short Description: winbind fails to authenticate computer account

I'm planning to implement 802.1x for my network and have some trouble with the
Windows integration.

- Users in Windows 2003 Active Directory
- Authentication Server: Debian GNU/Linux acting as AD Member Server (debian
testing, samba-3.0.10 release, freeradius 1.0.1 release)

The clients (mostly Windows) should log on transparently with the integrated
802.1x client using PEAP with EAP-MSCHAPv2. This works perfectly with the
ntlm_auth command provided with the Samba distribution.

The problem is that network authentication should be performed before the user
logs on - Windows calls this "authenticate as computer". The EAP messages are
passed correctly to the freeradius server but ntlm_auth fails.

I tried to simulate this behaviour manually:
- extracted a Samba machine password for an AD member (tdbdump secrets.tdb)
- trying to log in with the computer account and the password from step 1
produces the following output (stripped out plaintext attempt):

debian:~# wbinfo -a debian$%yuNPtkinMrbU1w
challenge/response password authentication failed
error message was: No logon workstation trust account

If I try to authenticate as the same user/pwd with Kerberos there is no problem
and the TGT is supplied.

Is it possible (now or in the future) to authenticate computer accounts with
winbind/ntlm_auth or is there another solution for my problem?


