[Samba] winbind and computer accounts

Simon Hartl simon.hartl at students.jku.at
Thu Apr 28 11:00:47 GMT 2005


Hello!

Ultra-Short Description: winbind fails to authenticate computer account

I'm planning to implement 802.1x for my network and have some trouble with the
Windows integration.

environment:
- Users in Windows 2003 Active Directory
- Authentication Server: Debian GNU/Linux acting as AD Member Server (debian
testing, samba-3.0.10 release, freeradius 1.0.1 release)

The clients (mostly Windows) should log on transparently with the integrated
802.1x client using PEAP with EAP-MSCHAPv2. This works perfectly with the
ntlm_auth command provided with the samba distribution.

The problem is that network authentication should be performed before the user
logs on - Windows calls this "authenticate as computer". The EAP messages are
passed correctly to the freeradius server but ntlm_auth fails.

I tried to simulate this behaviour manually:
- extracted a samba machine password for an AD member (tdbdump secrets.tbd)
- trying to log in with the computer account and the password from step 1 produces
the following output (stripped out plaintext attempt):

debian:~# wbinfo -a debian$%yuNPtkinMrbU1w
..
challenge/response password authentication failed
error code was NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (0xc00001199)
error message was: No logon workstation trust account
..


If I try to authenticate as the same user/pwd with kerberos there is no problem
and the TGT is supplied.


Is it possible (now or in the future) to authenticate computer accounts with
winbind/ntlm_auth or is there another solution for my problem?

Regards,

Simon

