[Samba] ntlm_auth allowing users which are denied access

Andrew Bartlett abartlet at samba.org
Tue Oct 30 05:41:50 MDT 2012

On Tue, 2012-10-30 at 16:27 +0530, Prateek Kumar wrote:
> Hi,
>        I am using samba 3.2.2 with freeradius . I have joined the domain &
> able to authenticate users with ntlm_auth.
> If in ADS-2003 I configure the Remote Access Permission for the user (
> User-properties->Dial-in ) as Deny then if I use the "ntlm_auth
> --username=user --password=password" I get NT_STATUS_OK. What could be the
> reason for this behavior , or is there any patch for this?
> Also if I use windows server's radius server than I am not able to connect
> my user be NT_STATUS_OKcause access is denied for that user.

There is nothing that ntlm_auth does to indicate to the DC that this is
for a remote access server, compared with say, Squid or a CIFS login.
That's why it doesn't fail.

Perhaps the --require-membership-of option might help, but I don't know
what that particular GUI option sets.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list