[Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question

Kelvin Yip kelvin at icshk.com
Tue Nov 11 02:59:13 MST 2014


Hi all,

I have Samba 4.2 (Version 4.2.0pre1-GIT-6d2f56d) as an AD domain controller.
Some users can only log on to specific Windows workstations. Now we want to
configure the Samba AD as the user authentication for Squid. I use the
following configuration in Squid. The users without a workstation limitation
can successfully authenticate to Squid, but the users with a workstation
limitation cannot.

############################ squid.conf Start #############################
auth_param ntlm program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Welcome to proxy!
auth_param basic credentialsttl 2 hours
############################ squid.conf End #############################

So I manually tried the ntlm_auth3 command, and it seems I can never log in,
even when I enter the correct workstation name.

[root@squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc
NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)

[root@squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc --workstation=squid_server
NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)

[root@gate01 ~]# wbinfo -a dummy%1234567Abc
plaintext password authentication failed
Could not authenticate user dummy%1234567Abc with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_INVALID_WORKSTATION (0xc0000070)
error message was: Invalid workstation
Could not authenticate user dummy with challenge/response

Now, when I add the domain controller's NetBIOS name to the allowed workstation
list for that user, I can authenticate successfully.

[root@DC]# ntlm_auth --username=dummy --password=1234567Abc
NT_STATUS_OK: Success (0x0)

However, other Samba 3/Samba 4 member servers cannot authenticate using NTLM.
The result is just as mentioned above.

One more question: I have seen that the release notes say server services
should be configured as winbindd instead of winbind in smb.conf. Is that
correct for a Samba AD domain controller setup? I tried this configuration,
but Samba never seems to start up correctly.

Thanks a million.

Best,

Kelvin Yip


