[Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question

Rowland Penny rowlandpenny at googlemail.com
Tue Nov 11 04:32:37 MST 2014


On 11/11/14 09:59, Kelvin Yip wrote:
> Hi all,
>
> I have samba4.2 (Version 4.2.0pre1-GIT-6d2f56d) as AD domain controller.
> Some users can only log on to specific Windows workstations. Now, we want to
> configure the samba AD as the user authentication of squid. I use the
> following configuration in squid. The users without workstation limitation
> can successfully authenticate to squid, but the user with workstation
> limitation cannot.
>
> ############################ squid.conf Start #############################
> auth_param ntlm program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 30
> auth_param ntlm keep_alive on
>
> auth_param basic program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-basic
> auth_param basic children 5
> auth_param basic realm Welcome to proxy!
> auth_param basic credentialsttl 2 hours
> ############################ squid.conf End #############################
>
> So, I manually tried the ntlm_auth3 command, and it seems I can never log in
> even when I enter the correct workstation name.
>
> [root@squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc
> NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
>
> [root@squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc --workstation=squid_server
> NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
>
> [root@gate01 ~]# wbinfo -a dummy%1234567Abc
> plaintext password authentication failed
> Could not authenticate user dummy%1234567Abc with plaintext password
> challenge/response password authentication failed
> error code was NT_STATUS_INVALID_WORKSTATION (0xc0000070)
> error message was: Invalid workstation
> Could not authenticate user dummy with challenge/response
>
> Now when I add the Domain Controller's NetBIOS name to the allowed workstation
> list for that user, I can authenticate successfully.
>
> [root@DC]# ntlm_auth --username=dummy --password=1234567Abc
> NT_STATUS_OK: Success (0x0)
>
> However, other samba3/samba4 member servers cannot authenticate using NTLM.
> The result is just as mentioned above.
>
> One more question: I have seen that the release note said server services
> should be configured as winbindd instead of winbind in smb.conf. Is it correct
> for a Samba AD domain controller setup? I tried this configuration but samba
> never seems to start up correctly.
>
I don't know about the squid problem, but when you provision 4.2x you 
should be using 'winbindd' automatically, you shouldn't have to alter 
anything.

Rowland

>
> Thanks a million.
>
> Best,
>
> Kelvin Yip
>


