[Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question

Kelvin Yip kelvin at icshk.com
Wed Nov 12 02:15:16 MST 2014


Louis, 

Thanks for your suggestion. Now I have a problem creating the PTR record and I am
troubleshooting it.
Is there any log/command/method I can use to see what "workstation" field was
passed to AD when using the ntlm_auth command?
Thanks.

Best,
Kelvin Yip

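One place the workstation name can be observed is the Workstation field of the NTLMSSP Type 3 (AUTHENTICATE) message that the browser sends in its Proxy-Authorization header when squid runs the squid-2.5-ntlmssp helper. The following Python is an added example, not code from this thread, from Samba or from squid: it builds a constructed Type 3 message with zero-filled placeholder responses and decodes the domain, user and workstation fields back out of it; EXAMPLE, dummy and squid_server are assumed sample values.

```python
import base64
import struct

# NegotiateFlags bits that decide how the string fields are encoded (MS-NLMP 2.2.2.5)
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
HEADER_LEN = 64  # signature(8) + type(4) + six field descriptors(6*8) + flags(4)

def _encoding(flags):
    return "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"  # OEM approximated as ASCII

def build_authenticate(domain, user, workstation,
                       flags=NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM):
    """Constructed Type 3 message for exercising the parser; the LM/NT responses are
    zero-filled placeholders, so this is a sample message, not a usable credential."""
    enc = _encoding(flags)
    fields = [b"\x00" * 24, b"\x00" * 24,           # LmChallengeResponse, NtChallengeResponse
              domain.encode(enc), user.encode(enc),  # DomainName, UserName
              workstation.encode(enc), b""]          # Workstation, EncryptedRandomSessionKey
    descriptors, payload = b"", b""
    for data in fields:
        # Each descriptor is Len, MaxLen, Offset; offsets count from the message start
        descriptors += struct.pack("<HHI", len(data), len(data), HEADER_LEN + len(payload))
        payload += data
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags) + payload

def parse_authenticate(blob):
    """Return the DomainName, UserName and Workstation fields of a Type 3 message."""
    if len(blob) < HEADER_LEN or blob[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", blob, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    enc = _encoding(struct.unpack_from("<I", blob, 60)[0])

    def field(pos):
        length, _maxlen, offset = struct.unpack_from("<HHI", blob, pos)
        if offset + length > len(blob):
            raise ValueError("field descriptor points past end of message")
        return blob[offset:offset + length].decode(enc)

    # Descriptor positions: LM@12, NT@20, Domain@28, User@36, Workstation@44
    return {"domain": field(28), "user": field(36), "workstation": field(44)}

def to_header(blob):
    """Wrap a message the way a browser sends it: 'Proxy-Authorization: NTLM <base64>'."""
    return "NTLM " + base64.b64encode(blob).decode("ascii")

def workstation_from_header(header_value):
    """Decode the token after 'NTLM ' and return the Workstation the client claimed."""
    token = header_value.split(None, 1)[1]
    return parse_authenticate(base64.b64decode(token))["workstation"]
```

Feeding a captured Proxy-Authorization value to workstation_from_header shows exactly which name the client presented, which can then be compared against the user's allowed workstation list in AD.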
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of L.P.H. van Belle
Sent: Tuesday, November 11, 2014 10:37 PM
To: samba at lists.samba.org
Subject: Re: [Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question

A few questions.

1) Does the proxy server have an A and PTR record?
2) Did you enable Windows authentication in the browser?
3) Did you add the domain to the local intranet sites?
4) You cannot use "transparent" with authentication. (Well, you keep getting a
popup.)

And go read:
https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4
Yes, no proxy, but all the pointers you need.
For the squid host you need the HOST and HTTP SPN.


This is what I have on my proxy (not Kerberos but LDAP auth):

##  squid-01-01-auth-AD.conf  
## AUTHENTICATION TO ACTIVE DIRECTORY
#
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
        -b "OU=domain,DC=internal,DC=domain,DC=tld" \
        -D ldap-bind at internal.domain.tld -W /etc/squid3/private/ldap-bind \
        -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
        -h dc1.internal.domain.tld
auth_param basic children 50
auth_param basic realm domain Secured Internet Proxy
auth_param basic credentialsttl 3 hours

# Basic Ldap auth as fallback authentication
auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 \
         -b "dc=internal,dc=domain,dc=tld" \
         -D cn=replicator,dc=internal,dc=domain,dc=tld -W /etc/squid3/private/ldap-bind \
         -f uid=%s ldap.internal.domain.tld
auth_param basic realm domain Internet Proxy. 
auth_param basic children 50
auth_param basic credentialsttl 3 hours

acl authenticated proxy_auth REQUIRED


Kerberos is next to be tested, but like you I'm waiting for samba 4.2,
or if you run Debian you can use samba 3.6 for the winbind auth. That is the
first thing I'm going to test.

The above is running on Debian wheezy with squid 3.3.8 (backported from Debian
jessie).

Greetz, 

Louis



>-----Original Message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>Sent: Tuesday, 11 November 2014 12:33
>To: samba at lists.samba.org
>Subject: Re: [Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question
>
>On 11/11/14 09:59, Kelvin Yip wrote:
>> Hi all,
>>
>> I have samba4.2 (Version 4.2.0pre1-GIT-6d2f56d) as AD domain controller.
>> Some users can only log on to specific Windows workstations. Now we want to
>> configure the Samba AD as the user authentication for squid. I use the
>> following configuration in squid. The users without a workstation limitation
>> can successfully authenticate to squid, but the user with a workstation
>> limitation cannot.
>>
>> ############################ squid.conf Start #############################
>>
>> auth_param ntlm program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 30
>> auth_param ntlm keep_alive on
>>
>> auth_param basic program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-basic
>> auth_param basic children 5
>> auth_param basic realm Welcome to proxy!
>> auth_param basic credentialsttl 2 hours
>>
>> ############################ squid.conf End #############################
>>
>> So I manually tried the ntlm_auth3 command, and it seems I can never log in,
>> even when I enter the correct workstation name.
>>
>> [root at squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc
>> NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
>>
>> [root at squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc --workstation=squid_server
>> NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
>>
>> [root at gate01 ~]# wbinfo -a dummy%1234567Abc
>> plaintext password authentication failed
>> Could not authenticate user dummy%1234567Abc with plaintext password
>> challenge/response password authentication failed
>> error code was NT_STATUS_INVALID_WORKSTATION (0xc0000070)
>> error message was: Invalid workstation
>> Could not authenticate user dummy with challenge/response
>>
>> Now when I add the Domain Controller's NetBIOS name to the allowed workstation
>> list for that user, I can authenticate successfully.
>>
>> [root at DC]# ntlm_auth --username=dummy --password=1234567Abc
>> NT_STATUS_OK: Success (0x0)
>>
>> However, other samba3/samba4 member servers cannot authenticate using NTLM.
>> The result is just as mentioned above.
>>
>> One more question: I have seen the release notes say that server services
>> should be configured as winbindd instead of winbind in smb.conf. Is that
>> correct for a Samba AD domain controller setup? I tried this configuration
>> but samba never seems to start up correctly.
>>
>I don't know about the squid problem, but when you provision 4.2x you
>should be using 'winbindd' automatically; you shouldn't have to alter
>anything.
>
>Rowland
>
>>
>> Thanks a million.
>>
>> Best,
>>
>> Kelvin Yip
>>

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba