[Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question

Rowland Penny rowlandpenny at googlemail.com
Wed Nov 12 04:11:05 MST 2014


On 12/11/14 09:15, Kelvin Yip wrote:
> Louis,
>
> Thanks for your suggestion. Now I have a problem creating the PTR record and I am
> troubleshooting it.
> Is there any log/command/method by which I can see what "workstation" field was
> passed to AD when using the ntlm_auth command?
> Thanks.
>
> Best,
> Kelvin Yip
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of L.P.H. van Belle
> Sent: Tuesday, November 11, 2014 10:37 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question
>
> Few questions.
>
> 1) Does the proxy server have an A and PTR record?
> 2) Did you enable the Windows authentication in the browser?
> 3) Did you add the domain in the local intranet sites?
> 4) You cannot use "transparent" with authentication. (Well, you keep getting a
> popup.)
>
> And go read:
> https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4
> Yes, no proxy, but all the pointers you need.
> For the squid host you need the HOST and HTTP SPN.
>
>
> This is what i have on my proxy. ( not kerberos but ldap auth )
>
> ##  squid-01-01-auth-AD.conf
> ## AUTHENTICATION TO ACTIVE DIRECTORY
> #
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
>          -b "OU=domain,DC=internal,DC=domain,DC=tld" \
>          -D ldap-bind@internal.domain.tld -W /etc/squid3/private/ldap-bind \
>          -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
>          -h dc1.internal.domain.tld
> auth_param basic children 50
> auth_param basic realm domain Secured Internet Proxy
> auth_param basic credentialsttl 3 hours
>
> # Basic Ldap auth as fallback authentication
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 \
>           -b "dc=internal,dc=domain,dc=tld" \
>           -D cn=replicator,dc=internal,dc=domain,dc=tld -W /etc/squid3/private/ldap-bind \
>           -f uid=%s ldap.internal.domain.tld
> auth_param basic realm domain Internet Proxy.
> auth_param basic children 50
> auth_param basic credentialsttl 3 hours
>
> acl authenticated proxy_auth REQUIRED
>
>
> Kerberos is next to be tested, but same as you I'm waiting for samba 4.2,
> or if you run debian you can use samba 3.6 for the winbind auth. That's the
> first I'm going to test.
>
> The above is running on Debian wheezy with squid 3.3.8 (backported from Debian
> jessie).
>
> Greetz,
>
> Louis
>
>
>
>> -----Original Message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: Tuesday 11 November 2014 12:33
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question
>>
>> On 11/11/14 09:59, Kelvin Yip wrote:
>>> Hi all,
>>>
>>>    
>>>
>>> I have samba4.2 (Version 4.2.0pre1-GIT-6d2f56d) as AD domain controller.
>>> Some users can only log on to a specific Windows workstation. Now, we want to
>>> configure the samba AD as the user authentication of squid. I use the
>>> following configuration in squid. The users without workstation limitation
>>> can successfully authenticate to squid, but the user with workstation
>>> limitation cannot.
>>>
>>> ############################ squid.conf Start #############################
>>> auth_param ntlm program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 30
>>> auth_param ntlm keep_alive on
>>>
>>> auth_param basic program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-basic
>>> auth_param basic children 5
>>> auth_param basic realm Welcome to proxy!
>>> auth_param basic credentialsttl 2 hours
>>> ############################ squid.conf End #############################
>>>
>>> So, I manually tried the ntlm_auth3 command, and it seems I can never log in
>>> even when I enter the correct workstation name.
>>>
>>> [root@squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc
>>> NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
>>>
>>> [root@squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc --workstation=squid_server
>>> NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
>>>
>>> [root@gate01 ~]# wbinfo -a dummy%1234567Abc
>>> plaintext password authentication failed
>>> Could not authenticate user dummy%1234567Abc with plaintext password
>>> challenge/response password authentication failed
>>> error code was NT_STATUS_INVALID_WORKSTATION (0xc0000070)
>>> error message was: Invalid workstation
>>> Could not authenticate user dummy with challenge/response
>>>
>>> Now when I add the Domain Controller's NetBIOS name to the allowed workstation
>>> list for that user, I can authenticate successfully.
>>>
>>> [root@DC]# ntlm_auth --username=dummy --password=1234567Abc
>>> NT_STATUS_OK: Success (0x0)
>>>
>>> However, other samba3/samba4 member servers cannot authenticate using NTLM.
>>> The result is just as mentioned above.
>>>
>>> One more question: I have seen that the release notes say server services should
>>> be configured as winbindd instead of winbind in smb.conf. Is that correct for
>>> a Samba AD domain controller setup? I tried this configuration but samba
>>> never seems to start up correctly.
>>>
>>>    
>> I don't know about the squid problem, but when you provision 4.2x you
>> should be using 'winbindd' automatically, you shouldn't have to alter
>> anything.
>>
>> Rowland
>>
>>> Thanks a million.
>>>
>>> Best,
>>>
>>> Kelvin Yip
>>>
Have you created the reverse zone? It is not created automatically. Also,
I am fairly sure that Windows clients will not try to create PTRs
without further configuration on the clients; try googling.

Rowland
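
Added example (not part of the original thread, and not Samba or squid code): on the question of seeing which "workstation" value a client announces, this decodes the Domain, User and Workstation fields from the base64 NTLMSSP blob a browser sends in a "Proxy-Authorization: NTLM ..." header, as seen in a packet capture. Field offsets follow the MS-NLMP message layout; the sample message is constructed, "EXAMPLE" is a made-up domain, and latin-1 stands in for the client's OEM code page.

```python
import base64
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
# Offsets of the flags and of each (Len, MaxLen, BufferOffset) descriptor, per MS-NLMP.
LAYOUT = {
    1: {"flags": 12, "domain": 16, "workstation": 24},              # NEGOTIATE
    3: {"flags": 60, "domain": 28, "user": 36, "workstation": 44},  # AUTHENTICATE
}

def _field(msg, pos, encoding):
    """Follow one descriptor and decode the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length].decode(encoding, errors="replace")

def parse_ntlmssp(blob_b64):
    """Return the message type and the names the client placed in the blob."""
    msg = base64.b64decode(blob_b64, validate=True)
    if msg[:8] != b"NTLMSSP\x00" or len(msg) < 12:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype not in LAYOUT:
        raise ValueError(f"message type {mtype} carries no name fields")
    layout = LAYOUT[mtype]
    try:
        flags = struct.unpack_from("<I", msg, layout["flags"])[0]
        # Type 1 names are always OEM; type 3 is UTF-16LE when the flag is set.
        wide = mtype == 3 and flags & NTLMSSP_NEGOTIATE_UNICODE
        enc = "utf-16-le" if wide else "latin-1"  # latin-1 stands in for the OEM code page
        names = {k: _field(msg, pos, enc) for k, pos in layout.items() if k != "flags"}
    except struct.error:
        raise ValueError("truncated NTLMSSP message") from None
    return {"type": mtype, **names}

def build_sample_type3(domain, user, workstation):
    """Constructed AUTHENTICATE message with empty responses (sample input only)."""
    parts = [b"", b""] + [s.encode("utf-16-le") for s in (domain, user, workstation)] + [b""]
    header, payload = b"NTLMSSP\x00" + struct.pack("<I", 3), b""
    for p in parts:  # LM, NT, domain, user, workstation, session key
        header += struct.pack("<HHI", len(p), len(p), 64 + len(payload))
        payload += p
    return base64.b64encode(header + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload).decode()

if __name__ == "__main__":
    # "EXAMPLE" is a made-up domain; user and workstation are the names from the thread.
    print(parse_ntlmssp(build_sample_type3("EXAMPLE", "dummy", "SQUID_SERVER")))
```

The workstation string decoded here is the one to compare against the user's allowed-workstations list on the DC.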


