[Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question

Kelvin Yip kelvin at icshk.com
Wed Nov 12 18:28:50 MST 2014


Hi,

I am able to delete and create a PTR zone using samba-tool. However, I cannot
add any record, as follows:

[root at linux01 Samba-Migrate]# /usr/local/samba/bin/samba-tool dns zonedelete linux01 188.168.192.in-addr.arpa -U administrator
Password for [ICS\administrator]:
Zone 188.168.192.in-addr.arpa delete successfully
[root at linux01 Samba-Migrate]# /usr/local/samba/bin/samba-tool dns zonecreate linux01 188.168.192.in-addr.arpa -U administrator
Password for [ICS\administrator]:
Zone 188.168.192.in-addr.arpa created successfully
[root at linux01 Samba-Migrate]# samba-tool dns add linux01 icshk.local demo A 192.168.188.125
ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 1070, in run
    0, server, zone, name, add_rec_buf, None)
[root at linux01 Samba-Migrate]# samba-tool dns add linux01 188.168.192.in-addr.arpa 55 PTR demo.icshk.local
ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 1070, in run
    0, server, zone, name, add_rec_buf, None)

Best,
Kelvin Yip

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Rowland Penny
Sent: Wednesday, November 12, 2014 7:11 PM
To: samba at lists.samba.org
Subject: Re: [Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question

On 12/11/14 09:15, Kelvin Yip wrote:
> Louis,
>
> Thanks for your suggestion. Now I have a problem creating a PTR record
> and I am troubleshooting it.
> Is there any log/command/method by which I can see what "workstation" field was
> passed to AD when using the ntlm_auth command?
> Thanks.
>
> Best,
> Kelvin Yip
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org 
> [mailto:samba-bounces at lists.samba.org]
> On Behalf Of L.P.H. van Belle
> Sent: Tuesday, November 11, 2014 10:37 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question
>
> Few questions.
>
> 1) Does the proxy server have an A and a PTR record?
> 2) Did you enable Windows authentication in the browser?
> 3) Did you add the domain to the local intranet sites?
> 4) You cannot use "transparent" with authentication (well, you keep
> getting a popup).
>
> And go read:
> https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4
> Yes, no proxy there, but all the pointers you need.
> For the squid host you need the HOST and HTTP SPN.
>
>
> This is what I have on my proxy (not Kerberos but LDAP auth):
>
> ##  squid-01-01-auth-AD.conf
> ## AUTHENTICATION TO ACTIVE DIRECTORY
> #
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
>          -b "OU=domain,DC=internal,DC=domain,DC=tld" \
>          -D ldap-bind@internal.domain.tld -W /etc/squid3/private/ldap-bind \
>          -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
>          -h dc1.internal.domain.tld
> auth_param basic children 50
> auth_param basic realm domain Secured Internet Proxy
> auth_param basic credentialsttl 3 hours
>
> # Basic LDAP auth as fallback authentication
> auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 \
>           -b "dc=internal,dc=domain,dc=tld" \
>           -D cn=replicator,dc=internal,dc=domain,dc=tld -W /etc/squid3/private/ldap-bind \
>           -f uid=%s ldap.internal.domain.tld
> auth_param basic realm domain Internet Proxy.
> auth_param basic children 50
> auth_param basic credentialsttl 3 hours
>
> acl authenticated proxy_auth REQUIRED
>
>
> Kerberos is next to be tested, but like you I'm waiting for samba
> 4.2; or, if you run Debian, you can use samba 3.6 for the winbind auth.
> That is the first thing I'm going to test.
>
> The above is running on Debian wheezy with squid 3.3.8 (backported from
> Debian jessie).
>
> Greetz,
>
> Louis
>
>
>
>> -----Original Message-----
>> From: rowlandpenny at googlemail.com
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland Penny
>> Sent: Tuesday, 11 November 2014 12:33
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION
>> Question
>>
>> On 11/11/14 09:59, Kelvin Yip wrote:
>>> Hi all,
>>>
>>> I have samba4.2 (Version 4.2.0pre1-GIT-6d2f56d) as AD domain controller.
>>> Some users can only log on to specific Windows workstations. Now, we want to
>>> configure the samba AD as the user authentication for squid. I use
>>> the following configuration in squid. The users without workstation limitation
>>> can successfully authenticate to squid, but the user with
>>> workstation limitation cannot.
>>>
>>> ############################ squid.conf Start #############################
>>> auth_param ntlm program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-ntlmssp
>>> auth_param ntlm children 30
>>> auth_param ntlm keep_alive on
>>>
>>> auth_param basic program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-basic
>>> auth_param basic children 5
>>> auth_param basic realm Welcome to proxy!
>>> auth_param basic credentialsttl 2 hours
>>> ############################ squid.conf End #############################
>>>
>>> So I manually tried the ntlm_auth3 command, and it seems I can never log in,
>>> even when I enter the correct workstation name.
>>>
>>>
>>> [root at squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc
>>> NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
>>>
>>> [root at squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc --workstation=squid_server
>>> NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)
>>>
>>> [root at gate01 ~]# wbinfo -a dummy%1234567Abc
>>> plaintext password authentication failed
>>> Could not authenticate user dummy%1234567Abc with plaintext password
>>> challenge/response password authentication failed
>>> error code was NT_STATUS_INVALID_WORKSTATION (0xc0000070)
>>> error message was: Invalid workstation
>>> Could not authenticate user dummy with challenge/response
>>>
>>>
>>> Now when I add the Domain Controller's NetBIOS name to the allowed workstation
>>> list for that user, I can authenticate successfully.
>>>
>>> [root at DC]# ntlm_auth --username=dummy --password=1234567Abc
>>> NT_STATUS_OK: Success (0x0)
>>>
>>> However, other samba3/samba4 member servers cannot authenticate using NTLM.
>>> The result is just as mentioned above.
>>>
>>> One more question: I have seen the release notes say that server services should
>>> be configured as winbindd instead of winbind in smb.conf. Is that correct for a
>>> Samba AD domain controller setup? I tried this configuration but samba
>>> never seems to start up correctly.
>>>
>> I don't know about the squid problem, but when you provision 4.2x you
>> should be using 'winbindd' automatically; you shouldn't have to alter
>> anything.
>>
>> Rowland
>>
>>> Thanks a million.
>>>
>>> Best,
>>>
>>> Kelvin Yip
>>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
Have you created the reverse zone? It is not created automatically. Also, I
am fairly sure that Windows clients will not try to create PTRs without
further configuration on the clients; try googling.

Rowland
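An added check, not from any message in this thread, for the NT_STATUS_INVALID_WORKSTATION symptom Kelvin describes: the "Log On To" restriction that produces it is stored in the user's userWorkstations attribute as a comma-separated list of NetBIOS names. This script reads that list from the DC's local sam.ldb (path assumed from the /usr/local/samba prefix used above) and tests whether a given host name, such as the proxy's name passed in --workstation, is on it; the ws_allowed parser is the part that runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread. AD keeps the "Log On To" list in
# userWorkstations: comma-separated NetBIOS names, an empty attribute meaning
# no restriction. A user with a list gets NT_STATUS_INVALID_WORKSTATION when
# the workstation name presented at logon is not on it.

# ws_allowed LIST NAME -> exit 0 if NAME is in the comma-separated LIST
# (case-insensitive, surrounding whitespace ignored) or LIST is empty; else 1.
ws_allowed() {
    list=$1
    name=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    [ -z "$list" ] && return 0
    printf '%s' "$list" | tr ',' '\n' | tr '[:lower:]' '[:upper:]' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF -- "$name"
}

# user_workstations USER -> prints USER's userWorkstations value from the
# DC's sam.ldb. The path is an assumption based on the thread's install prefix.
user_workstations() {
    ldbsearch -H /usr/local/samba/private/sam.ldb \
        "(sAMAccountName=$1)" userWorkstations 2>/dev/null \
        | sed -n 's/^userWorkstations: //p'
}

# Usage on the DC: sh check_ws.sh USER WORKSTATION_NAME
if [ "$#" -eq 2 ]; then
    ws=$(user_workstations "$1")
    if ws_allowed "$ws" "$2"; then
        echo "$1: '$2' is allowed (userWorkstations='${ws:-<unset>}')"
    else
        echo "$1: '$2' is not in userWorkstations='$ws'; expect NT_STATUS_INVALID_WORKSTATION"
    fi
fi
```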
