[Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question

Andrew Bartlett abartlet at samba.org
Fri Nov 14 02:22:27 MST 2014

On Tue, 2014-11-11 at 17:59 +0800, Kelvin Yip wrote:
> Hi all,
> I have samba4.2 (Version 4.2.0pre1-GIT-6d2f56d) as AD domain controller.
> Some users can only logon to specific Windows workstation. Now, we want to
> configure the samba AD as the user authentication of squid. I use the
> following configuration in squid. The users without workstation limitation
> can successfully authenticate to squid, but the user with workstation
> limitation cannot.

> Now when I add Domain Controller's NetBIOS Name to the allowed workstation
> list for that user, I can authenticate successfully.
> [root@DC]# ntlm_auth --username=dummy --password=1234567Abc
> NT_STATUS_OK: Success (0x0)

Correct.  For basic authentication the server running winbind for squid
uses its own name in the SamLogon request.  For NTLMSSP authentication,
it will use the name specified in the NTLMSSP packet. 

The userWorkstations restriction really is pretty poorly thought out -
it should only have applied to interactive logons - and is a hold-over
from the days of NT4.  These days we should be doing proper host-based
access control with Kerberos tickets or other things, but sadly none of
that is implemented in AD, and this is one of the sad consequences. 

(All the questions about DNS are missing the mark here, it is just as
simple as us just using our own name). 


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
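An added example, not from this thread and not Samba's own code, that models the behaviour Andrew describes: which workstation name reaches the userWorkstations check on each ntlm_auth path, and why a squid basic-auth helper running on the DC only passes for a restricted user once the DC's own NetBIOS name is in the list. The userWorkstations format (comma-separated NetBIOS names, empty meaning unrestricted, compared case-insensitively) and the shape of the ntlm_auth status line are assumptions stated in the comments.

```python
from __future__ import annotations
import re
from typing import Optional

# ntlm_auth result line as seen in the thread: "NT_STATUS_OK: Success (0x0)".
# Assumed general layout: "<NT_STATUS name>: <description> (<hex code>)".
STATUS_RE = re.compile(r"^(NT_STATUS_[A-Z0-9_]+): (.*) \((0x[0-9a-fA-F]+)\)$")


def parse_status_line(line: str) -> tuple[str, int]:
    """Return (status name, numeric code) from an ntlm_auth result line."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ntlm_auth status line: {line!r}")
    return m.group(1), int(m.group(3), 16)


def parse_user_workstations(value: Optional[str]) -> frozenset[str]:
    """AD stores userWorkstations as a comma-separated list of NetBIOS names
    (assumed format); empty/absent means the user is unrestricted."""
    if not value or not value.strip():
        return frozenset()
    return frozenset(n.strip().upper() for n in value.split(",") if n.strip())


def workstation_presented(mode: str, dc_netbios_name: str,
                          ntlmssp_workstation: Optional[str] = None) -> str:
    """Name winbind puts in the SamLogon request, per the reply above:
    basic auth -> the server's own name; NTLMSSP -> the client's workstation field."""
    if mode == "basic":
        return dc_netbios_name.upper()
    if mode == "ntlmssp":
        if not ntlmssp_workstation:
            raise ValueError("NTLMSSP path needs the workstation field from the client")
        return ntlmssp_workstation.upper()
    raise ValueError(f"unknown mode {mode!r}")


def logon_allowed(user_workstations: Optional[str], presented: str) -> bool:
    """The userWorkstations check: unrestricted users pass, restricted users
    pass only when the presented name is one of the listed NetBIOS names."""
    allowed = parse_user_workstations(user_workstations)
    return not allowed or presented.upper() in allowed


def squid_basic_ok(user_workstations: Optional[str], dc_netbios_name: str) -> bool:
    """Outcome for a squid basic-auth helper whose winbind runs on the DC."""
    return logon_allowed(user_workstations, workstation_presented("basic", dc_netbios_name))


if __name__ == "__main__":
    # Constructed sample: user "dummy" restricted to PC1 and PC2, helper host is "DC".
    print("basic auth, DC not listed:", squid_basic_ok("PC1,PC2", "DC"))       # False
    print("basic auth, DC added:     ", squid_basic_ok("PC1,PC2,DC", "DC"))    # True
    print("NTLMSSP from PC1:         ",
          logon_allowed("PC1,PC2", workstation_presented("ntlmssp", "DC", "pc1")))  # True
```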
