[Samba] Workstation Logon Restrictions (Log On To) with samba 4 AD

Trenta sis trenta.sis at gmail.com
Wed Nov 2 20:59:06 UTC 2016


Can I do anything to recover this feature, or a similar feature, as it was
available in Samba 3?


2016-11-01 19:27 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:

> Hi Andrew and James,
> My configuration is made from the ADUC tools as you described, but it
> doesn't work correctly.
> About Andrew's message about this issue, I understand that it is an issue
> and is not solved, and no solution is available... The only workaround is
> to disable logon restrictions in ADUC; then it works, but without security...
> Additional information: with Samba 3 and an NT domain it was working perfectly.
> Thanks
> 2016-11-01 6:57 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:
>> On Sun, 2016-10-30 at 20:20 +0100, Trenta sis via samba wrote:
>> > Hi,
>> >
>> > After a migration from a Samba 3 NT domain to Samba 4 AD we have
>> > detected that Workstation Logon Restrictions (Log On To) are not
>> > working correctly. With Samba 3 it was working perfectly, but after
>> > the migration we have detected that some resources are not available,
>> > for example roaming profiles, home folders... We have tried to add as
>> > "log on to" workstations the Samba machine (DC) and the machine that
>> > has the roaming profiles, home folders..., but without success. It
>> > only works if we disable all "log on to" restrictions, but then for
>> > our environment it is a security problem.
>> >
>> > How can I solve this?
>> The implementation of the workstation logon restrictions has always
>> been a bit of a hack in Windows domains, and so too in Samba.  In NTLM,
>> it was enforced largely by the client-supplied and unverified
>> 'workstation' in the NTLM packet.  The protections in the NETLOGON
>> server are a bit stronger, but your issue is that the KDC is now
>> issuing the ticket, and perhaps that isn't checking the optional
>> 'workstation name' 'address' that is put in the krb5 request.
>>
>> The correct way to enforce a login restriction would be to deny the
>> service ticket, but then we would have to tell which TGS-REQ packets
>> were for desktop logon, and which were for other services on other
>> hosts.
>>
>> All in all, this is very hard to do on the DC.  The workstation itself
>> would be better placed to enforce such a restriction as an ACL, but I
>> don't know of a way to do that.
>> Andrew Bartlett
>> --
>> Andrew Bartlett                       http://samba.org/~abartlet/
>> Authentication Developer, Samba Team  http://samba.org
>> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
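Added example, not taken from this thread or from Samba's own source: a small Python model of the "Log On To" check as a domain controller applies it on the NTLM/NETLOGON path that Andrew describes. In AD the ADUC "Log On To" list is stored in the user's userWorkstations attribute as a comma-separated list of NetBIOS computer names (an empty value means "All computers"), and the DC compares that list, case-insensitively, against the workstation name carried in the logon request. The account data, host names and status-name strings below are constructed for illustration; the spoofing_outcome helper is a hypothetical name used here to show why a check keyed on a client-supplied field gives little assurance.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample directory data (not from the thread). The value is
# what a real userWorkstations attribute would hold for each account.
SAMPLE_ACCOUNTS: Dict[str, Optional[str]] = {
    "alice": "PC01,PC02",   # "Log On To" limited to two workstations
    "bob": None,            # attribute absent: "All computers"
}


def parse_user_workstations(value: Optional[str]) -> List[str]:
    """Split a userWorkstations value into upper-cased NetBIOS names.

    Tolerates spaces around names and a trailing comma, both common in
    hand-edited attribute values.
    """
    if not value:
        return []
    return [name.strip().upper() for name in value.split(",") if name.strip()]


def workstation_allowed(user_workstations: Optional[str],
                        client_workstation: Optional[str]) -> bool:
    """Evaluate the 'Log On To' list the way the DC does for an
    NTLM/NETLOGON logon: case-insensitive NetBIOS name match.

    client_workstation is whatever the client wrote into its logon
    request; nothing in this check (or on the DC) proves the request
    really originated from that machine.
    """
    allowed = parse_user_workstations(user_workstations)
    if not allowed:
        return True        # empty list means "All computers"
    if not client_workstation:
        return False       # restricted account, but no name to compare
    return client_workstation.strip().upper() in allowed


def evaluate_logon(accounts: Dict[str, Optional[str]],
                   user: str, client_workstation: Optional[str]) -> str:
    """Return the NT status name the check would yield for one logon."""
    if user not in accounts:
        return "NT_STATUS_NO_SUCH_USER"
    if workstation_allowed(accounts[user], client_workstation):
        return "NT_STATUS_OK"
    return "NT_STATUS_INVALID_WORKSTATION"


def spoofing_outcome(accounts: Dict[str, Optional[str]], user: str,
                     real_host: str, claimed_host: str) -> Tuple[str, str]:
    """Hypothetical helper: the decision depends only on the claimed
    name, so a client really sitting on real_host that writes
    claimed_host into the workstation field gets claimed_host's result.
    Returns (honest result, spoofed result)."""
    return (evaluate_logon(accounts, user, real_host),
            evaluate_logon(accounts, user, claimed_host))


if __name__ == "__main__":
    for user, ws in [("alice", "PC01"), ("alice", "pc02"), ("alice", "PC99"),
                     ("alice", None), ("bob", "PC99")]:
        print(f"{user:6} from {str(ws):5}: {evaluate_logon(SAMPLE_ACCOUNTS, user, ws)}")
    # A client on PC99 that merely claims to be PC01 passes the check.
    print("spoof:", spoofing_outcome(SAMPLE_ACCOUNTS, "alice", "PC99", "PC01"))
```

Two things to take from the model when troubleshooting the situation in the thread: the list is matched against the name of the computer the logon originates from, not against servers the user later connects to, so entries are only meaningful as workstation names; and because the compared name is supplied by the client, the restriction is an administrative convenience rather than a security boundary even where it is enforced, which is the point Andrew makes about the NTLM path.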
