[Samba] Workstation Logon Restrictions (Log On To) with samba 4 AD

Andrew Bartlett abartlet at samba.org
Wed Nov 2 22:02:55 UTC 2016


On Wed, 2016-11-02 at 21:59 +0100, Trenta sis wrote:
> hi,
> 
> 
> Can I do any action to recover this feature or similar feature as It
> was available to samba 3?

At this stage it needs some development, to add comprehensive tests and
have the feature re-added to the KDC, assuming that is practical in the
current architecture.

You are welcome to file a bug, but I sense this one will need a
reasonable chunk of work to ensure not just it is fixed, but stays
fixed.

Andrew Bartlett

> thanks
> 
> 2016-11-01 19:27 GMT+01:00 Trenta sis <trenta.sis at gmail.com>:
> > hi andrew and james,
> > 
> > my configuration is made from the ADUC tools as you described, but
> > it doesn't work correctly.
> > About Andrew's message on this issue, I understand that it is an
> > issue, that it is not solved, and that no solution is available...
> > the only workaround is to disable the log on restrictions in ADUC,
> > then it works, but without security...
> > Additional information: with samba 3 and an NT domain it was working
> > perfectly.
> > 
> > thanks
> > 
> > 
> > 
> > 
> > 2016-11-01 6:57 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:
> > > On Sun, 2016-10-30 at 20:20 +0100, Trenta sis via samba wrote:
> > > > Hi,
> > > >
> > > > After a migration from a samba 3 NT domain to samba 4 AD we have
> > > > detected that Workstation Logon Restrictions (Log On To) are not
> > > > working correctly. With samba 3 it was working perfectly, but
> > > > after the migration we have detected that some resources are not
> > > > available, for example roaming profiles, home folders... We have
> > > > tried to add as "log on to" workstations the samba machine (DC),
> > > > the machine that has the roaming profiles, home folders.... but
> > > > without success. It only works if we disable all "log on to"
> > > > restrictions, but then for our environment it is a security
> > > > problem.
> > > >
> > > > How can I solve?
> > > 
> > > The implementation of the workstation logon restrictions has always
> > > been a bit of a hack in Windows domains, and so too in Samba.  In
> > > NTLM, it was enforced largely by the client-supplied and unverified
> > > 'workstation' in the NTLM packet.  The protections in the NETLOGON
> > > server are a bit stronger, but your issue is that the KDC is now
> > > issuing the ticket, and perhaps that isn't checking the optional
> > > 'workstation name' 'address' that is put in the krb5 request.
> > > 
> > > The correct way to enforce a login restriction would be to deny the
> > > service ticket, but then we would have to tell which TGS-REQ packets
> > > were for desktop logon, and which were for other services on other
> > > hosts.
> > > 
> > > All in all, this is very hard to do on the DC.  The workstation
> > > itself would be better placed to enforce such a restriction as an
> > > ACL, but I don't know of a way to do that.
> > > 
> > > Andrew Bartlett
> > > 
> > > --
> > > Andrew Bartlett                       http://samba.org/~abartlet/
> > > Authentication Developer, Samba Team  http://samba.org
> > > Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
> > > 
> > > 
> > 
> > 
> 
> 
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
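The thread above explains that the "Log On To" restriction is stored on the user account and, in the NTLM path, is checked against a client-supplied workstation name, while the Samba 4 KDC does not check it for Kerberos logons. An administrator in the poster's position would want to know which accounts currently rely on that attribute. The following script is an added example, not Samba code or anything from this thread: it parses the `userWorkstations` attribute (the real AD attribute behind "Log On To", a comma-separated list of NetBIOS names) out of LDIF-style output such as `ldbsearch` or `samba-tool user show` produce, lists the restricted accounts, and implements the name comparison the NTLM path applies. The LDIF sample is constructed, and the case-insensitive match rule is an assumption about how the check behaves.

```python
"""Audit which Samba AD accounts rely on 'Log On To' workstation restrictions.

Added example, not part of Samba. The userWorkstations attribute holds a
comma-separated list of NetBIOS workstation names. Per the thread, only the
NTLM path consults it (using the client-supplied workstation name), so
accounts listed here are the ones whose expected protection does not apply
to Kerberos logons on a Samba 4 AD DC.
"""
from typing import Dict, Set

# Constructed sample in the shape ldbsearch/samba-tool produce; not real data.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userWorkstations: WS01,WS02,FILESRV

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
userWorkstations: ws03
"""


def parse_workstations(value: str) -> Set[str]:
    """Split a userWorkstations value into normalised NetBIOS names.

    NetBIOS names are case-insensitive, so they are upper-cased (assumption:
    the comparison rule, not a documented Samba detail). Empty fields from
    stray commas are dropped.
    """
    return {name.strip().upper() for name in value.split(",") if name.strip()}


def parse_ldif(text: str) -> Dict[str, Set[str]]:
    """Map sAMAccountName -> allowed workstation set (empty = unrestricted).

    Minimal LDIF reader: a 'dn:' line starts a new entry; blank lines end it.
    Only the two attributes of interest are read.
    """
    entries: Dict[str, Set[str]] = {}
    sam = None
    allowed: Set[str] = set()
    for line in text.splitlines():
        if line.startswith("dn:"):
            if sam is not None:
                entries[sam] = allowed
            sam, allowed = None, set()
        elif line.lower().startswith("samaccountname:"):
            sam = line.split(":", 1)[1].strip()
        elif line.lower().startswith("userworkstations:"):
            allowed = parse_workstations(line.split(":", 1)[1])
    if sam is not None:
        entries[sam] = allowed
    return entries


def restricted_accounts(entries: Dict[str, Set[str]]) -> list:
    """Accounts that have a non-empty 'Log On To' list, i.e. rely on the check."""
    return sorted(sam for sam, allowed in entries.items() if allowed)


def workstation_allowed(allowed: Set[str], client_workstation: str) -> bool:
    """The NTLM-path decision: no list means unrestricted, otherwise the
    client-supplied workstation name must appear in the list. The name is
    whatever the client put in the NTLM packet, which is why the thread calls
    this enforcement weak: nothing here verifies where the request came from.
    """
    if not allowed:
        return True
    return client_workstation.strip().upper() in allowed


if __name__ == "__main__":
    accounts = parse_ldif(SAMPLE_LDIF)
    for sam in restricted_accounts(accounts):
        print(f"{sam}: Log On To = {sorted(accounts[sam])} "
              "(enforced for NTLM only per this thread)")
```

Run it against real output by replacing `SAMPLE_LDIF` with the text of `ldbsearch -H /var/lib/samba/private/sam.ldb '(userWorkstations=*)' sAMAccountName userWorkstations` on the DC (path and filter are an assumption about a default install). Every account it lists is one whose workstation restriction the KDC is not enforcing for Kerberos logons, which is the gap the thread describes.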