Hello!
Ultra-Short Description: winbind fails to authenticate computer account
I'm planning to implement 802.1x for my network and have some troubles with
the
windows integration.
environment:
- Users in Windows 2003 Active Directory
- Authentication Server: Debian GNU/Linux acting as AD Member Server (debian
testing, samba-3.0.10 release, freeradius 1.0.1 release)
The clients (mostly windows) should log-on transparently with the integrated
802.1x client using PEAP with EAP-MSCHAPv2. This works perfectly with the
ntlm_auth command provided with the samba distribution.
The problem is, that network authentication should performed before the users
logs on - windows calls this "authenticate as computer". The EAP
Messages are
passed correctly to the freeradius server but ntlm_auth fails.
I tried to simulate this behaviour manually:
- extracted a samba machine password for a AD member (tdbdump secrets.tbd)
- try to login with the computer account and the password from step 1 produces
the following output (stripped out plaintext attemt):
debian:~# wbinfo -a debian$%yuNPtkinMrbU1w
..
challenge/response password authentication failed
error code was NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT (0xc00001199)
error message was: No logon workstation trust account
..
If I try to authenticate as the same user/pwd with kerberos there is not problem
and the TGT is supplied.
Is it possible (now or in the future) to authenticate computer accounts with
winbind/ntlm_auth or is there another solution for my problem?
Regards,
Simon
