Hi all,

I have samba4.2 (Version 4.2.0pre1-GIT-6d2f56d) as AD domain controller. Some users can only log on to specific Windows workstations. Now we want to configure the Samba AD as the user authentication for squid. I use the following configuration in squid. The users without a workstation limitation can successfully authenticate to squid, but the users with a workstation limitation cannot.

############################ squid.conf Start #############################
auth_param ntlm program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on

auth_param basic program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Welcome to proxy!
auth_param basic credentialsttl 2 hours
############################ squid.conf End #############################

So I manually tried the ntlm_auth3 command, and it seems I can never log in, even when I enter the correct workstation name.

[root@squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc
NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)

[root@squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc --workstation=squid_server
NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)

[root@gate01 ~]# wbinfo -a dummy%1234567Abc
plaintext password authentication failed
Could not authenticate user dummy%1234567Abc with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_INVALID_WORKSTATION (0xc0000070)
error message was: Invalid workstation
Could not authenticate user dummy with challenge/response

Now when I add the Domain Controller's NetBIOS name to the allowed workstation list for that user, I can authenticate successfully.

[root@DC]# ntlm_auth --username=dummy --password=1234567Abc
NT_STATUS_OK: Success (0x0)

However, other samba3/samba4 member servers cannot authenticate using NTLM. The result is just as mentioned above.

One more question: I have seen the release notes say that "server services" should be configured as winbindd instead of winbind in smb.conf. Is that correct for a Samba AD domain controller setup? I tried this configuration but samba seems never to start up correctly.

Thanks a million.

Best,
Kelvin Yip
Rowland Penny
2014-Nov-11 11:32 UTC
[Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question
On 11/11/14 09:59, Kelvin Yip wrote:
> One more question: I have seen the release notes say that "server services" should
> be configured as winbindd instead of winbind in smb.conf. Is that correct for a
> Samba AD domain controller setup? I tried this configuration but samba
> seems never to start up correctly.

I don't know about the squid problem, but when you provision 4.2x you should be using 'winbindd' automatically; you shouldn't have to alter anything.

Rowland
L.P.H. van Belle
2014-Nov-11 14:36 UTC
[Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question
A few questions.

1) Does the proxy server have an A and a PTR record?
2) Did you enable Windows authentication in the browser?
3) Did you add the domain to the local intranet sites?
4) You cannot use "transparent" with authentication (well, you keep getting a popup).

And go read: https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4
Yes, no proxy there, but all the pointers you need. For the squid host you need the HOST and HTTP SPN.

This is what I have on my proxy (not Kerberos but LDAP auth):

## squid-01-01-auth-AD.conf
## AUTHENTICATION TO ACTIVE DIRECTORY
#
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
    -b "OU=domain,DC=internal,DC=domain,DC=tld" \
    -D ldap-bind@internal.domain.tld -W /etc/squid3/private/ldap-bind \
    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
    -h dc1.internal.domain.tld
auth_param basic children 50
auth_param basic realm domain Secured Internet Proxy
auth_param basic credentialsttl 3 hours

# Basic Ldap auth as fallback authentication
auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 \
    -b "dc=internal,dc=domain,dc=tld" \
    -D cn=replicator,dc=internal,dc=domain,dc=tld -W /etc/squid3/private/ldap-bind \
    -f uid=%s ldap.internal.domain.tld
auth_param basic realm domain Internet Proxy.
auth_param basic children 50
auth_param basic credentialsttl 3 hours

acl authenticated proxy_auth REQUIRED

Kerberos is next to be tested, but same as you I'm waiting for samba 4.2, or if you run Debian you can use samba 3.6 for the winbind auth. That's the first thing I'm going to test.
The above is running on Debian wheezy with squid 3.3.8 (backported from Debian jessie).

Greetz,
Louis
Andrew Bartlett
2014-Nov-14 09:22 UTC
[Samba] ntlm_auth NT_STATUS_INVALID_WORKSTATION Question
On Tue, 2014-11-11 at 17:59 +0800, Kelvin Yip wrote:
> Hi all,
>
> I have samba4.2 (Version 4.2.0pre1-GIT-6d2f56d) as AD domain controller.
> Some users can only log on to specific Windows workstations. Now we want to
> configure the Samba AD as the user authentication for squid. I use the
> following configuration in squid. The users without a workstation limitation
> can successfully authenticate to squid, but the users with a workstation
> limitation cannot.

> Now when I add the Domain Controller's NetBIOS name to the allowed workstation
> list for that user, I can authenticate successfully.
>
> [root@DC]# ntlm_auth --username=dummy --password=1234567Abc
>
> NT_STATUS_OK: Success (0x0)

Correct. For basic authentication the server running winbind for squid uses its own name in the SamLogon request. For NTLMSSP authentication, it will use the name specified in the NTLMSSP packet.

The userWorkstations restriction really is pretty poorly thought out - it should only have applied to interactive logons - and is a hold-over from the days of NT4. These days we should be doing proper host-based access control with Kerberos tickets or other things, but sadly none of that is implemented in AD, and this is one of the sad consequences.

(All the questions about DNS are missing the mark here; it is just as simple as us using our own name.)

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
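To make Andrew's explanation concrete, here is an added example (not from this thread and not Samba's code) that extracts the Workstation field from an NTLMSSP AUTHENTICATE (type 3) message and applies the same userWorkstations comparison the DC makes, so you can see why the basic-auth path is rejected with the proxy's own name while an NTLMSSP logon from a permitted client passes. The domain, user and workstation names, the userWorkstations value and the message itself are constructed; the builder leaves the LM/NT responses empty, which is enough to show the field layout.

```python
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # MS-NLMP negotiate flag: string fields are UTF-16LE
HEADER_LEN = 64                          # fixed part of AUTHENTICATE_MESSAGE without Version/MIC
def build_authenticate(domain, user, workstation):
    """Constructed minimal NTLMSSP AUTHENTICATE (type 3): LM/NT responses and key left empty."""
    payload, fields = b"", []
    for s in (domain, user, workstation):
        data = s.encode("utf-16-le")
        fields.append((len(data), HEADER_LEN + len(payload)))
        payload += data
    msg = b"NTLMSSP\0" + struct.pack("<I", 3)
    msg += struct.pack("<HHI", 0, 0, HEADER_LEN)   # LmChallengeResponseFields (empty)
    msg += struct.pack("<HHI", 0, 0, HEADER_LEN)   # NtChallengeResponseFields (empty)
    for length, offset in fields:                  # DomainName, UserName, Workstation
        msg += struct.pack("<HHI", length, length, offset)
    msg += struct.pack("<HHI", 0, 0, HEADER_LEN)   # EncryptedRandomSessionKeyFields (empty)
    msg += struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE)
    return msg + payload

def parse_authenticate(msg):
    """Return the domain, user and workstation strings carried in a type 3 message."""
    if msg[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "ascii"  # OEM strings assumed ASCII
    def field(pos):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError("string field points past the end of the message")
        return msg[offset:offset + length].decode(enc)
    return {"domain": field(28), "user": field(36), "workstation": field(44)}

def workstation_allowed(user_workstations, name):
    """DC's userWorkstations test: empty allows any host, else a comma-separated case-insensitive list."""
    if not user_workstations:
        return True
    allowed = {w.strip().upper() for w in user_workstations.split(",") if w.strip()}
    return name.upper() in allowed

def logon_workstation(auth_method, winbind_host, ntlmssp_msg=None):
    """Name the DC sees in SamLogon: winbind host for basic auth, type 3 Workstation field for NTLMSSP."""
    if auth_method == "basic":
        return winbind_host
    return parse_authenticate(ntlmssp_msg)["workstation"]
USER_WS = "WS01,WS02"  # constructed userWorkstations value for the user 'dummy'
for m in ("basic", "ntlmssp"):
    ws = logon_workstation(m, "SQUID_SERVER", build_authenticate("EXAMPLE", "dummy", "WS01"))
    print(m, ws, "allowed" if workstation_allowed(USER_WS, ws) else "NT_STATUS_INVALID_WORKSTATION")
```

Adding the proxy's NetBIOS name to userWorkstations (what Kelvin did for the DC) is what makes the basic path pass; it does nothing for an NTLMSSP logon whose type 3 message names a different host.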