Prateek Kumar
2012-Oct-30 10:57 UTC
[Samba] ntlm_auth allowing users which are denied access
Hi,

I am using samba 3.2.2 with freeradius. I have joined the domain & am able to authenticate users with ntlm_auth.

If in ADS-2003 I configure the Remote Access Permission for the user (User-properties->Dial-in) as Deny, then if I use the "ntlm_auth --username=user --password=password" I get NT_STATUS_OK. What could be the reason for this behavior, or is there any patch for this?

Also if I use windows server's radius server then I am not able to connect my user because access is denied for that user.

Thanks & Regards,
Prateek
Andrew Bartlett
2012-Oct-30 11:41 UTC
[Samba] ntlm_auth allowing users which are denied access
On Tue, 2012-10-30 at 16:27 +0530, Prateek Kumar wrote:
> Hi,
> I am using samba 3.2.2 with freeradius. I have joined the domain &
> am able to authenticate users with ntlm_auth.
>
> If in ADS-2003 I configure the Remote Access Permission for the user
> (User-properties->Dial-in) as Deny, then if I use the "ntlm_auth
> --username=user --password=password" I get NT_STATUS_OK. What could be the
> reason for this behavior, or is there any patch for this?
>
> Also if I use windows server's radius server then I am not able to connect
> my user because access is denied for that user.

There is nothing that ntlm_auth does to indicate to the DC that this is for a remote access server, compared with say, Squid or a CIFS login. That's why it doesn't fail.

Perhaps the --require-membership-of option might help, but I don't know what that particular GUI option sets.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org