samba - Oct 2016 - Workstation Logon Restrictions (Log On To) with samba 4 AD

Hi,

After a migration from samba 3 nt domain to samba 4 AD we have detected
that Workstation Logon Restrictions (Log On To) is not working correctly,
with samba 3 was working perfect, but after migration we have detected that
some resources are not available, for example roaming profiles, home
folders... we have tried to add as log on to workstations  samba machine
(dc), machine that has roaming profiles, home folders.... but without
success only works if we disable all restrictions to log on to, but then
for our environment is a security problem

How can I solve?

thanks

On Sun, 2016-10-30 at 20:20 +0100, Trenta sis via samba
wrote:
> Hi,
> 
> After a migration from samba 3 nt domain to samba 4 AD we have
> detected
> that Workstation Logon Restrictions (Log On To) is not working
> correctly,
> with samba 3 was working perfect, but after migration we have
> detected that
> some resources are not available, for example roaming profiles, home
> folders... we have tried to add as log on to workstations  samba
> machine
> (dc), machine that has roaming profiles, home folders.... but without
> success only works if we disable all restrictions to log on to, but
> then
> for our environment is a security problem
> 
> How can I solve?
The implementation of the workstation logon restrictions has always
been a bit of a hack in Windows domains, and so to in Samba.  In NTLM,
it was enforced largely by the client-supplied and unverified
'workstation' in the NTLM packet.  The protections in the NETLOGON
server are a bit stronger, but your issue is that the KDC is now
issuing the ticket, and perhaps that isn't checking the optional
'workstation name' 'address' that is put in the krb5 request.

The correct way to enforce a login restriction would be to deny the
service ticket, but then we would have to tell which TGS-REQ packets
were for desktop logon, and which were for other services on other
hosts.

All in all, this is very hard to on the DC.  The workstation itself
would be better placed to enforce such a restriction as an ACL, but I
don't know of a way to do that.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On 11/1/2016 1:57 AM, Andrew Bartlett via samba wrote:
> On Sun, 2016-10-30 at 20:20 +0100, Trenta sis via samba wrote:
>> Hi,
>>
>> After a migration from samba 3 nt domain to samba 4 AD we have
>> detected
>> that Workstation Logon Restrictions (Log On To) is not working
>> correctly,
>> with samba 3 was working perfect, but after migration we have
>> detected that
>> some resources are not available, for example roaming profiles, home
>> folders... we have tried to add as log on to workstations  samba
>> machine
>> (dc), machine that has roaming profiles, home folders.... but without
>> success only works if we disable all restrictions to log on to, but
>> then
>> for our environment is a security problem
>>
>> How can I solve?
> The implementation of the workstation logon restrictions has always
> been a bit of a hack in Windows domains, and so to in Samba.  In NTLM,
> it was enforced largely by the client-supplied and unverified
> 'workstation' in the NTLM packet.  The protections in the NETLOGON
> server are a bit stronger, but your issue is that the KDC is now
> issuing the ticket, and perhaps that isn't checking the optional
> 'workstation name' 'address' that is put in the krb5
request.
>
> The correct way to enforce a login restriction would be to deny the
> service ticket, but then we would have to tell which TGS-REQ packets
> were for desktop logon, and which were for other services on other
> hosts.
>
> All in all, this is very hard to on the DC.  The workstation itself
> would be better placed to enforce such a restriction as an ACL, but I
> don't know of a way to do that.
>
> Andrew Bartlett
>
Not sure how you are restricting access but I normally use Microsoft's 
ADUC tool for this purpose. Open the object you would like to restrict 
and choose the account tab then finally 'Log On To' option. You can then
define what workstations the user is limited to.

-- 
- James

hi andrew and james,

my configurations is made from aduc tools as you described but doesn't work
correctly
about andrew message about this issue, I understand that is an issue and is
not solved and any solutions is available... only workaround is disable log
on restrictions in aduc, then works, but without security...
additional information with samba 3 and nt domain was working perfect

thanks



2016-11-01 6:57 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:
> On Sun, 2016-10-30 at 20:20 +0100, Trenta sis via samba wrote:
> > Hi,
> >
> > After a migration from samba 3 nt domain to samba 4 AD we have
> > detected
> > that Workstation Logon Restrictions (Log On To) is not working
> > correctly,
> > with samba 3 was working perfect, but after migration we have
> > detected that
> > some resources are not available, for example roaming profiles, home
> > folders... we have tried to add as log on to workstations  samba
> > machine
> > (dc), machine that has roaming profiles, home folders.... but without
> > success only works if we disable all restrictions to log on to, but
> > then
> > for our environment is a security problem
> >
> > How can I solve?
>
> The implementation of the workstation logon restrictions has always
> been a bit of a hack in Windows domains, and so to in Samba.  In NTLM,
> it was enforced largely by the client-supplied and unverified
> 'workstation' in the NTLM packet.  The protections in the NETLOGON
> server are a bit stronger, but your issue is that the KDC is now
> issuing the ticket, and perhaps that isn't checking the optional
> 'workstation name' 'address' that is put in the krb5
request.
>
> The correct way to enforce a login restriction would be to deny the
> service ticket, but then we would have to tell which TGS-REQ packets
> were for desktop logon, and which were for other services on other
> hosts.
>
> All in all, this is very hard to on the DC.  The workstation itself
> would be better placed to enforce such a restriction as an ACL, but I
> don't know of a way to do that.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/
> services/samba
>
>