Trenta sis
2016-Nov-01 18:27 UTC
[Samba] Workstation Logon Restrictions (Log On To) with samba 4 AD
Hi Andrew and James,

My configuration is made from the ADUC tools as you described, but it doesn't work correctly.

About Andrew's message on this issue: I understand that it is an issue, that it is not solved, and that no solution is available... The only workaround is to disable the log on restrictions in ADUC; then it works, but without security...

Additional information: with Samba 3 and an NT domain it was working perfectly.

Thanks

2016-11-01 6:57 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:

> On Sun, 2016-10-30 at 20:20 +0100, Trenta sis via samba wrote:
> > Hi,
> >
> > After a migration from a samba 3 NT domain to samba 4 AD we have detected
> > that Workstation Logon Restrictions (Log On To) is not working correctly.
> > With samba 3 it was working perfectly, but after the migration we have
> > detected that some resources are not available, for example roaming
> > profiles, home folders... We have tried to add as "log on to" workstations
> > the samba machine (DC), the machine that has the roaming profiles, home
> > folders.... but without success. It only works if we disable all "log on
> > to" restrictions, but then for our environment it is a security problem.
> >
> > How can I solve this?
>
> The implementation of the workstation logon restrictions has always been
> a bit of a hack in Windows domains, and so too in Samba. In NTLM, it was
> enforced largely by the client-supplied and unverified 'workstation' in
> the NTLM packet. The protections in the NETLOGON server are a bit
> stronger, but your issue is that the KDC is now issuing the ticket, and
> perhaps that isn't checking the optional 'workstation name' 'address'
> that is put in the krb5 request.
>
> The correct way to enforce a login restriction would be to deny the
> service ticket, but then we would have to tell which TGS-REQ packets were
> for desktop logon, and which were for other services on other hosts.
>
> All in all, this is very hard to do on the DC. The workstation itself
> would be better placed to enforce such a restriction as an ACL, but I
> don't know of a way to do that.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
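Andrew's quoted explanation describes the restriction as a comparison of a client-supplied workstation name against the account's allowed list, a comparison the Kerberos KDC path does not make. As an added example (not from the thread or from Samba's own code), the Python below inventories which accounts carry a "Log On To" restriction, stored in AD as the `userWorkstations` attribute, and mirrors the NTLM-style comparison so the weakness is visible; the LDIF input is a constructed sample with hypothetical account names.

```python
import re
from typing import Dict, List

# Constructed LDIF sample (hypothetical accounts) standing in for ldbsearch output
# from sam.ldb filtered on (userWorkstations=*); base64 ("::") values not handled.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userWorkstations: WS-ALICE,FILESRV,DC1

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
userWorkstations: WS-BOB

dn: CN=carol,CN=Users,DC=example,DC=com
sAMAccountName: carol
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """'attr: value' entries separated by blank lines; RFC 2849 continuation
    lines (newline plus one space) are folded back into their value first."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def allowed_workstations(entry: Dict[str, List[str]]) -> set:
    """userWorkstations holds comma-separated NetBIOS names; empty means unrestricted."""
    raw = entry.get("userWorkstations", [""])[0]
    return {name.strip().upper() for name in raw.split(",") if name.strip()}

def ntlm_style_check(entry: Dict[str, List[str]], client_workstation: str) -> bool:
    """The NTLM/NETLOGON-path comparison: the workstation name is client-supplied and
    unverified (a weak control), and the KDC path in the thread skips it entirely."""
    allowed = allowed_workstations(entry)
    return not allowed or client_workstation.strip().upper() in allowed

def restricted_accounts(ldif_text: str) -> List[str]:
    """Accounts that relied on a 'Log On To' restriction and need review after migration."""
    return [e["sAMAccountName"][0] for e in parse_ldif(ldif_text) if allowed_workstations(e)]
```

Running `restricted_accounts` over a real `ldbsearch` LDIF dump lists the accounts whose access control depended on a check that the AD KDC, per the thread, is not enforcing.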
Trenta sis
2016-Nov-02 20:59 UTC
[Samba] Workstation Logon Restrictions (Log On To) with samba 4 AD
Hi,

Can I do any action to recover this feature, or a similar feature, as it was available in Samba 3?

Thanks
Andrew Bartlett
2016-Nov-02 22:02 UTC
[Samba] Workstation Logon Restrictions (Log On To) with samba 4 AD
On Wed, 2016-11-02 at 21:59 +0100, Trenta sis wrote:
> hi,
>
> Can I do any action to recover this feature or similar feature as It
> was available to samba 3?

At this stage it needs some development, to add comprehensive tests and have the feature re-added to the KDC, assuming that is practical in the current architecture.

You are welcome to file a bug, but I sense this one will need a reasonable chunk of work to ensure not just that it is fixed, but that it stays fixed.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba