A user who is restricted to logging on from a dedicated workstation will not be
authenticated if the Samba server, which runs in ADS mode, uses a different
W2K domain controller for authentication requests than the one used by
the workstation the user logs on to. The problem appears with version 3.0.20b.
Downgrading to 3.0.13 doesn't show this failure. I didn't check 3.0.14.
Here is the smb.conf:
display charset = UTF-8
workgroup = dom
server string = Proxy-Server
interfaces = eth0
realm = REALM.DOMAIN.DE
security = ads
password server = domcontroller
encrypt passwords = Yes
paranoid server security = No
passdb backend = tdbsam, guest
idmap gid = 39000-40000
idmap uid = 39000-40000
username map = /etc/samba/users.map
printing = bsd
load printers = Yes
printcap name = /etc/printcap
printer admin = root
logon script = logon.bat
logon path = \\%L\profile\%U
logon home = \\%L\%U\profile
domain logons = No
os level = 2
preferred master = No
local master = No
domain master = No
browse list = No
wins server = domcontroller
I can confirm this is broken in 3.0.20 and it worked until 3.0.14.
This is not just an issue in security=ads mode but also with security=domain mode.
Created attachment 1703
The patch was only tested with samba-3.0.21a.
After a few hours of debugging I found out that the problem exists not only with a W2K AD. The error occurs in a Samba-controlled domain too when you restrict a user to be logged on from certain workstation(s). When the authentication chain is squid->ntlm_auth->winbind->samba, it is not the name of the workstation which appears in the debug log but the name of the server the squid process runs on.
The applied patch solves the problem.
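As an added example (not code from the bug report or from Samba itself): in the chain above, ntlm_auth receives the client's NTLMSSP AUTHENTICATE (Type 3) message from squid, and the Workstation field of that message is the name a workstation restriction should be checked against. The helper below builds a constructed Type 3 message, extracts that field, and applies a comma-separated allow list in the style of the AD userWorkstations attribute (an assumption; the report does not name the attribute). Checking the proxy's host name instead of the client's, as the report describes, fails the restriction.

```python
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set


def build_type3(domain: str, user: str, workstation: str) -> bytes:
    """Build a minimal NTLMSSP AUTHENTICATE message (constructed test data).
    The LM/NT challenge responses and session key are left empty because only
    the Workstation field matters for the restriction check shown here."""
    flags = NTLMSSP_NEGOTIATE_UNICODE
    strings = [b"", b"",                       # LmChallengeResponse, NtChallengeResponse
               domain.encode("utf-16-le"),     # DomainName
               user.encode("utf-16-le"),       # UserName
               workstation.encode("utf-16-le"),  # Workstation
               b""]                            # EncryptedRandomSessionKey
    header_len = 8 + 4 + 8 * len(strings) + 4  # signature, type, field descriptors, flags
    fields, payload = b"", b""
    for s in strings:
        # each descriptor: Len, MaxLen (uint16), BufferOffset (uint32), little-endian
        fields += struct.pack("<HHI", len(s), len(s), header_len + len(payload))
        payload += s
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload


def _field(msg: bytes, desc_off: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, desc_off)
    return msg[offset:offset + length]


def workstation_from_type3(msg: bytes) -> str:
    """Return the Workstation field of an NTLMSSP AUTHENTICATE message."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]   # NegotiateFlags follows six descriptors
    raw = _field(msg, 44)                           # WorkstationFields descriptor at offset 44
    return raw.decode("utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437")


def workstation_allowed(workstation: str, allowed: str) -> bool:
    """allowed: comma-separated NetBIOS names, e.g. "WS01,WS02"; empty means
    unrestricted. NetBIOS names compare case-insensitively."""
    names = {n.strip().upper() for n in allowed.split(",") if n.strip()}
    return not names or workstation.strip().upper() in names


if __name__ == "__main__":
    msg = build_type3("DOM", "alice", "WS01")          # what the browser sends via squid
    client_ws = workstation_from_type3(msg)
    print(client_ws, workstation_allowed(client_ws, "WS01,WS02"))   # WS01 True
    print("PROXY", workstation_allowed("PROXY", "WS01,WS02"))       # the reported failure: False
```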
Great fix! Thanks - this will be fixed for 3.0.21b.