Bug 3248 - winbind-error in handling ntlmv2-protocol
Summary: winbind-error in handling ntlmv2-protocol
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind (show other bugs)
Version: 3.0.20b
Hardware: x86 Windows XP
: P3 critical
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Depends on:
Reported: 2005-11-08 04:44 UTC by Stefan Burkei
Modified: 2006-01-19 15:07 UTC (History)
2 users (show)

See Also:

The patch was only tested with samba-3.0.21a (333 bytes, patch)
2006-01-19 14:57 UTC, Stefan Burkei
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Burkei 2005-11-08 04:44:12 UTC
A user which is restricted to logon from a dedicated workstation will not be
authenticated, if the samba-server which runs in ads mode uses another
w2k-domain-controller for authentication requests as the one which is used by
the workstation the user logs on. The problem appears with version 3.0.20b.
Downgrading to 3.0.13 doesn't show this failure. I didn't check 3.0.14.

Here is the smb.conf:

        display charset = UTF-8
        workgroup = dom
        server string = Proxy-Server
        interfaces = eth0
        realm = REALM.DOMAIN.DE
        security = ads
        password server = domcontroller
        encrypt passwords = Yes
        paranoid server security = No
        passdb backend = tdbsam, guest
        idmap gid = 39000-40000
        idmap uid = 39000-40000
        username map = /etc/samba/users.map
        printing = bsd
        load printers = Yes
        printcap name = /etc/printcap
        printer admin = root
        logon script = logon.bat
        logon path = \\%L\profile\%U
        logon home = \\%L\%U\profile
        domain logons = No
        os level = 2
        preferred master = No
        local master = No
        domain master = No
        browse list = No
        wins server = domcontroller
Comment 1 Björn Jacke 2005-11-29 03:33:27 UTC
I can confirm this is broken in 3.0.20 and it worked until 3.0.14
Comment 2 Björn Jacke 2005-12-01 02:40:59 UTC
this is not just an issue in security=ads but also with security=domain mode.
Comment 3 Stefan Burkei 2006-01-19 14:57:20 UTC
Created attachment 1703 [details]
The patch was only tested with samba-3.0.21a

After a few hours of debugging I found out, that the problem exists not only with a w2k-ad. The error occurs in a samba controlled domain too when you restrict a user to be logged on from certain workstation(s). When the authentication-chain is squid->ntlm_auth->winbind->samba it is not the name of workstation which appears in the deubug-log but the name of the server the squid process runs on.
The applied patch solves the problem.
Comment 4 Jeremy Allison 2006-01-19 15:07:34 UTC
Great fix ! Thanks - this will be fixed for 3.0.21b.