A user who is restricted to logging on from a dedicated workstation will not be authenticated if the Samba server, which runs in ADS mode, uses a different W2K domain controller for authentication requests than the one used by the workstation the user logs on to. The problem appears with version 3.0.20b. Downgrading to 3.0.13 doesn't show this failure. I didn't check 3.0.14. Here is the smb.conf:

[global]
    display charset = UTF-8
    workgroup = dom
    server string = Proxy-Server
    interfaces = eth0
    realm = REALM.DOMAIN.DE
    security = ads
    password server = domcontroller
    encrypt passwords = Yes
    paranoid server security = No
    passdb backend = tdbsam, guest
    idmap gid = 39000-40000
    idmap uid = 39000-40000
    username map = /etc/samba/users.map
    printing = bsd
    load printers = Yes
    printcap name = /etc/printcap
    printer admin = root
    logon script = logon.bat
    logon path = \\%L\profile\%U
    logon home = \\%L\%U\profile
    domain logons = No
    os level = 2
    preferred master = No
    local master = No
    domain master = No
    browse list = No
    wins server = domcontroller
I can confirm this is broken in 3.0.20 and it worked until 3.0.14.
This is not just an issue in security=ads but also with security=domain mode.
Created attachment 1703

The patch was only tested with samba-3.0.21a. After a few hours of debugging I found out that the problem exists not only with a W2K AD. The error occurs in a Samba-controlled domain too when you restrict a user to being logged on from certain workstation(s). When the authentication chain is squid->ntlm_auth->winbind->samba, it is not the name of the workstation that appears in the debug log but the name of the server the squid process runs on. The applied patch solves the problem.
Great fix! Thanks - this will be fixed for 3.0.21b. Jeremy.
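The workstation name that a domain controller (or Samba acting as one) checks against a user's logon-workstation restriction is the Workstation field of the NTLM AUTHENTICATE (Type 3) message, which every hop in a chain such as squid->ntlm_auth->winbind->samba has to pass through unchanged. The following added example, which is not part of this bug report or of Samba's code, builds a minimal Type 3 message with the field layout from MS-NLMP, parses the domain, user and workstation back out of it, and applies a constructed per-user workstation restriction to show why a relay that substitutes its own host name (as the report describes in the debug log) makes the restricted user fail authentication. The names DOM, alice, WS-ALICE and PROXY01 are constructed sample values; challenge responses are left empty because only the field layout matters here.

```python
import struct

# Constants from the NTLM protocol (MS-NLMP); these are real values.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_AUTHENTICATE = 3
NEGOTIATE_UNICODE = 0x00000001

# Security-buffer descriptors in an AUTHENTICATE message are 8 bytes each
# (len, maxlen, offset) and sit at these fixed positions.
FIELD_DOMAIN = 28
FIELD_USER = 36
FIELD_WORKSTATION = 44
FIELD_FLAGS = 60
HEADER_LEN = 64  # signature + type + 6 descriptors + flags, no Version/MIC


def build_authenticate_message(domain, user, workstation, unicode=True):
    """Construct a minimal NTLM Type 3 message (constructed sample, empty responses)."""
    enc = "utf-16-le" if unicode else "ascii"
    flags = NEGOTIATE_UNICODE if unicode else 0
    # Payload order: LM response, NT response, domain, user, workstation, session key.
    parts = [b"", b"", domain.encode(enc), user.encode(enc),
             workstation.encode(enc), b""]
    descriptors = b""
    payload = b""
    offset = HEADER_LEN
    for part in parts:
        descriptors += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NTLM_AUTHENTICATE)
            + descriptors + struct.pack("<I", flags) + payload)


def parse_authenticate_message(msg):
    """Extract domain, user and workstation from a Type 3 message, with bounds checks."""
    if len(msg) < HEADER_LEN or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != NTLM_AUTHENTICATE:
        raise ValueError("not an AUTHENTICATE message")
    (flags,) = struct.unpack_from("<I", msg, FIELD_FLAGS)
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"

    def field(pos):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
        if offset + length > len(msg):
            raise ValueError("security buffer points outside the message")
        return msg[offset:offset + length].decode(enc)

    return {"domain": field(FIELD_DOMAIN),
            "user": field(FIELD_USER),
            "workstation": field(FIELD_WORKSTATION)}


def workstation_allowed(allowed, presented):
    """Emulate a logon-workstation restriction: an empty list means unrestricted,
    otherwise the presented name must match one entry (NetBIOS names are
    case-insensitive). This is a model of the check, not Samba's implementation."""
    if not allowed:
        return True
    return presented.upper() in {w.upper() for w in allowed}


def demo():
    """Return (direct_result, relayed_result) for a user limited to WS-ALICE."""
    allowed = ["WS-ALICE"]  # constructed restriction for user alice
    # What the DC sees when the workstation's own name survives the chain.
    direct = parse_authenticate_message(
        build_authenticate_message("DOM", "alice", "WS-ALICE"))
    # What the DC sees when a relay replaces it with its own host name.
    relayed = parse_authenticate_message(
        build_authenticate_message("DOM", "alice", "PROXY01"))
    return (workstation_allowed(allowed, direct["workstation"]),
            workstation_allowed(allowed, relayed["workstation"]))


if __name__ == "__main__":
    print(demo())
```

Logging the parsed workstation value at the authenticator, alongside the user name, is the quickest way to confirm which name a multi-hop NTLM chain is actually delivering before blaming the restriction itself.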