Failed With Error NT_STATUS_INVALID_WORKSTATION
Few questions.

1) Does the proxy server have an A and PTR record?
2) Did you enable the Windows authentication in the browser?
3) Did you add the domain in the local intranet sites?
4) You cannot use "transparent" with authentication. (Well, you keep getting a popup.)

And go read:
https://community.zarafa.com/pg/blog/read/18332/zarafa-outlook-amp-webaccess-sso-with-samba4
Yes, no proxy, but all the pointers you need.

For the squid host you need the HOST and HTTP SPN.

This is what I have on my proxy. (Not Kerberos but LDAP auth.)

## squid-01-01-auth-AD.conf
## AUTHENTICATION TO ACTIVE DIRECTORY
#
auth_param basic program /usr/lib/squid3/basic_ldap_auth -R \
    -b "OU=domain,DC=internal,DC=domain,DC=tld" \
    -D ldap-bind@internal.domain.tld -W /etc/squid3/private/ldap-bind \
    -f (|(userPrincipalName=%s)(sAMAccountName=%s)) \
    -h dc1.internal.domain.tld
auth_param basic children 50
auth_param basic realm domain Secured Internet Proxy
auth_param basic credentialsttl 3 hours

# Basic Ldap auth as fallback authentication
auth_param basic program /usr/lib/squid3/basic_ldap_auth -v 3 \
    -b "dc=internal,dc=domain,dc=tld" \
    -D cn=replicator,dc=internal,dc=domain,dc=tld -W /etc/squid3/private/ldap-bind \
    -f uid=%s ldap.internal.domain.tld
auth_param basic realm domain Internet Proxy.
auth_param basic children 50
auth_param basic credentialsttl 3 hours

acl authenticated proxy_auth REQUIRED

Kerberos is next to be tested, but same as you I'm waiting for samba 4.2, or if you run debian you can use samba 3.6 for the winbind auth. That's the first I'm going to test.

Above is running on debian wheezy with squid 3.3.8 (backported from Debian jessie).

Greetz,
Louis

>-----Original message-----
>From: rowlandpenny at googlemail.com
>[mailto:samba-bounces at lists.samba.org
https://lists.samba.org/archive/samba/2014-November/186750.html

Bug 40322 - mount fails port 445 with NT_STATUS_INVALID_WORKSTATION but works port 139
https://bugzilla.kernel.org/show_bug.cgi?id=40322

Status: RESOLVED OBSOLETE
Product: File System
Classification: Unclassified
Component: CIFS
Hardware: All Linux
Importance: P1 normal
Assigned To: fs_cifs
Reported: 2011-07-29 09:31 UTC by Sean Finney
Modified: 2012-08-30 09:27 UTC
Tree: Mainline
Regression: No

Description
Sean Finney 2011-07-29 09:31:08 UTC

Okay,

In the current situation we have a windows-served fileshare "fs/share", an AD account "fsuser", and a linux client "fsclient". "fsuser" is a restricted account which can only log in to a small number of machines (including "fs"). The account itself is okay, and in fact can be used to connect to the share without problem using smbclient.

However, when attempting to mount.cifs the share, we get a server response:

admin@fsclient:~$ sudo mount -t cifs -o 'username=fsuser,password=fspass' //fs/share /mnt
mount error(13): Permission denied
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

dmesg:
[91939.877791] Status code returned 0xc0000070 NT_STATUS_INVALID_WORKSTATION
[91939.877804] CIFS VFS: Send error in SessSetup = -13
[91939.877811] CIFS VFS: cifs_mount failed w/return code = -13

Looking at a packet capture, it does not seem as though "fsclient" is included anywhere in the initial SetupAndX request, which then fails with the above NT error code.
However, looking at a packet capture of smbclient (which does NTLMSSP instead of straight ntlm, in case it matters), "fsclient" is in fact included as a parameter in the negotiation process. So I spent a while R'ing TFM on mount.cifs, and found this option
http://samba.samba.narkive.com/kaP2jfVC/ntlm-auth-nt-status-invalid-workstation-question

can only log on to specific Windows workstations. Now, we want to configure the samba AD as the user authentication of squid. I use the following configuration in squid. The users without workstation limitation can successfully authenticate to squid, but the user with workstation limitation cannot.

############################ squid.conf Start #############################
auth_param ntlm program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm keep_alive on
auth_param basic program /usr/bin/ntlm_auth3 --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Welcome to proxy!
auth_param basic credentialsttl 2 hours
############################ squid.conf End #############################

So, I manually tried the ntlm_auth3 command, and it seems I can never log in even when I enter the correct workstation name.

[***@squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc
NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)

[***@squid_server ~]# ntlm_auth3 --username=dummy --password=1234567Abc --workstation=squid_server
NT_STATUS_INVALID_WORKSTATION: Invalid workstation (0xc0000070)

[***@gate01 ~]# wbinfo -a dummy%1234567Abc
plaintext password authentication failed
Could not authenticate user dummy%1234567Abc with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_INVALID_WORKSTATION (0xc0000070)
error message was: Invalid workstation
Could not authenticate user dummy with challenge/response

Now when I add the Domain Controller's NetBIOS name to the allowed workstation list for that user, I can authenticate successfully.

[***@DC]# ntlm_auth --username=dummy --password=1234567Abc
NT_STATUS_OK: Success (0x0)

However, other samba3/samba4 member servers cannot authenticate using NTLM. The result is just as mentioned above.

One more question: I have seen the release note said server services should be configured as winbindd instead of winbind in smb.conf. Is it correct for a Samba AD domain controller setup? I tried this configuration but samba seems to never start up correctly.

Thanks a million.

Best,
Kelvin Yip

Rowland Penny 2014-11-11 11:32:37 UTC