Mike McCauley of OSC/Radiator provided me with this "quick and dirty fix":
in samba/source/rpc_client/cli_netlogon.c, in the
cli_netlogon_sam_network_logon() function,
the param_ctrl flags passed to init_id_info2() are always set to 0 but
should be set to 0x800 (MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT)
to enable machine authentication.
Although kind of a shortcut, it works great if you need machine auth. Maybe
it can help someone else?
Thanks,
Matt
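As an added illustration of the flag described above (example code, not Samba's own cli_netlogon.c and not the patch Mike McCauley supplied): the MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT bit (0x800) is the logon parameter-control value named in the thread; the helpers is_machine_account() and param_ctrl_for() are hypothetical, and the assumption that a machine account is recognised by the "host/pcname" form used by the RADIUS side or a trailing "$" is mine, not something the thread establishes. The point of the example is that the bit can be set only for accounts that look like machine accounts, instead of unconditionally for every logon as in the quick fix.

```c
#include <stdint.h>
#include <string.h>
#include <strings.h>

/* Real MSV1_0 logon parameter-control bit named in the thread (0x800).
 * Everything else in this block is an added, hypothetical example. */
#define MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT 0x00000800u

/* Hypothetical helper: non-zero if the account name looks like a machine
 * account. Assumed forms: "host/pcname123" (as passed from RADIUS in the
 * thread) or the Active Directory style "PCNAME123$". */
int is_machine_account(const char *user)
{
    size_t n = strlen(user);

    if (strncasecmp(user, "host/", 5) == 0)
        return 1;
    return n > 0 && user[n - 1] == '$';
}

/* Hypothetical helper: build the param_ctrl value that init_id_info2()-style
 * code would receive. Ordinary users keep 0; only machine accounts get the
 * workstation-trust-account bit, so the flag is not granted to every logon. */
uint32_t param_ctrl_for(const char *user)
{
    uint32_t ctrl = 0;

    if (is_machine_account(user))
        ctrl |= MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
    return ctrl;
}
```

Keeping the flag conditional means a later audit of logon requests can distinguish machine logons (0x800 set) from user logons (0), which the unconditional version hides.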
On Sun, 2005-10-02 at 11:25 -0400, Matthew Alexander wrote:
I am trying to use ntlm_auth for machine authentication requests
against a Win2003/AD from my RADIUS server. Normal, user
authentication works fine, but not machine authentication.
The username passed from RADIUS to ntlm_auth looks like host/pcname123.
I'm wondering if the "/" is killing it? The ntlm_auth man page says
that it expects only Samba's unix charset.
Does anyone have any ideas about how I can accomplish this? Thanks.
Machine accounts are a problem because historically, they were not
permitted to login with NTLMSSP. This appears to have changed, but
there must be some flag that windows domain members set, to change this
behaviour. I don't know what this is at this stage, so I either need to
see this done to a windows DC, by a windows VPN server (with a system
policy of 'secure channel: sign'), or try random things till it works...
....
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net