Preface: I've done my homework. Questions and answers such as these ones don't seem to address the specific nature of my question. My google-fu is apparently not strong enough since the search terms I've used all lead me to various solutions which do not include the workstation name nor a way to specify the workstation name I'm checking for.
Background: I have a Redmine server running on Debian that uses LDAP authentication to a local Windows 2003 Small Business Server Active Directory. I have this working fine and it works great.
... Except for one user who is restricted to logging in from his own workstation.
I thought this would be a simple matter of configuring Samba to join the domain using AD and then just adding the Linux box's NetBIOS name to the list of machines that this user can log in from. This is unfortunately not true. I have verified that the NetBIOS name REDMINE exists in the list of domain machines on the Windows 2003 server and I have also verified that there are no obvious issues between the Samba server and the Windows 2003 server. I'm not looking for the Linux logins to be verified against AD or anything like that.
Looking at packet captures and Windows event log audit details, it appears that Windows 2003 defaults to the AD's NetBIOS name when the LDAP bind attempt comes in. I see in the event log a login attempt for user myusername for workstation SERVERNAME, but with the correct Redmine server IP address:
```
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 533
Date: 6/3/2014
Time: 7:57:42 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVERNAME
Description:
Logon Failure:
Reason: User not allowed to logon at this computer
User Name: myusername
Domain: DOMAINNAME
Logon Type: 3
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: SERVERNAME
Caller User Name: SERVERNAME$
Caller Domain: DOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 544
Transited Services: -
Source Network Address: redmine.server.ip
Source Port: 47721
```
Nowhere in the LDAP query from Redmine does SERVERNAME appear in the query, which is why I'm sure this is coming from the Windows server. If I add the AD server NetBIOS name to the list of allowed workstations this user may log in from, Redmine's query succeeds and the user can log in to Redmine.
The sanitized bind information is as follows:
```
CN=Firstname Lastname,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=domainname,DC=local
```
The password provided is obviously correct as well. The returned error makes sense, given that Windows is sure I'm trying to log in from SERVERNAME and not REDMINE:
```
W80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 531, vece
```

(code 531 means "user is not allowed to log in to this machine")
Does anyone know how to create an LDAP login query against a Windows 2003 server which specifies which workstation to check the login against?
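An added triage helper for the kind of Event ID 533 record quoted above (example code written for this page, not from the question, Redmine or Windows): it parses the event's `Key: value` lines, flags the case where the Workstation Name is a domain controller that is also its own caller (the DC evaluated the bind itself, so the restriction was checked against the DC's name and the real client is only in Source Network Address), and checks a NetBIOS name against the comma-separated `userWorkstations` attribute value. The set of DC names is an assumed input.

```python
import re

# Constructed sample: the Event ID 533 record quoted in the question, with its
# placeholder names (SERVERNAME, DOMAINNAME, redmine.server.ip) kept as-is.
SAMPLE_EVENT = r"""Event ID: 533
User: NT AUTHORITY\SYSTEM
Computer: SERVERNAME
Reason: User not allowed to logon at this computer
User Name: myusername
Logon Type: 3
Logon Process: Advapi
Workstation Name: SERVERNAME
Caller User Name: SERVERNAME$
Source Network Address: redmine.server.ip
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")

def parse_event(text):
    """Turn the 'Key: value' lines of a security event into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def workstation_allowed(user_workstations, name):
    """Check a NetBIOS name against the comma-separated userWorkstations
    attribute value; an empty value means the account is unrestricted."""
    allowed = {n.strip().upper() for n in user_workstations.split(",") if n.strip()}
    return not allowed or name.upper() in allowed

def triage_533(ev, dc_names):
    """Classify a 'not allowed at this computer' failure. dc_names is the set
    of domain controller NetBIOS names (assumed known to the administrator).
    Returns (verdict, client address the DC recorded)."""
    client = ev.get("Source Network Address", "")
    if ev.get("Event ID") != "533":
        return "not-a-533-event", client
    ws = ev.get("Workstation Name", "").upper()
    caller = ev.get("Caller User Name", "").upper().rstrip("$")
    if ws in {d.upper() for d in dc_names} and caller == ws:
        # The DC performed a network logon (here an LDAP bind) itself, so the
        # restriction was checked against the DC's own name; the real client
        # is only visible in Source Network Address.
        return "workstation-check-used-dc-name", client
    return "workstation-restricted", client
```

Running `triage_533(parse_event(SAMPLE_EVENT), {"SERVERNAME"})` yields the DC-name verdict together with `redmine.server.ip`, which is the condition to look for before deciding whether to relax the user's workstation list.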