Problem: The smbcacls command returns NT_STATUS_INVALID_WORKSTATION

Problem

root@ucs-server:~# smbcacls "//$(hostname -f)/user1" / -U user1
[...]
cli_full_connection failed! (NT_STATUS_INVALID_WORKSTATION)

Solution

Check the userWorkstation attribute in Samba/AD, probably that’s set:

root@ucs-server:~# univention-s4search samaccountname=user1 userworkstations
# record 1
dn: CN=user1,OU=my-ou,DC=my-domain,DC=com
userWorkstations: DESKTOP-2BRDJG2

If that is the case, then the smbcacls command line option --netbiosname can be used to simulate coming from that worstation:

root@ucs-server:~# smbcacls "//$(hostname -f)/user1" / -U user1 \
                            --netbiosname DESKTOP-2BRDJG2    ## or -n
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:MY-DOMAIN+user1
GROUP:MY-DOMAIN+Domain Users DEMOSCHOOL
ACL:MY-DOMAIN+user1:DENIED/OI|CI/PO
ACL:MY-DOMAIN+user1:ALLOWED/0x0/FULL
ACL:MY-DOMAIN+Domain Users DEMOSCHOOL:ALLOWED/0x0/
ACL:Everyone:ALLOWED/0x0/
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:CREATOR GROUP:ALLOWED/OI|CI|IO/READ
ACL:Everyone:ALLOWED/OI|CI|IO/READ
ACL:OWNER RIGHTS:ALLOWED/OI|CI/CHANGE
Mastodon