Authentication through transitive trusts

Marc Kaplan MKaplan at snapappliance.com
Sat Jul 19 01:17:46 GMT 2003


On revision to:
> What I
> just found is that it doesn't matter if you connect with a 
> downlevel client,
> the ldap record gets changed when ANY client tries to connect. 
It's actually that when any client connects using NTLM. If a client tries a
kerberos connection, the machine account doesn't get destroyed. But even so
this is a very serious problem IMHO -- and it needs to be fixed.

			-Marc
> -----Original Message-----
> From: Marc Kaplan 
> Sent: Friday, July 18, 2003 3:29 PM
> To: 'Antti.Andreimann at mail.ee'; samba-technical at lists.samba.org
> Subject: RE: Authentication through transitive trusts
> 
> 
> I actually have noticed that the operatingSystem and the
> operatingSystemVersion change, but I never correlated it to 
> anything. What I
> just found is that it doesn't matter if you connect with a 
> downlevel client,
> the ldap record gets changed when ANY client tries to connect. 
> 
> Here are the steps I took:
> 1. Joined the ads domain
> 2. Ran a net ads status
> 3. Connect via smb (net use * \\sambaserver\share1) using the 
> DC as a client
> i.e. DC--conn--->Samba Server
> 4. Ran a net ads status.
> 
> I'm attaching the result of 2. 4. and a diff of the two.
> 
> 
> 
> > -----Original Message-----
> > From: Antti Andreimann [mailto:Antti.Andreimann at mail.ee]
> > Sent: Friday, July 18, 2003 1:50 PM
> > To: samba-technical at lists.samba.org
> > Subject: RE: Authentication through transitive trusts
> > 
> > 
> > Marc Kaplan wrote:
> > 
> > > win2k->win2k uses Kerberos, and win2k->nt4 uses NTLMSSP, 
> > so it seems like
> > > the win2k box thinks the Samba Server is a downlevel client 
> > (or at least
> > > only supports NTLM).
> > 
> > I am sorry, I didn't catch the head of this thread, but have 
> > You looked into
> > what AD thinks about the operating system of Your samba host.
> > I had a problem when AD automatically degraded samba to NT4.0 
> > when it tried
> > to authenticate non-kerberos users against it with NTLM. 
> > Naturally after
> > that none of the w2k hosts were able to use kerberos tickets 
> > to connect to
> > samba any more.
> > You can check if this is the case when You look at the 
> > machine LDAP entry by
> > executing net ads status (or was it net ads info, sorry I 
> > seem to have an
> > Alzheimer's, and I don't have a Samba 3.0 box here at home to 
> > look it up from).
> > If You do not see any attributes referring to kerberos principals
> > (HOST/hostname at REALM) then Your trust account has been 
> > castrated by AD's
> > "convenience features".
> > 
> > I have a patch for that, but unfortunately I have not had 
> > enough time to
> > clean up all the other bits as well prior to submitting them 
> > to Andrew (I
> > know, the release time is ticking).
> > 
> > -- 
> >               Antti Andreimann
> >          Using Linux since 1993
> >   Member of ELUG since 29.01.2000
> > 
> 
> 
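Antti's check (look for HOST/ servicePrincipalName values on the machine account) and Marc's before/after comparison, as an added shell example that is not part of the thread. The two `net ads status` dumps below are constructed, abbreviated samples; the attribute names are assumed to appear as `attribute: value` lines, as the thread's diff would show them.

```shell
#!/bin/sh
# Added example: detect whether a Samba machine account in AD has lost its Kerberos
# SPNs, working from the output of `net ads status` (or a saved copy of it).

# Constructed sample: the account as it looks right after `net ads join` (step 2).
SAMPLE_AFTER_JOIN='dn: CN=SAMBASERVER,CN=Computers,DC=example,DC=com
cn: SAMBASERVER
sAMAccountName: SAMBASERVER$
operatingSystem: Samba
operatingSystemVersion: 3.0.0
servicePrincipalName: HOST/sambaserver
servicePrincipalName: HOST/sambaserver.example.com
dNSHostName: sambaserver.example.com'

# Constructed sample: the same account after an NTLM connection, with the OS
# attributes rewritten and the HOST/ SPNs gone (step 4, as the thread describes it).
SAMPLE_AFTER_NTLM='dn: CN=SAMBASERVER,CN=Computers,DC=example,DC=com
cn: SAMBASERVER
sAMAccountName: SAMBASERVER$
operatingSystem: Windows NT
operatingSystemVersion: 4.0
dNSHostName: sambaserver.example.com'

# count_host_spns: number of servicePrincipalName values of the form HOST/... in the
# LDAP dump read on stdin. These are what Kerberos clients need to get a ticket for
# the Samba host; grep -c prints 0 and exits 1 when none match, hence "|| true".
count_host_spns() {
    grep -c -i '^servicePrincipalName: *HOST/' || true
}

# check_machine_account: reads a dump on stdin, shows the OS attributes for
# comparison with the previous run, and returns 0 if at least one HOST/ SPN is
# present, 1 if the account has been degraded to an NT4-style (NTLM-only) record.
check_machine_account() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -i '^operatingSystem' || true
    n=$(printf '%s\n' "$dump" | count_host_spns)
    if [ "$n" -gt 0 ]; then
        echo "OK: $n HOST/ SPN(s) present; Kerberos logons to this host should still work"
        return 0
    fi
    echo "WARNING: no HOST/ SPN left on the machine account; Kerberos clients will fall back or fail"
    return 1
}

# On a real server: net ads status | check_machine_account
printf '%s\n' "$SAMPLE_AFTER_JOIN" | check_machine_account || true
printf '%s\n' "$SAMPLE_AFTER_NTLM" | check_machine_account || true
```

Saving the output of `net ads status` before and after a test connection and running `diff` on the two files reproduces Marc's steps 2 and 4; the function above only automates the part of the diff that matters for Kerberos.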