Machine account getting trashed (Was: Authentication through transitive trusts)

Marc Kaplan MKaplan at snapappliance.com
Wed Jul 23 22:49:49 GMT 2003


List:

This may be rehashing already extant data re: this post, but I want to send
some traces that I've done recently.

Samba domain member trace:
Let me introduce the cast of characters

172.16.203.102: Win2k client, no service pack installed
172.16.203.107: Samba domain member server (running alpha19)
172.16.203.201: Win2k DC (KDC in this case)

In the first trace (hostentry-not-corrupted.ethereal.cap), I joined the
domain, and then from the win2k client I did a find computer, and searched
for the Samba server by hostname, and connected by hostname. My brief look
at it shows that at first we offer Kerberos and ntlmssp, and the client
chooses ntlmssp.  Seems that later the client does another negotiate
protocol request, and then we use Kerberos.

In the second trace (hostentry-corrupted.ethereal.cap), I joined the domain,
and then from the win2k client I did a find computer, and searched for the
Samba server by IP, and connected by IP.  Seems that in the TGS-REQ the
win2k client asks the KDC for the principal 172.16.203.107 at win2kdom.snap2,
which is wrong (correct is mkaplan-manta1 at win2kdom.snap2), and KRB-ERR is
returned to the client, who then tries NTLMSSP.


Win2k domain member trace:
The next set of traces have the following characters:
172.16.203.102: Win2k client, no service pack installed
172.16.203.220: Win2k domain member server 
172.16.203.201: Win2k DC (KDC in this case)

In the first trace (hostentry-not-corrupted-win2kbyhostname.ethereal.cap), I
joined the domain with the win2k domain member server, did a find computer
and searched and connected by hostname.

In the second trace (hostentry-not-corrupted-win2kbyip.ethereal.cap), I
joined the domain with the win2k domain member server, did a find computer
and searched and connected by IP.

The question is why does the host account not get trashed in
hostentry-not-corrupted-win2kbyip.ethereal.cap when the same set of
behaviors for samba in hostentry-corrupted.ethereal.cap corrupted it?

Let me know if I can provide some more information.

				-Marc
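The difference between the two Samba traces above comes down to what name the client had in hand when it built the Kerberos service principal: a hostname it can look up, or an IP literal no host account is registered under. The script below is an added example for this thread, not Samba or Ethereal code. It classifies a simplified, constructed view of the exchange (NegProt response, TGS-REQ, KRB-ERROR, AP-REQ or NTLMSSP negotiate) the way you would when reading such a capture, and flags the IP-literal case. The event format, field names and the two sample traces are this example's own constructions mirroring the by-hostname and by-IP cases in the mail; the principal form `host@realm` follows the mail's abbreviation (a real Windows client asks for the `cifs/host` SPN).

```python
"""Classify how a CIFS session ended up authenticating, from a simplified
view of the Kerberos / NTLMSSP exchange seen in a packet trace.

Added example for the samba-technical thread; not Samba or Ethereal code.
Event dicts and the two sample traces below are constructed to mirror the
connect-by-hostname and connect-by-IP cases described in the mail.
"""
import ipaddress

# RFC 4120 KRB-ERROR code: "server principal not found in database".
# Assumed here to be the KRB-ERR the KDC returned in the by-IP trace.
KDC_ERR_S_PRINCIPAL_UNKNOWN = 7


def is_ip_literal(target: str) -> bool:
    """True if the name the client was given is an IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(target.strip("[]"))
        return True
    except ValueError:
        return False


def expected_service_principal(target: str, realm: str):
    """Principal a client can sensibly ask the KDC for, or None.

    None for an IP literal: no machine account is registered under an
    address, so a TGS-REQ for it can only draw a KRB-ERROR (the
    'corrupted' trace case).  Uses the mail's abbreviated host@realm form.
    """
    if is_ip_literal(target):
        return None
    host = target.split(".")[0].lower()  # short hostname, case-folded
    return f"{host}@{realm}"


def classify_session(events):
    """Walk trace events in order; report the final mechanism and why."""
    summary = {"offered": [], "tgs_principal": None,
               "kdc_error": None, "final_mech": None, "reason": ""}
    for ev in events:
        kind = ev["type"]
        if kind == "NEGPROT_RESPONSE":          # server lists mechs
            summary["offered"] = list(ev["mechs"])
        elif kind == "TGS-REQ":                 # client asks KDC for a ticket
            summary["tgs_principal"] = ev["sname"]
        elif kind == "KRB-ERROR":               # KDC refused
            summary["kdc_error"] = ev["error_code"]
        elif kind == "AP-REQ":                  # ticket presented to server
            summary["final_mech"] = "KRB5"
        elif kind == "NTLMSSP_NEGOTIATE":       # client went to NTLMSSP
            summary["final_mech"] = "NTLMSSP"

    sname = summary["tgs_principal"] or ""
    host_part = sname.split("@")[0]
    if summary["final_mech"] == "NTLMSSP":
        if (summary["kdc_error"] == KDC_ERR_S_PRINCIPAL_UNKNOWN
                and is_ip_literal(host_part)):
            summary["reason"] = ("client built the Kerberos principal from "
                                 "an IP literal; KDC rejected it; fell back "
                                 "to NTLMSSP")
        elif summary["kdc_error"] is not None:
            summary["reason"] = (f"KDC error {summary['kdc_error']}; "
                                 "fell back to NTLMSSP")
        elif "KRB5" in summary["offered"]:
            summary["reason"] = "KRB5 offered but client chose NTLMSSP"
        else:
            summary["reason"] = "server did not offer KRB5"
    elif summary["final_mech"] == "KRB5":
        summary["reason"] = "Kerberos ticket presented to the server"
    else:
        summary["reason"] = "no authentication seen"
    return summary


# Constructed sample traces (addresses and names taken from the mail).
TRACE_BY_HOSTNAME = [
    {"type": "NEGPROT_RESPONSE", "src": "172.16.203.107",
     "mechs": ["KRB5", "NTLMSSP"]},
    {"type": "TGS-REQ", "src": "172.16.203.102",
     "sname": "mkaplan-manta1@win2kdom.snap2"},
    {"type": "AP-REQ", "src": "172.16.203.102"},
]
TRACE_BY_IP = [
    {"type": "NEGPROT_RESPONSE", "src": "172.16.203.107",
     "mechs": ["KRB5", "NTLMSSP"]},
    {"type": "TGS-REQ", "src": "172.16.203.102",
     "sname": "172.16.203.107@win2kdom.snap2"},
    {"type": "KRB-ERROR", "src": "172.16.203.201",
     "error_code": KDC_ERR_S_PRINCIPAL_UNKNOWN},
    {"type": "NTLMSSP_NEGOTIATE", "src": "172.16.203.102"},
]

if __name__ == "__main__":
    for name, trace in (("by hostname", TRACE_BY_HOSTNAME),
                        ("by IP", TRACE_BY_IP)):
        s = classify_session(trace)
        print(f"{name}: {s['final_mech']} ({s['reason']})")
```

Run it as-is to see the two outcomes side by side; to apply it to a real capture you would feed it the same event types pulled from the KRB5 and SPNEGO dissections rather than the constructed lists.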


> -----Original Message-----
> From: Richard Sharpe [mailto:rsharpe at richardsharpe.com]
> Sent: Saturday, July 19, 2003 8:28 AM
> To: Antti Andreimann
> Cc: samba-technical at lists.samba.org
> Subject: RE: Authentication through transitive trusts
> 
> 
> On Sat, 19 Jul 2003, Antti Andreimann wrote:
> 
> > >> I speculated that it was because Kerberos authentication wasn't being
> > >> performed.  I don't know that for a fact, but it seems reasonable.
> > > 
> > > You are absolutely correct here. Samba responds in a way that forces the
> > > client to go straight to NTLMSSP rather than using the offered KRB5.
> > >  
> > >> If that is the cause, then wouldn't "fixing up the kerberos case" be the
> > >> only solution?
> > > 
> > > Correct. However, we have to figure out what we are doing wrong in the
> > > NegProt response that causes the client to ignore the offered KRB5.
> > 
> > I am not sure if the problem is in NegProt response at all.
> > It seems to me that w2k completely ignores the principal offered there and
> > uses the information it gets from AD instead.
> > There could be two reasons for that:
> > 1. W2K does not understand the NegProt response it gets.
> > 2. W2K is designed to ignore what server tells when AD is available.
> > 
> > Based on my previous experiences with Microsoft stuff I'm assuming that case
> > two is more likely to be the correct one.
> 
> OK, I had not considered that. Samba sent back a reasonable looking 
> principal in the trace I have access to. hostname$@WIN1DOM.LOCAL
> 
> Regards
> -----
> Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
> sharpe[at]ethereal.com, http://www.richardsharpe.com
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: hostentry-not-corrupted-win2kbyhostname.ethereal.cap
Type: application/octet-stream
Size: 37827 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030723/c2987435/hostentry-not-corrupted-win2kbyhostname.ethereal.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hostentry-not-corrupted-win2kbyip.ethereal.cap
Type: application/octet-stream
Size: 30245 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030723/c2987435/hostentry-not-corrupted-win2kbyip.ethereal.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hostentry-corrupted.ethereal.cap
Type: application/octet-stream
Size: 45328 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030723/c2987435/hostentry-corrupted.ethereal.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hostentry-not-corrupted.ethereal.cap
Type: application/octet-stream
Size: 47695 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030723/c2987435/hostentry-not-corrupted.ethereal.obj
