[Samba] deactivating NTLM fallback when accessing a share and kerberos auth fails

Guillaume Rousse Guillaume.Rousse at inria.fr
Wed Feb 11 16:10:02 GMT 2009


Guillaume Rousse wrote:
> For members of the domain, though, the client first attempts a kerberos 
> auth, which fails, as he is not using print server FQDN, and doesn't 
> perform host name canonicalization. 
Actually, from reading the logs, this is false: samba doesn't even 
attempt to perform a kerberos auth when a share is accessed through a 
non-FQDN name, but directly attempts NTLM:

[2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
   Doing spnego session setup
[2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
   NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/02/11 16:59:46, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
   check_spnego_blob_complete: needed_len = 180, pblob->length = 180
[2009/02/11 16:59:46,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
   Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
[2009/02/11 16:59:46,  5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(68)
   auth_context challenge set by NTLMSSP callback (NTLM2)

When using a FQDN, this becomes:

[2009/02/11 16:57:33,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
   Doing spnego session setup
[2009/02/11 16:57:33,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
   NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/02/11 16:57:33, 10] smbd/password.c:register_initial_vuid(194)
   register_initial_vuid: allocated vuid = 114
[2009/02/11 16:57:33, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
   check_spnego_blob_complete: needed_len = 1365, pblob->length = 1365
[2009/02/11 16:57:33,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
   parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2009/02/11 16:57:33,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
   parse_spnego_mechanisms: Got OID 1 2 840 113554 1 2 2
[2009/02/11 16:57:33,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
   parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2009/02/11 16:57:33,  3] smbd/sesssetup.c:reply_spnego_negotiate(800)
   reply_spnego_negotiate: Got secblob of size 1299
[2009/02/11 16:57:33, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(273)

Can someone enlighten me about this behaviour difference?
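
Added example, not part of the original post and not Samba code: a small Python parser that reads smbd debug output like the two excerpts in this message and reports, for each SPNEGO session setup request, which mechanisms the client offered and whether smbd went down the NTLMSSP path or reached Kerberos ticket verification. The helper names `parse_entries` and `classify_requests` are hypothetical; it assumes a log from a single client at a debug level high enough to show these functions, and "kerberos" only means `ads_secrets_verify_ticket` was reached, not that the ticket was accepted.

```python
import re

HEADER = re.compile(r"^\[[\d/]+ [\d:]+,\s*\d+\]\s*(?P<loc>\S.*)?$")
LOCATION = re.compile(r"^[\w./]+:(?P<func>\w+)\(\d+\)$")
OID_NAMES = {"1 2 840 48018 1 2 2": "MS-KRB5", "1 2 840 113554 1 2 2": "KRB5",
             "1 3 6 1 4 1 311 2 2 10": "NTLMSSP"}
PATHS = {"ntlmssp_server_auth": "ntlmssp", "ads_secrets_verify_ticket": "kerberos"}

def parse_entries(text):
    """Return [function, message] pairs; a header's location may wrap to the next line."""
    entries = []
    for line in map(str.strip, text.splitlines()):
        header = HEADER.match(line)
        if header:
            entries.append([None, ""])
            line = header["loc"] or ""
        if entries and line:
            loc = LOCATION.match(line)
            if loc and entries[-1] == [None, ""]:
                entries[-1][0] = loc["func"]
            else:
                entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return entries

def classify_requests(text):
    """One record per SPNEGO session setup: mechanisms offered and the path smbd took."""
    requests = []
    for func, msg in parse_entries(text):
        if func == "reply_sesssetup_and_X_spnego" and msg.startswith("Doing spnego"):
            requests.append({"offered": [], "path": "unknown"})
        elif requests and func == "parse_spnego_mechanisms" and "Got OID " in msg:
            oid = msg.split("Got OID ", 1)[1]
            requests[-1]["offered"].append(OID_NAMES.get(oid, oid))
        elif requests and func in PATHS:
            requests[-1]["path"] = PATHS[func]
    return requests

# Abridged from the two excerpts in the post: short name first, then FQDN.
SAMPLE = """\
[2009/02/11 16:59:46,  3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
   Doing spnego session setup
[2009/02/11 16:59:46,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
[2009/02/11 16:57:33,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
   Doing spnego session setup
[2009/02/11 16:57:33,  5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
   parse_spnego_mechanisms: Got OID 1 2 840 113554 1 2 2
[2009/02/11 16:57:33, 10]
libads/kerberos_verify.c:ads_secrets_verify_ticket(273)"""
```

Calling `classify_requests(SAMPLE)` gives one record with path `ntlmssp` and no parsed mechanism list, and one with path `kerberos`; a record that stays `unknown` is a session setup round where neither function appeared in the log.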

