[Samba] deactivating NTLM fallback when accessing a share and kerberos auth fails

Guillaume Rousse Guillaume.Rousse at inria.fr
Thu Feb 12 08:49:01 GMT 2009


Volker Lendecke wrote:
> On Wed, Feb 11, 2009 at 05:10:02PM +0100, Guillaume Rousse wrote:
>> Guillaume Rousse wrote:
>>> For members of the domain, though, the client first attempts a kerberos
>>> auth, which fails, as it is not using the print server FQDN, and doesn't
>>> perform host name canonicalization.
>> Actually, from reading the logs, this is false: samba doesn't even 
>> attempt to perform a kerberos auth when a share is accessed through a 
>> non-FQDN name, but directly attempts NTLM:
>>
>> [2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
>>   Doing spnego session setup
>> [2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
>>   NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
>> [2009/02/11 16:59:46, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
>>   check_spnego_blob_complete: needed_len = 180, pblob->length = 180
>> [2009/02/11 16:59:46,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
>>   Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
>> [2009/02/11 16:59:46,  5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(68)
>>   auth_context challenge set by NTLMSSP callback (NTLM2)
> 
> Look at the sniff. Your KDC sends a PRINCIPAL_UNKNOWN when
> the client asks for the ticket with the wrong servername.
> The client then falls back to ntlmssp.
OK, so my initial assumption was not totally erroneous :)

Is there any way to either:
- perform some kind of name canonicalization, either on client or server
side?
- deactivate any kind of authentication but kerberos, either for this
share, or globally?
-- 
BOFH excuse #417:

Computer room being moved.  Our systems are down for the weekend.

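As an added defender-side example (not from this thread and not Samba's own code), a Python scan over smbd debug-log entries like the ones quoted above that reports SPNEGO session setups completed by NTLMSSP with no Kerberos step in between, so the fallback Volker describes can be spotted in the logs. It assumes the log was written at debug level 3 or higher, and that a Kerberos path, when taken, shows up as a function name containing "kerberos" (an assumption, not something the thread states).

```python
import re

# Constructed sample input: the smbd debug-log excerpt quoted in the thread.
SAMPLE_LOG = """\
[2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/02/11 16:59:46, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
  check_spnego_blob_complete: needed_len = 180, pblob->length = 180
[2009/02/11 16:59:46,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
[2009/02/11 16:59:46,  5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(68)
  auth_context challenge set by NTLMSSP callback (NTLM2)
"""

# "[date time, level] file:function(line)" header that starts each smbd log entry
HEADER_RE = re.compile(r"^\[(\S+ \S+),\s*(\d+)\]\s+(\S+):(\w+)\((\d+)\)\s*$")
NTLM_AUTH_RE = re.compile(r"user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")
CHALLENGE_RE = re.compile(r"NTLMSSP callback \((\w+)\)")

def parse_entries(text):
    """Split an smbd debug log into (timestamp, level, source, function, message)."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            ts, level, src, func, _lineno = m.groups()
            entries.append([ts, int(level), src, func, ""])
        elif entries and line[:1].isspace():   # indented continuation = message body
            entries[-1][4] = (entries[-1][4] + " " + line.strip()).strip()
    return [tuple(e) for e in entries]

def find_ntlm_fallbacks(text):
    """One dict per SPNEGO session setup that ended in NTLMSSP without a Kerberos step."""
    found, current = [], None
    for ts, _level, _src, func, msg in parse_entries(text):
        if msg.startswith("Doing spnego session setup"):
            current = {"started": ts, "kerberos": False}
        elif current is None:
            continue
        elif "kerberos" in func.lower():   # assumption: Kerberos path is named as such
            current["kerberos"] = True
        elif func == "ntlmssp_server_auth" and (a := NTLM_AUTH_RE.search(msg)):
            current.update(zip(("user", "domain", "workstation"), a.groups()))
        elif func == "auth_ntlmssp_set_challenge":
            c = CHALLENGE_RE.search(msg)
            current["challenge"] = c.group(1) if c else "unknown"
            if "user" in current and not current["kerberos"]:
                found.append(current)
            current = None
    return found

if __name__ == "__main__":
    for hit in find_ntlm_fallbacks(SAMPLE_LOG):
        print("NTLM fallback:", hit)
```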