[cifs-protocol] NTLM username / password routing on member servers and on an AD DC

Andrew Bartlett abartlet at samba.org
Tue Aug 19 21:38:35 MDT 2014

I've got Samba to the point where Samba can be a subdomain to a Windows
AD domain, something we have been working on for a number of years.

As context, we did some work on this at a number of previous plugfest
events, and this work has been mostly to re-animate this effort, and to
make it useful to end users, by having it also work for NTLM.

In doing NTLM authentication, it has become clear to me that I need a
much more correct routing solution than I've used to date.  That is, for
a username of user@mycompany.com (a UPN not associated with any domain),
user@my.domain.com, user@sub.my.domain.com or SUB\user, how do I,
potentially not being a global catalog server, work out that a user has
this SPN, and route that to the appropriate trusted domain?

How should I work these things out first as a domain member (e.g. a file
server), and more particularly as a DC?

It appears from our previous investigations that as a domain member, we
should authenticate locally if the username is SERVER\user, then forward
to a DC, and if the DC returns NO_SUCH_USER but not authoritative (a
flag on the SamLogon reply), then try and authenticate locally.

Is there a similar pattern of forwarding required on the DC, perhaps to
a global catalog server who may know the full set of users in the

As an added degree of difficulty, if there are 3 domains, in the
typical parent-and-two-child pattern, how do I work out the 'route'
across the transitive trust?


Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
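The member-server routing rule described in the message above (authenticate locally for SERVER\user, otherwise forward to a DC, and fall back to the local SAM only when the DC answers NO_SUCH_USER without the authoritative flag set), written out as an added illustration. This is not code from the original message or from Samba. The username parser, the `route_member_logon` function, the NTSTATUS-style status strings, and the in-memory local SAM and DC stand-ins are all constructed for the example; in particular, the point at which the fake DC clears the authoritative flag (a realm it has never heard of) is an assumption made so that the fallback path can be exercised offline.

```python
"""Model of NTLM username routing on a domain member (illustrative, not Samba code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Status names follow NTSTATUS spelling; values are strings for readability.
STATUS_SUCCESS = "STATUS_SUCCESS"
STATUS_NO_SUCH_USER = "STATUS_NO_SUCH_USER"
STATUS_WRONG_PASSWORD = "STATUS_WRONG_PASSWORD"


@dataclass
class SamLogonReply:
    """The two fields of a SamLogon reply this routing decision depends on."""
    status: str
    authoritative: bool  # the Authoritative flag on the NetrLogonSamLogon reply


@dataclass
class ParsedName:
    form: str             # "netbios" (DOM\user), "upn" (user@realm) or "bare"
    domain: Optional[str]
    user: str


def parse_name(name: str) -> ParsedName:
    """Split a client-supplied name into its domain part and user part."""
    if "\\" in name:
        dom, user = name.split("\\", 1)
        return ParsedName("netbios", dom.upper(), user)
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        return ParsedName("upn", realm.lower(), user)
    return ParsedName("bare", None, name)


LocalAuth = Callable[[str, str], str]
DcAuth = Callable[[str, str], SamLogonReply]


def route_member_logon(name: str, password: str, local_hostname: str,
                       local_auth: LocalAuth, dc_auth: DcAuth) -> Tuple[str, str]:
    """Return (status, where) for a logon attempt on a member server.

    where is "local" (answered from the local SAM), "dc" (answered by the DC)
    or "local-fallback" (DC said NO_SUCH_USER non-authoritatively, local SAM tried).
    """
    parsed = parse_name(name)
    # Rule 1: SERVER\user names the member itself; never send these to a DC.
    if parsed.form == "netbios" and parsed.domain == local_hostname.upper():
        return local_auth(parsed.user, password), "local"
    # Rule 2: everything else is forwarded to a DC first.
    reply = dc_auth(name, password)
    # Rule 3: only a non-authoritative NO_SUCH_USER permits a local retry;
    # an authoritative answer (including WRONG_PASSWORD) is final.
    if reply.status == STATUS_NO_SUCH_USER and not reply.authoritative:
        return local_auth(parsed.user, password), "local-fallback"
    return reply.status, "dc"


# ---- constructed stand-ins for the local SAM and for a DC -------------------
LOCAL_SAM: Dict[str, str] = {"alice": "pw-alice"}            # constructed
DC_USERS: Dict[str, Dict[str, str]] = {                       # constructed
    "MYDOM": {"bob": "pw-bob"},
    "my.domain.com": {"bob": "pw-bob"},
}


def fake_local_auth(user: str, password: str) -> str:
    if user not in LOCAL_SAM:
        return STATUS_NO_SUCH_USER
    return STATUS_SUCCESS if LOCAL_SAM[user] == password else STATUS_WRONG_PASSWORD


def fake_dc_auth(name: str, password: str) -> SamLogonReply:
    parsed = parse_name(name)
    # Assumption for the example: the DC is authoritative for names in domains it
    # knows and non-authoritative for a UPN realm it has never heard of.
    if parsed.domain not in DC_USERS:
        return SamLogonReply(STATUS_NO_SUCH_USER, authoritative=False)
    users = DC_USERS[parsed.domain]
    if parsed.user not in users:
        return SamLogonReply(STATUS_NO_SUCH_USER, authoritative=True)
    ok = users[parsed.user] == password
    return SamLogonReply(STATUS_SUCCESS if ok else STATUS_WRONG_PASSWORD, True)


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the routing rule over the name forms from the message on a member 'FILESRV'."""
    cases = {
        "FILESRV\\alice": "pw-alice",        # local SAM, never forwarded
        "MYDOM\\bob": "pw-bob",              # forwarded, DC authoritative success
        "MYDOM\\nobody": "x",                # forwarded, DC authoritative NO_SUCH_USER
        "bob@my.domain.com": "wrong",        # forwarded, authoritative WRONG_PASSWORD, no fallback
        "alice@mycompany.com": "pw-alice",   # unknown realm: DC non-authoritative, local fallback
    }
    return {n: route_member_logon(n, p, "FILESRV", fake_local_auth, fake_dc_auth)
            for n, p in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {result}")
```

The check worth keeping from this model is Rule 3: a wrong password reported authoritatively by the DC must not be retried against the local SAM, otherwise a DC-side lockout policy is silently bypassed on the member.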
