[cifs-protocol] NTLM username / password routing on member servers and on an AD DC
abartlet at samba.org
Tue Aug 19 21:38:35 MDT 2014
I've got Samba to the point where Samba can be a subdomain to a Windows
AD domain, something we have been working on for a number of years.
As context, we did some work on this at a number of previous plugfest
events, and this work has been mostly to re-animate this effort, and to
make it useful to end users, by having it also work for NTLM.

In doing NTLM authentication, it has become clear to me that I need a
much more correct routing solution than I've used to date. That is, for
a username of user@mycompany.com (a UPN not associated with any domain),
user@my.domain.com, user@sub.my.domain.com or SUB\user, how do I,
potentially not being a global catalog server, work out that a user has
this SPN, and route that to the appropriate trusted domain?

How should I work these things out first as a domain member (e.g. a file
server), and more particularly as a DC?

It appears from our previous investigations that as a domain member, we
should authenticate locally if the username is SERVER\user, then forward
to a DC, and if the DC returns NO_SUCH_USER but not authoritative (a
flag on the SamLogon reply), then try to authenticate locally.

Is there a similar pattern of forwarding required on the DC, perhaps to
a global catalog server that may know the full set of users in the

As an added degree of difficulty, if there are 3 domains, in the
typical parent-and-two-child pattern, how do I work out the 'route'
across the transitive trust?
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
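The member-server routing pattern the message describes (local accounts authenticated locally, everything else forwarded to a DC, with a local fallback only when the DC's NO_SUCH_USER reply is not authoritative), modelled as an added example; this is not Samba code, and `LOCAL_SERVER`, `fake_dc`, `DC_SCOPES` and the status strings are constructed stand-ins.

```python
from dataclasses import dataclass

LOCAL_SERVER = "FILESRV"          # hypothetical member server NetBIOS name
DC_SCOPES = {"MY", "my.domain.com"}  # names the constructed DC is authoritative for
OK, NO_SUCH_USER, WRONG_PW = "STATUS_OK", "STATUS_NO_SUCH_USER", "STATUS_WRONG_PASSWORD"

@dataclass
class LogonResult:
    status: str
    authoritative: bool  # models the "authoritative" flag on the SamLogon reply

def parse_name(username):
    r"""Split DOMAIN\user, user@realm or a bare name into (scope, kind, account)."""
    if "\\" in username:
        dom, acct = username.split("\\", 1)
        return dom.upper(), "netbios", acct
    if "@" in username:
        acct, realm = username.rsplit("@", 1)
        return realm.lower(), "upn", acct
    return LOCAL_SERVER, "netbios", username  # bare name: treat as local

def route_logon(username, password, local_db, dc_logon):
    """Return (where the decision was made, success) for one logon attempt."""
    scope, kind, acct = parse_name(username)
    # 1. SERVER\user is a local account: never leaves this machine.
    if kind == "netbios" and scope == LOCAL_SERVER:
        return "local", local_db.get(acct) == password
    # 2. Any other form is forwarded to a DC of the joined domain.
    reply = dc_logon(username, password)
    if reply.status == OK:
        return "dc", True
    # 3. Only a NON-authoritative NO_SUCH_USER permits the local fallback;
    #    an authoritative denial must not be retried against local accounts.
    if reply.status == NO_SUCH_USER and not reply.authoritative:
        return "local-fallback", local_db.get(acct) == password
    return "dc", False

def fake_dc(username, password):
    """Constructed DC: knows MY\\alice and is authoritative only for DC_SCOPES."""
    scope, _kind, acct = parse_name(username)
    known = {("MY", "alice"): "pw1"}
    if (scope, acct) in known:
        return LogonResult(OK if known[(scope, acct)] == password else WRONG_PW, True)
    return LogonResult(NO_SUCH_USER, scope in DC_SCOPES)
```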