[cifs-protocol] 114082011718524 NTLM username / password routing on member servers and on an AD DC

Sreekanth Nadendla srenaden at microsoft.com
Wed Aug 20 08:36:47 MDT 2014

Casemail in Cc
Dochelp in Bcc

Hello Andrew Bartlett,
                                       Thank you for your inquiry about Active Directory protocols. We have created incident 114082011718524 to track the investigation for this issue. One of the Open specifications team member will contact you shortly.

Sreekanth Nadendla
Microsoft Windows Open Specifications

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Tuesday, August 19, 2014 11:39 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: NTLM username / password routing on member servers and on an AD DC

I've got Samba to the point where Samba can be a subdomain to a windows AD domain, something we have been working on for a number of years.

As context, we did some work on this at a number of previous plugfest events, and this work has been mostly to re-animate this effort, and to make it useful to end users, by having it also work for NTLM authentication.  

In doing NTLM authentication, it has become clear to me that I need a much more correct routing solution than I've used to date.  That is, for a username of user at mycompany.com (A UPN not associated with any domain), user at my.domain.com, user at sub.my.domain.com or SUB\user, how do I, potentially not being a global catalog server, work out that a user has this SPN, and route that to the appropriate trusted domain?  

How should I work these things out first as a domain member (eg a file server), and more particularly as a DC?

It appears from our previous investigations that as a domain member, we should authenticate locally if the username in SERVER\user, then forward to a DC, and if the DC returns NO_SUCH_USER but not authoritative (a flag on the SamLogon reply), then to try and authenticate locally.

Is there a similar pattern of forwarding required on the DC, perhaps to a global catalog server who may know the fill set of users in the forest?

As an added degree of difficultly, If there are 3 domains, in the typical parent-and-two-child pattern, how do I work out the 'route'
across the transitive trust?


Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list