[cifs-protocol] [REG:114082011718524] 114082011718524 NTLM username / password routing on member servers and on an AD DC

Obaid Farooqi obaidf at microsoft.com
Wed Aug 20 17:14:00 MDT 2014

Hi Andrew:
I'll help you with this issue and will be in touch as soon as I have an answer.

Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: "Sreekanth Nadendla" <srenaden at microsoft.com> 
Sent: Wednesday, August 20, 2014 9:37 AM
To: "Andrew Bartlett" <abartlet at samba.org>
Cc: "cifs-protocol at samba.org" <cifs-protocol at samba.org>; "MSSolve Case Email" <casemail at microsoft.com>
Subject: [REG:114082011718524] 114082011718524 NTLM username / password routing on member servers and on an AD DC

Casemail in Cc
Dochelp in Bcc 

Hello Andrew Bartlett, 
Thank you for your inquiry about Active Directory protocols. We have created incident 114082011718524 to track the investigation for this issue. One of the Open Specifications team members will contact you shortly.

Sreekanth Nadendla
Microsoft Windows Open Specifications 

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, August 19, 2014 11:39 PM
To: Interoperability Documentation Help
Cc: cifs-protocol at samba.org
Subject: NTLM username / password routing on member servers and on an AD DC 

I've got Samba to the point where Samba can be a subdomain to a Windows AD domain, something we have been working on for a number of years.

As context, we did some work on this at a number of previous plugfest events, and this work has been mostly to re-animate this effort, and to make it useful to end users, by having it also work for NTLM authentication.

In doing NTLM authentication, it has become clear to me that I need a much more correct routing solution than I've used to date.  That is, for a username of user at mycompany.com (a UPN not associated with any domain), user at my.domain.com, user at sub.my.domain.com or SUB\user, how do I, potentially not being a global catalog server, work out that a user has this SPN, and route that to the appropriate trusted domain?

How should I work these things out first as a domain member (eg a file server), and more particularly as a DC? 

It appears from our previous investigations that as a domain member, we should authenticate locally if the username is SERVER\user, then forward to a DC, and if the DC returns NO_SUCH_USER but not authoritative (a flag on the SamLogon reply), then try to authenticate locally.

Is there a similar pattern of forwarding required on the DC, perhaps to a global catalog server who may know the full set of users in the forest?

As an added degree of difficulty, if there are 3 domains, in the typical parent-and-two-child pattern, how do I work out the 'route' across the transitive trust?


Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT  http://catalyst.net.nz/services/samba
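The member-server routing pattern described in the message above (authenticate locally for SERVER\user, otherwise forward to a DC, and fall back to the local SAM only when the DC answers NO_SUCH_USER without the authoritative flag), written out as an added illustrative model. This is example code for this archive page, not Samba, Windows or Microsoft code. The server and domain names (FS01, MYDOM, SUB, my.domain.com, sub.my.domain.com), the users and passwords, and the FakeDC class are constructed sample data; FakeDC stands in for the SamLogon exchange and simply answers for its own and trusted domains instead of forwarding across the trust, which is precisely the DC-side question the message leaves open.

```python
# Constructed model of member-server NTLM logon routing. Illustrative only:
# not Samba or Windows code. All names and credentials below are made up.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Real NTSTATUS values used for the outcomes the model distinguishes.
STATUS_SUCCESS = 0x00000000
STATUS_NO_SUCH_USER = 0xC0000064
STATUS_WRONG_PASSWORD = 0xC000006A


@dataclass
class LogonResult:
    status: int
    authoritative: bool  # models the Authoritative flag on the SamLogon reply
    handled_by: str      # NetBIOS name of the SAM that produced the answer


def split_name(name: str) -> Tuple[Optional[str], str, bool]:
    """Split 'DOM\\user', 'user@suffix' or bare 'user' into (domain, user, is_upn).

    NetBIOS domain names are case-insensitive, so they are upper-cased; UPN
    suffixes are DNS names, so they are lower-cased. A bare user has domain None.
    """
    if "\\" in name:
        dom, user = name.split("\\", 1)
        return dom.upper(), user, False
    if "@" in name:
        user, suffix = name.rsplit("@", 1)
        return suffix.lower(), user, True
    return None, name, False


class FakeDC:
    """Stand-in DC. `users` maps DNS domain -> {user: password}; `trusted` maps
    NetBIOS name -> DNS name for the DC's own domain and the domains it trusts."""

    def __init__(self, netbios: str, dns: str,
                 users: Dict[str, Dict[str, str]], trusted: Dict[str, str]):
        self.netbios, self.dns, self.users, self.trusted = netbios, dns, users, trusted

    def sam_logon(self, domain: Optional[str], user: str, password: str,
                  is_upn: bool) -> LogonResult:
        if domain is None:
            dns = self.dns  # model assumption: bare names are taken as the DC's own domain
        elif is_upn:
            dns = domain if domain in self.users else None
        else:
            dns = self.trusted.get(domain)
        if dns is None:
            # No domain this DC can vouch for: NO_SUCH_USER, but not authoritative,
            # so the caller is free to try another SAM.
            return LogonResult(STATUS_NO_SUCH_USER, False, self.netbios)
        sam = self.users.get(dns, {})
        if user not in sam:
            return LogonResult(STATUS_NO_SUCH_USER, True, self.netbios)
        ok = sam[user] == password
        return LogonResult(STATUS_SUCCESS if ok else STATUS_WRONG_PASSWORD, True, self.netbios)


class MemberServer:
    """Domain member (e.g. a file server) with its own local SAM."""

    def __init__(self, netbios: str, local_users: Dict[str, str], dc: FakeDC):
        self.netbios, self.local_users, self.dc = netbios.upper(), local_users, dc

    def _local(self, user: str, password: str) -> LogonResult:
        if user not in self.local_users:
            return LogonResult(STATUS_NO_SUCH_USER, True, self.netbios)
        ok = self.local_users[user] == password
        return LogonResult(STATUS_SUCCESS if ok else STATUS_WRONG_PASSWORD, True, self.netbios)

    def logon(self, name: str, password: str) -> LogonResult:
        domain, user, is_upn = split_name(name)
        # 1. SERVER\user: the local SAM is the only place to look.
        if not is_upn and domain == self.netbios:
            return self._local(user, password)
        # 2. Everything else (DOM\user, any UPN, bare user) goes to the DC.
        result = self.dc.sam_logon(domain, user, password, is_upn)
        # 3. Fall back to the local SAM only on a non-authoritative NO_SUCH_USER.
        if result.status == STATUS_NO_SUCH_USER and not result.authoritative:
            return self._local(user, password)
        return result


def example_server() -> MemberServer:
    """Constructed sample forest: MYDOM (my.domain.com) with child SUB, and member FS01."""
    dc = FakeDC("MYDOM", "my.domain.com",
                users={"my.domain.com": {"bob": "pw-bob"},
                       "sub.my.domain.com": {"carol": "pw-carol"}},
                trusted={"MYDOM": "my.domain.com", "SUB": "sub.my.domain.com"})
    return MemberServer("FS01", {"alice": "pw-alice"}, dc)


if __name__ == "__main__":
    fs = example_server()
    for name in ("FS01\\alice", "MYDOM\\bob", "carol@sub.my.domain.com",
                 "alice@mycompany.com", "nobody@my.domain.com"):
        print(name, fs.logon(name, "pw-" + split_name(name)[1]))
```

The interesting case is `alice@mycompany.com`: the DC has no domain for that suffix, answers NO_SUCH_USER without the authoritative flag, and the member then finds `alice` in its local SAM. A UPN in a domain the DC does know but a user it does not (`nobody@my.domain.com`) is answered authoritatively and is not retried locally.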
