[cifs-protocol] [REG:114082011718524] 114082011718524 NTLM username / password routing on member servers and on an AD DC

[Andrew Bartlett]

On Wed, 2014-08-27 at 18:41 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> I am still working on this issue. 
> I need just a little clarification. In the following paragraph from your question:
> 
> "
> It appears from our previous investigations that as a domain member, we should authenticate locally if the username in SERVER\user, then forward to a DC, and if the DC returns NO_SUCH_USER but not authoritative (a flag on the SamLogon reply), then to try and authenticate locally.
> "
> I think the part "... then to try and authenticate locally." does not sound right. Is it correct?

Yes, that is what we understand to be how windows works.  That after
failing to log on the DC, if the DC replies without the 'authoritative'
flag in the SamLogon* call, that the local SAM should then be tried.

Samba doesn't do this (it should, one of the many bugs I should have
addressed long ago), it instead tries to intuit what domains the DC
*would* give this reply do, by using the trusted domain list, but we
understand this to be wrong.  There were threads on samba-technical
about all this, I can did them up if it helps. 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba