[cifs-protocol] [REG:114082011718524] 114082011718524 NTLM username / password routing on member servers and on an AD DC

Obaid Farooqi obaidf at microsoft.com
Mon Sep 8 10:33:43 MDT 2014

Hi Andrew:
The answers to your questions are in MS-NRPC, specifically in sections "1.3.1 Pass-Through Authentication" and "1.3.2 Pass-Through Authentication and Domain Trusts".

I cannot advise you on how to implement this in your environment but I can tell you how Windows does it. 

As far as how Windows does it, here is what happens in Windows:

1. First it is determined whether the server (the machine receiving the NTLM AUTHENTICATE message) is a member of a domain or not. If the server is not a member of a domain, then the SAM is tried right away.
2. If the server is a member of a domain, Netlogon is the default method. But before shipping the logon request to the DC, the server tries the SAM first and, in case of a failure, sends the request to the DC.

I did not see any difference in processing when the server is just a member server or a DC (non-GC).

I was not able to reproduce the situation in which a DC returns a non-authoritative response. I tried it in a situation where there is one root DC with two child DCs and a member server that is joined to one of the child domains. If you can please let me know a scenario where a DC returns non-authoritative, I'll see what Windows does.

I'll update you on the following question as I continue my investigation on the root DC:
1. does user have this SPN?

Obaid Farooqi
Escalation Engineer | Microsoft

Exceeding your expectations is my highest priority.  If you would like to provide feedback on your case you may contact my manager at nkang at Microsoft dot com

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Saturday, August 30, 2014 3:44 AM
To: Obaid Farooqi
Cc: cifs-protocol at samba.org; MSSolve Case Email
Subject: Re: [REG:114082011718524] 114082011718524 NTLM username / password routing on member servers and on an AD DC

On Wed, 2014-08-27 at 18:41 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> I am still working on this issue. 
> I need just a little clarification. In the following paragraph from your question:
> "
> It appears from our previous investigations that as a domain member, we should authenticate locally if the username is SERVER\user, then forward to a DC, and if the DC returns NO_SUCH_USER but not authoritative (a flag on the SamLogon reply), then to try and authenticate locally.
> "
> I think the part "... then to try and authenticate locally." does not sound right. Is it correct?

Yes, that is what we understand to be how Windows works: that after the logon fails at the DC, if the DC replies without the 'authoritative'
flag in the SamLogon* call, the local SAM should then be tried.

Samba doesn't do this (it should; it is one of the many bugs I should have addressed long ago). It instead tries to intuit which domains the DC
*would* give this reply to, by using the trusted domain list, but we understand this to be wrong. There were threads on samba-technical about all this; I can dig them up if it helps.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
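The routing described in the two messages above (standalone server: SAM only; domain member: local SAM for SERVER\user names, pass-through to a DC via Netlogon otherwise, and a fall-back to the local SAM when the DC answers NO_SUCH_USER without the authoritative flag) is sketched below as a small simulator. This is an added example written for this page, not code from Windows, Samba or MS-NRPC; the function names (route_ntlm_logon, make_dc), the DcReply/LogonResult types, the status strings and the sample SAM and domain contents are all constructed assumptions. The sam_first switch models the two orderings the thread discusses: Obaid's observation that a Windows member server tries the SAM before Netlogon, and Andrew's description where only SERVER\user goes local first and the SAM is retried on a non-authoritative reply.

```python
"""Simulator for NTLM logon routing on a standalone server, a member server
and a DC. Constructed example; not Windows, Samba or MS-NRPC code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed status names, modelled on the NTSTATUS values the thread mentions.
STATUS_OK = "STATUS_SUCCESS"
STATUS_NO_SUCH_USER = "STATUS_NO_SUCH_USER"
STATUS_WRONG_PASSWORD = "STATUS_WRONG_PASSWORD"


@dataclass
class DcReply:
    status: str
    authoritative: bool  # models the 'Authoritative' flag on the SamLogon reply


@dataclass
class LogonResult:
    status: str
    backend: str                      # "SAM" or "NETLOGON": who gave the final answer
    trace: List[Tuple] = field(default_factory=list)


def sam_logon(sam: Dict[str, str], user: str, password: str) -> str:
    """Local SAM check (plain password compare stands in for NTLM proof)."""
    if user not in sam:
        return STATUS_NO_SUCH_USER
    return STATUS_OK if sam[user] == password else STATUS_WRONG_PASSWORD


def make_dc(domains: Dict[str, Dict[str, str]]) -> Callable[[str, str, str], DcReply]:
    """Build a DC that is authoritative only for the domains it knows.
    An unknown domain (not its own and not a trust it can resolve) yields
    NO_SUCH_USER *without* the authoritative flag."""
    def dc_logon(domain: str, user: str, password: str) -> DcReply:
        db = domains.get(domain.upper())
        if db is None:
            return DcReply(STATUS_NO_SUCH_USER, authoritative=False)
        return DcReply(sam_logon(db, user, password), authoritative=True)
    return dc_logon


def route_ntlm_logon(server_name: str, joined_domain: Optional[str],
                     local_sam: Dict[str, str],
                     dc_logon: Callable[[str, str, str], DcReply],
                     domain: str, user: str, password: str,
                     sam_first: bool = True) -> LogonResult:
    trace: List[Tuple] = []

    def local() -> str:
        status = sam_logon(local_sam, user, password)
        trace.append(("SAM", status))
        return status

    # 1. Standalone server: only the local SAM exists, try it right away.
    if joined_domain is None:
        return LogonResult(local(), "SAM", trace)

    # Names of the form SERVER\user are local accounts; never forward them.
    if domain.upper() == server_name.upper():
        return LogonResult(local(), "SAM", trace)

    # 2. Member server / DC: Windows (per the thread) tries the SAM before
    #    Netlogon and only forwards on failure.
    if sam_first and local() == STATUS_OK:
        return LogonResult(STATUS_OK, "SAM", trace)

    # 3. Pass-through authentication: ship the request to a DC via Netlogon.
    reply = dc_logon(domain, user, password)
    trace.append(("NETLOGON", reply.status,
                  "authoritative" if reply.authoritative else "non-authoritative"))
    if reply.authoritative:
        return LogonResult(reply.status, "NETLOGON", trace)

    # 4. Non-authoritative NO_SUCH_USER means the DC does not own that name;
    #    fall back to the local SAM unless it was already consulted in step 2.
    if reply.status == STATUS_NO_SUCH_USER and not sam_first:
        return LogonResult(local(), "SAM", trace)
    return LogonResult(reply.status, "NETLOGON", trace)


# Constructed sample data: a member server MEMBER1 in CORP with one local account.
LOCAL_SAM = {"bob": "local-secret"}
CORP_DC = make_dc({"CORP": {"alice": "Passw0rd!"}})


def standalone_case() -> LogonResult:
    return route_ntlm_logon("WKS1", None, LOCAL_SAM, CORP_DC, "WKS1", "bob", "local-secret")


def member_domain_user() -> LogonResult:
    return route_ntlm_logon("MEMBER1", "CORP", LOCAL_SAM, CORP_DC, "CORP", "alice", "Passw0rd!")


def member_local_user() -> LogonResult:
    return route_ntlm_logon("MEMBER1", "CORP", LOCAL_SAM, CORP_DC, "MEMBER1", "bob", "local-secret")


def non_authoritative_fallback() -> LogonResult:
    # Andrew's model: forward first, retry the SAM on a non-authoritative reply.
    return route_ntlm_logon("MEMBER1", "CORP", LOCAL_SAM, CORP_DC, "ELSEWHERE", "bob",
                            "local-secret", sam_first=False)


def authoritative_failure() -> LogonResult:
    # An authoritative WRONG_PASSWORD from the DC must not trigger a SAM retry.
    return route_ntlm_logon("MEMBER1", "CORP", LOCAL_SAM, CORP_DC, "CORP", "alice",
                            "wrong", sam_first=False)
```

The trace on each LogonResult records which backend was asked in which order, which is the part Samba has to get right: the fall-back to the SAM is keyed on the DC's authoritative flag, not on a locally guessed list of trusted domains.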
