[cifs-protocol] [REG:114082011718524] 114082011718524 NTLM username / password routing on member servers and on an AD DC

Andrew Bartlett abartlet at samba.org
Mon Sep 8 18:30:13 MDT 2014

On Mon, 2014-09-08 at 16:33 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> The answers to your questions is in MS-NRPC, specifically in sections "1.3.1 Pass-Through Authentication" and "1.3.2 Pass-Through Authentication and Domain Trusts".
> I cannot advise you on how to implement this in your environment but I can tell you how Windows does it. 
> As far as how windows does it, here is what happens in windows:
> 1. first it is determined if the server (machine receiving the ntlm
> authenticate message) is a member of a domain or not. If the server is
> not a member of a domain, then SAM is tried right away.
> 2. If the server is a member of the domain, netlogon is the default
> method. But before shipping the logon request to DC, the server tries
> the SAM first and in case of a failure, sends the request to DC.


> I did not see any difference in processing when the server is just a member server or DC (non GC). 

How does the DC work out what Domain to send it to, when it is one of
many domains in a complex trusted domain tree?

> I was not able to reproduce the situation in which a DC returns a
> non-authoritative response. I tried it in the situation where there is
> one root DC with two child DCs and a member server that is joined to
> one child domains. If you can please let me know a scenario where DC
> returns non-authoritative and I'll see what windows does.

This happens, apparently, when logging on to a domain that doesn't
actually exist (eg, an unrelated random name as the domain or

> I'll update you on the following question as I continue my investigation on rootDC:
> 1. does user have this SPN?


Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the cifs-protocol mailing list