Authentication through transitive trusts

Antti Andreimann Antti.Andreimann at
Fri Jul 18 20:50:02 GMT 2003

Marc Kaplan wrote:

> win2k->win2k uses Kerberos, and win2k->nt4 uses NTLMSSP, so it seems like
> the win2k box thinks the Samba Server is a downlevel client (or at least
> only supports NTLM).

I am sorry, I didn't catch the head of this thread, but have You looked into
what AD thinks about the operating system of Your samba host?
I had a problem when AD automatically degraded samba to NT4.0 when it tried
to authenticate non-kerberos users against it with NTLM. Naturally after
that none of the w2k hosts were able to use kerberos tickets to connect to
samba any more.
You can check if this is the case when You look at the machine LDAP entry by
executing net ads status (or was it net ads info, sorry I seem to have
Alzheimer's, and I don't have a Samba 3.0 box here at home to look it up from).
If You do not see any attributes referring to kerberos principals
(HOST/hostname at REALM) then Your trust account has been castrated by AD's
"convenience features".

I have a patch for that, but unfortunately I have not had enough time to
clean up all the other bits as well prior to submitting them to Andrew (I
know, the release time is ticking).
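The check described above, as an added example that is not part of the original thread: it parses a machine account's LDAP attributes in the "attribute: value" form LDAP tools print and reports whether any HOST/ Kerberos principals survive. The two entries are constructed samples, and the attribute names used (servicePrincipalName, userPrincipalName, operatingSystem) are standard AD attributes assumed for the example, not quoted from the thread.

```python
# Constructed sample: a healthy Samba machine account with Kerberos principals.
HEALTHY_ENTRY = """\
sAMAccountName: SAMBAHOST$
operatingSystem: Samba
servicePrincipalName: HOST/sambahost.example.com
servicePrincipalName: HOST/SAMBAHOST
userPrincipalName: HOST/sambahost.example.com@EXAMPLE.COM
"""

# Constructed sample: the same account after AD has treated it as a
# downlevel (NT4-style) host and dropped the principal attributes.
DOWNGRADED_ENTRY = """\
sAMAccountName: SAMBAHOST$
operatingSystem: Windows NT
"""

# Assumed attribute names that carry Kerberos principals in AD.
PRINCIPAL_ATTRS = ("servicePrincipalName", "userPrincipalName")


def parse_entry(text):
    """Turn 'attr: value' lines into {attr: [values]} (multi-valued attrs kept)."""
    attrs = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs


def kerberos_principals(attrs):
    """Collect every HOST/... principal from the principal-bearing attributes."""
    return [value
            for attr in PRINCIPAL_ATTRS
            for value in attrs.get(attr, [])
            if value.upper().startswith("HOST/")]


def check_machine_account(text):
    """Report whether the account still carries Kerberos principals."""
    attrs = parse_entry(text)
    principals = kerberos_principals(attrs)
    return {
        "operatingSystem": attrs.get("operatingSystem", [""])[0],
        "principals": principals,
        "kerberos_ok": bool(principals),  # False means Kerberos auth will fail
    }
```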

