Authentication through transitive trusts

Marc Kaplan MKaplan at snapappliance.com
Fri Jul 18 22:29:01 GMT 2003


I actually have noticed that the operatingSystem and the
operatingSystemVersion change, but I never correlated it to anything. What I
just found is that it doesn't matter if you connect with a downlevel client;
the LDAP record gets changed when ANY client tries to connect.

Here are the steps I took:
1. Joined the ADS domain
2. Ran a net ads status
3. Connected via SMB (net use * \\sambaserver\share1) using the DC as a client,
   i.e. DC --conn--> Samba Server
4. Ran a net ads status.

I'm attaching the results of steps 2 and 4 and a diff of the two.



> -----Original Message-----
> From: Antti Andreimann [mailto:Antti.Andreimann at mail.ee]
> Sent: Friday, July 18, 2003 1:50 PM
> To: samba-technical at lists.samba.org
> Subject: RE: Authentication through transitive trusts
> 
> 
> Marc Kaplan wrote:
> 
> > win2k->win2k uses Kerberos, and win2k->nt4 uses NTLMSSP, so it seems like
> > the win2k box thinks the Samba Server is a downlevel client (or at least
> > only supports NTLM).
> 
> I am sorry, I didn't catch the head of this thread, but have you looked into
> what AD thinks about the operating system of your Samba host? I had a problem
> when AD automatically degraded Samba to NT 4.0 when it tried to authenticate
> non-Kerberos users against it with NTLM. Naturally, after that none of the
> W2K hosts were able to use Kerberos tickets to connect to Samba any more.
> You can check if this is the case when you look at the machine LDAP entry by
> executing net ads status (or was it net ads info? Sorry, I seem to have
> Alzheimer's, and I don't have a Samba 3.0 box here at home to look it up on).
> If you do not see any attributes referring to Kerberos principals
> (HOST/hostname@REALM), then your trust account has been castrated by AD's
> "convenience features".
> 
> I have a patch for that, but unfortunately I have not had enough time to
> clean up all the other bits as well prior to submitting them to Andrew (I
> know, the release time is ticking).
> 
> -- 
>               Antti Andreimann
>          Using Linux since 1993
>   Member of ELUG since 29.01.2000
> 

Attachments (non-text, scrubbed by the list archive):
- diffafterjoin.out (application/octet-stream, 492 bytes):
  http://lists.samba.org/archive/samba-technical/attachments/20030718/45b3fab1/diffafterjoin.obj
- afterdcconn.out (application/octet-stream, 6639 bytes):
  http://lists.samba.org/archive/samba-technical/attachments/20030718/45b3fab1/afterdcconn.obj
- afterjoin.out (application/octet-stream, 6763 bytes):
  http://lists.samba.org/archive/samba-technical/attachments/20030718/45b3fab1/afterjoin.obj
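The before/after procedure Marc describes (capture net ads status, connect from the DC, capture again, diff) and the check Antti suggests (look for HOST/ principals on the machine account) can be scripted. The following is an added example, not code from the thread or from the Samba project. It assumes that net ads status prints the machine account's LDAP entry as one "attribute: value" per line and that the attribute names used (operatingSystem, operatingSystemVersion, servicePrincipalName, userPrincipalName, dNSHostName, userAccountControl) are the standard AD computer-object attributes; the two sample captures it writes are constructed for the example and are not the attachments from the mail.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: compare two captures of
# "net ads status" taken before and after a client connection and report which
# Kerberos-relevant machine-account attributes changed.
#
# Assumptions not stated on the page: "net ads status" prints the machine
# account's LDAP entry as one "attribute: value" per line, and the attribute
# names below are the standard AD computer-object attributes. The captures
# written by write_sample_captures are constructed; they are not the
# attachments from the mail.

# Attributes worth watching: the OS fields the thread says AD rewrites, the
# SPNs a Kerberos client needs to obtain a ticket for HOST/hostname, the UPN,
# and userAccountControl (the flag word on the trust account).
WATCH='^(operatingSystem|operatingSystemVersion|servicePrincipalName|userPrincipalName|dNSHostName|userAccountControl):'

# extract_watched FILE: print the watched "attribute: value" lines, sorted so
# two captures compare line by line regardless of the order LDAP returned them.
extract_watched() {
    grep -E "$WATCH" "$1" | sort
}

# has_host_spn FILE: exit 0 if the account still carries a HOST/ SPN, i.e. the
# principal a Kerberos client would request a ticket for; exit 1 if it is gone.
has_host_spn() {
    grep -Eq '^servicePrincipalName: HOST/' "$1"
}

# compare_status BEFORE AFTER: print removed (-) and added (+) watched lines.
# Exit 0 if nothing changed, 1 if something did, 2 on a temp-file error.
compare_status() {
    b=$(mktemp) || return 2
    a=$(mktemp) || return 2
    extract_watched "$1" > "$b"
    extract_watched "$2" > "$a"
    if cmp -s "$b" "$a"; then
        rm -f "$b" "$a"
        return 0
    fi
    # Keep only diff's "< " / "> " content lines, relabelled as -/+.
    diff "$b" "$a" | sed -n 's/^< /- /p; s/^> /+ /p'
    rm -f "$b" "$a"
    return 1
}

# write_sample_captures DIR: write constructed before/after captures into DIR
# as before.out and after.out. The "after" capture shows the outcome Antti
# describes: OS fields rewritten to NT 4.0 and the HOST/ principals dropped.
# userAccountControl 69632 = 0x11000 (WORKSTATION_TRUST_ACCOUNT | DONT_EXPIRE_PASSWD).
write_sample_captures() {
    cat > "$1/before.out" <<'EOF'
cn: SAMBASERVER
sAMAccountName: SAMBASERVER$
dNSHostName: sambaserver.example.com
operatingSystem: Samba
operatingSystemVersion: 3.0.0
servicePrincipalName: HOST/sambaserver.example.com
servicePrincipalName: HOST/SAMBASERVER
userPrincipalName: HOST/sambaserver.example.com@EXAMPLE.COM
userAccountControl: 69632
EOF
    cat > "$1/after.out" <<'EOF'
cn: SAMBASERVER
sAMAccountName: SAMBASERVER$
dNSHostName: sambaserver.example.com
operatingSystem: Windows NT
operatingSystemVersion: 4.0
userAccountControl: 69632
EOF
}

# Stand-alone run against the constructed samples. With live data, capture
# "net ads status > before.out", make the SMB connection from the DC, capture
# "net ads status > after.out", then run compare_status on the two files.
DEMO_DIR=$(mktemp -d)
write_sample_captures "$DEMO_DIR"
if compare_status "$DEMO_DIR/before.out" "$DEMO_DIR/after.out"; then
    echo "no change in watched attributes"
else
    echo "watched attributes changed (see -/+ lines above)"
fi
if has_host_spn "$DEMO_DIR/after.out"; then
    echo "HOST/ SPN still present"
else
    echo "HOST/ SPN gone: the case Antti describes, W2K clients cannot get a ticket for this host"
fi
rm -rf "$DEMO_DIR"
```

Running it against real captures replaces the heredoc files with the output of net ads status; the -/+ lines are the same information as the diff attached to the mail, narrowed to the attributes that matter for Kerberos.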