Authentication through transitive trusts
Marc Kaplan
MKaplan at snapappliance.com
Fri Jul 18 22:29:01 GMT 2003
I have actually noticed that the operatingSystem and the
operatingSystemVersion change, but I never correlated it to anything. What I
just found is that it doesn't matter if you connect with a downlevel client;
the LDAP record gets changed when ANY client tries to connect.
Here are the steps I took:
1. Joined the ADS domain
2. Ran a net ads status
3. Connected via SMB (net use * \\sambaserver\share1) using the DC as a client,
i.e. DC--conn--->Samba Server
4. Ran a net ads status.
I'm attaching the results of 2 and 4 and a diff of the two.
> -----Original Message-----
> From: Antti Andreimann [mailto:Antti.Andreimann at mail.ee]
> Sent: Friday, July 18, 2003 1:50 PM
> To: samba-technical at lists.samba.org
> Subject: RE: Authentication through transitive trusts
>
>
> Marc Kaplan wrote:
>
> > win2k->win2k uses Kerberos, and win2k->nt4 uses NTLMSSP, so it seems like
> > the win2k box thinks the Samba Server is a downlevel client (or at least
> > only supports NTLM).
>
> I am sorry, I didn't catch the head of this thread, but have You looked into
> what AD thinks about the operating system of Your samba host?
> I had a problem when AD automatically degraded samba to NT4.0 when it tried
> to authenticate non-kerberos users against it with NTLM. Naturally after
> that none of the w2k hosts were able to use kerberos tickets to connect to
> samba any more.
> You can check if this is the case when You look at the machine LDAP entry by
> executing net ads status (or was it net ads info, sorry, I seem to have
> Alzheimer's, and I don't have a Samba 3.0 box here at home to look it up
> from).
> If You do not see any attributes referring to kerberos principals
> (HOST/hostname at REALM) then Your trust account has been castrated by AD's
> "convenience features".
>
> I have a patch for that, but unfortunately I have not had enough time to
> clean up all the other bits as well prior to submitting them to Andrew (I
> know, the release time is ticking).
>
> --
> Antti Andreimann
> Using Linux since 1993
> Member of ELUG since 29.01.2000
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diffafterjoin.out
Type: application/octet-stream
Size: 492 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030718/45b3fab1/diffafterjoin.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: afterdcconn.out
Type: application/octet-stream
Size: 6639 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030718/45b3fab1/afterdcconn.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: afterjoin.out
Type: application/octet-stream
Size: 6763 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20030718/45b3fab1/afterjoin.obj
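The check Marc describes (dump the machine account with net ads status after the join, dump it again after a client has connected, diff the two) can be scripted so the attributes that matter for Kerberos are compared directly. The script below is an added example and is not code from the thread or from Samba itself. It assumes net ads status prints the machine account as one "attribute: value" line per value; the two dumps embedded in it are constructed samples (hostname, realm and version values are made up), with the second one showing the symptom both posters describe: operatingSystem rewritten to an NT 4.0 value and every servicePrincipalName gone.

```python
"""Compare two `net ads status` dumps of a Samba machine account and report
the attribute changes that matter for Kerberos.

Added example, not from the thread. Assumes `net ads status` prints one
"attribute: value" line per value; sample dumps below are constructed.
"""
from collections import defaultdict

# Attributes whose change or disappearance indicates AD rewrote the trust
# account (the symptom discussed in the thread).
WATCHED = ("operatingSystem", "operatingSystemVersion", "servicePrincipalName")

# Constructed sample: dump taken right after `net ads join`.
AFTER_JOIN = """\
dn: CN=SAMBASERVER,CN=Computers,DC=example,DC=com
cn: SAMBASERVER
sAMAccountName: SAMBASERVER$
operatingSystem: Samba
operatingSystemVersion: 3.0.0
servicePrincipalName: HOST/sambaserver
servicePrincipalName: HOST/sambaserver.example.com
userAccountControl: 69632
"""

# Constructed sample: dump taken after a client connected over SMB.
AFTER_CONN = """\
dn: CN=SAMBASERVER,CN=Computers,DC=example,DC=com
cn: SAMBASERVER
sAMAccountName: SAMBASERVER$
operatingSystem: Windows NT
operatingSystemVersion: 4.0
userAccountControl: 69632
"""


def parse_status(text):
    """Parse 'attribute: value' lines into {attribute: set(values)}.

    Multi-valued attributes (servicePrincipalName) repeat the attribute name,
    so values are collected into a set. Lines without ': ' are ignored.
    """
    attrs = defaultdict(set)
    for line in text.splitlines():
        if ": " not in line:
            continue
        name, value = line.split(": ", 1)
        attrs[name.strip()].add(value.strip())
    return dict(attrs)


def diff_watched(before, after, watched=WATCHED):
    """Return {attribute: (removed_values, added_values)} for every watched
    attribute whose value set differs between the two dumps."""
    changes = {}
    for name in watched:
        old = before.get(name, set())
        new = after.get(name, set())
        if old != new:
            changes[name] = (sorted(old - new), sorted(new - old))
    return changes


def kerberos_at_risk(attrs):
    """True when the account advertises no servicePrincipalName at all: a DC
    then cannot issue service tickets for it and clients fall back to NTLM."""
    return not attrs.get("servicePrincipalName")


if __name__ == "__main__":
    # In practice, replace the constants with the captured output of
    # `net ads status` from before and after the client connection.
    before = parse_status(AFTER_JOIN)
    after = parse_status(AFTER_CONN)
    for name, (removed, added) in diff_watched(before, after).items():
        print(f"{name}: removed={removed} added={added}")
    print("kerberos at risk:", kerberos_at_risk(after))
```

Run it against real dumps by piping net ads status to a file before and after the connection and reading those files in place of the two constants; an empty servicePrincipalName set in the second dump is the condition Antti describes, and is worth alerting on rather than discovering when Kerberos logins silently start using NTLM.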