Authentication through transitive trusts

Andrew Bartlett abartlet at
Fri Jul 18 23:23:10 GMT 2003

On Fri, Jul 18, 2003 at 10:04:36AM -0700, Marc Kaplan wrote:
> Ken,
> I looked at this again, and what I'm seeing is that Samba is successful
> enumerating all of the sequence numbers, users, and groups from the
> transitive trusts, but like you said -- client's cannot authenticate. I'm
> seeing the same thing as you, Win2k client is using NTLMSSP rather than
> Kerberos.  Though it is important to note that my Win2k clients from all
> domains (not just transitive trusts) are using NTLMSSP to authenticate. I
> need to go back an try this with the latest Samba, since I'm using a dated
> version, but since you're seeing the same thing, I would guess that nothing
> has changed.
> win2k->win2k uses Kerberos, and win2k->nt4 users NTLMSSP, so it seems like
> the win2k box thinks the Samba Server is a downlevel client (or at least
> only supports NTLM).

For NTLM we have to rely on the PDC for our domain to do the authentication 
unlike for user enumeration, we cannot contact the domain outselves.  This
is probably what is causing this problem.

Try doing NLTM authentication against a win2k domain member in this situation,
perhaps they do a slightly different login requires to the PDC (you might need
to disable 'sign or seal' on the win2k cleints to see the channel straffic.

Andrew Bartlett

More information about the samba-technical mailing list