Authentication through transitive trusts

Andrew Bartlett abartlet at samba.org
Fri Jul 18 23:23:10 GMT 2003


On Fri, Jul 18, 2003 at 10:04:36AM -0700, Marc Kaplan wrote:
> Ken,
> 
> I looked at this again, and what I'm seeing is that Samba is successful
> enumerating all of the sequence numbers, users, and groups from the
> transitive trusts, but like you said -- clients cannot authenticate. I'm
> seeing the same thing as you, Win2k client is using NTLMSSP rather than
> Kerberos.  Though it is important to note that my Win2k clients from all
> domains (not just transitive trusts) are using NTLMSSP to authenticate. I
> need to go back and try this with the latest Samba, since I'm using a dated
> version, but since you're seeing the same thing, I would guess that nothing
> has changed.
> 
> win2k->win2k uses Kerberos, and win2k->nt4 uses NTLMSSP, so it seems like
> the win2k box thinks the Samba Server is a downlevel client (or at least
> only supports NTLM).

For NTLM we have to rely on the PDC for our domain to do the authentication;
unlike for user enumeration, we cannot contact the domain ourselves.  This
is probably what is causing this problem.

Try doing NTLM authentication against a win2k domain member in this situation;
perhaps they do a slightly different login request to the PDC (you might need
to disable 'sign or seal' on the win2k clients to see the channel traffic).

Andrew Bartlett
