Authentication through transitive trusts
Marc Kaplan
MKaplan at snapappliance.com
Sat Jul 19 01:17:46 GMT 2003
On revision to:
> What I
> just found is that it doesn't matter if you connect with a
> downlevel client,
> the ldap record gets changed when ANY client tries to connect.
It's actually that when any client connects using NTLM. If a client tries a
kerberos connection, the machine account doesn't get destroyed. But even so
this is a very serious problem IMHO -- and it needs to be fixed.
-Marc
> -----Original Message-----
> From: Marc Kaplan
> Sent: Friday, July 18, 2003 3:29 PM
> To: 'Antti.Andreimann at mail.ee'; samba-technical at lists.samba.org
> Subject: RE: Authentication through transitive trusts
>
>
> I actually have noticed that the operatingSystem and the
> operatingSystemVersion change, but I never correlated it to
> anything. What I
> just found is that it doesn't matter if you connect with a
> downlevel client,
> the ldap record gets changed when ANY client tries to connect.
>
> Here are the steps I took:
> 1. Joined the ads domain
> 2. Ran a net ads status
> 3. Connect via smb (net use * \\sambaserver\share1) using the
> DC as a client
> i.e. DC--conn--->Samba Server
> 4. Ran a net ads status.
>
> I'm attaching the result of 2. 4. and a diff of the two.
>
>
>
> > -----Original Message-----
> > From: Antti Andreimann [mailto:Antti.Andreimann at mail.ee]
> > Sent: Friday, July 18, 2003 1:50 PM
> > To: samba-technical at lists.samba.org
> > Subject: RE: Authentication through transitive trusts
> >
> >
> > Marc Kaplan wrote:
> >
> > > win2k->win2k uses Kerberos, and win2k->nt4 uses NTLMSSP,
> > so it seems like
> > > the win2k box thinks the Samba Server is a downlevel client
> > (or at least
> > > only supports NTLM).
> >
> > I am sorry, I didn't catch the head of this thread, but have
> > You looked into
> > what AD thinks about the operating system of Your samba host.
> > I had a problem when AD automatically degraded samba to NT4.0
> > when it tried
> > to authenticate non-kerberos users against it with NTLM.
> > Naturally after
> > that none of the w2k hosts were able to use kerberos tickets
> > to connect to
> > samba any more.
> > You can check if this is the case when You look at the
> > machine LDAP entry by
> > executing net ads status (or was it net ads info, sorry I
> > seem to have an
> > Alzheimer's, and I don't have Samba3.0 box here at home to
> > look it up from).
> > If You do not see any attributes referring to kerberos principals
> > (HOST/hostname at REALM) then Your trust account has been
> > castrated by AD's
> > "convenience features".
> >
> > I have a patch for that, but unfortunately I have not had
> > enough time to
> > clean up all the other bits as well prior to submitting them
> > to Andrew (I
> > know, the release time is ticking).
> >
> > --
> > Antti Andreimann
> > Using Linux since 1993
> > Member of ELUG since 29.01.2000
> >
>
>
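The check Antti describes (look at the machine account's LDAP entry with `net ads status` and see whether the Kerberos principal attributes are still there) and the before/after comparison Marc did by hand can be scripted. The shell snippet below is an added example, not code from the thread or from Samba. It assumes the principals live in the `servicePrincipalName` attribute with a `HOST/` prefix (the usual AD layout), and the two snapshots are constructed samples written in plain `attribute: value` style, not verbatim `net ads status` output.

```sh
#!/bin/sh
# Added example (not from the thread): detect the machine-account "downgrade"
# described on the list by comparing two attribute dumps of the Samba host's
# AD computer object, e.g. taken with `net ads status` before and after a client
# connection.

# Constructed sample: the account as joined (step 2 in Marc's procedure).
BEFORE='sAMAccountName: SAMBASERVER$
dNSHostName: sambaserver.example.com
operatingSystem: Samba
operatingSystemVersion: 3.0.0
servicePrincipalName: HOST/sambaserver.example.com
servicePrincipalName: HOST/SAMBASERVER'

# Constructed sample: the same account after an NTLM connection, as the thread
# reports it (Kerberos principals gone, operating system rewritten as NT 4.0).
AFTER='sAMAccountName: SAMBASERVER$
dNSHostName: sambaserver.example.com
operatingSystem: Windows NT
operatingSystemVersion: 4.0'

# has_host_spn DUMP: succeeds if the dump lists at least one HOST/ principal.
has_host_spn() {
    printf '%s\n' "$1" | grep -qi '^servicePrincipalName: *HOST/'
}

# attr NAME DUMP: print the value(s) of one attribute (one per line).
attr() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p"
}

# check_downgrade BEFORE AFTER: print a verdict per finding; return 1 if the
# account lost its HOST/ principals or its operatingSystem value changed,
# 0 if neither happened.
check_downgrade() {
    before="$1"
    after="$2"
    rc=0
    if has_host_spn "$before" && ! has_host_spn "$after"; then
        echo "DOWNGRADE: HOST/ servicePrincipalName entries disappeared"
        rc=1
    fi
    if [ "$(attr operatingSystem "$before")" != "$(attr operatingSystem "$after")" ]; then
        echo "DOWNGRADE: operatingSystem changed from '$(attr operatingSystem "$before")' to '$(attr operatingSystem "$after")'"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: machine account unchanged"
    fi
    return "$rc"
}

# Stand-alone run: compare the two constructed snapshots (reports two findings),
# then a snapshot against itself (reports OK).
check_downgrade "$BEFORE" "$AFTER" || true
check_downgrade "$BEFORE" "$BEFORE"
```

Against a live domain the two dumps would come from `net ads status > before.txt` right after the join and `net ads status > after.txt` after the client connection, then `check_downgrade "$(cat before.txt)" "$(cat after.txt)"`; a non-zero exit is the signal that the trust account has been rewritten and Kerberos clients will start falling back to NTLM.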