Authentication through transitive trusts

Antti Andreimann Antti.Andreimann at
Sat Jul 19 12:30:18 GMT 2003

Marc Kaplan wrote:

> Here are the steps I took:
> 1. Joined the ads domain
> 2. Ran a net ads status
> 3. Connect via smb (net use * \\sambaserver\share1) using the DC as a
> client i.e DC--conn--->Samba Server
> 4. Ran a net ads status.
> I'm attaching the result of 2. 4. and a diff of the two.

I looked at those entries and you seem to have exactly the problem I was
describing. If you could hold your horses for a few hours I might be able
to step through by my office later this evening and post a patch for you to
The reason you get demoted even for normal login from AD might be that you
are NOT using HMAC encryption (MIT Kerberos 1.3 or later :).
Windows has a nasty bug in its Kerberos authentication system: it is unable
to use Kerberos tickets of arbitrary encryption from the command line (net
command). However, it works well from the GUI (Start->Run->\\server\share).

Therefore it is likely that you have the following situation:
1. Samba refuses the ticket, because it is invalid (buggy).
2. AD tries to re-connect with NTLM.
3. Samba tries to authenticate the request against AD with NTLM.
4. AD thinks Samba must be an NT 4.0 server and demotes it.

Also it is a good idea to get KLIST.EXE and purge the tickets from the Windows
client when doing another net ads join. Otherwise Windows will have invalid
tickets in its cache.

          Antti Andreimann
      Using Linux since 1993
  Member of ELUG since 29.01.2000
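
The failure chain above starts with a ticket whose encryption type the other side cannot handle, so the first thing to check on the Samba host is which etype its tickets actually carry. The script below is an added example, not code from the original post or from Samba: it reads MIT Kerberos `klist -e` output and reports, per ticket, whether the ticket etype is RC4-HMAC (named "ArcFour with HMAC/md5" in 1.3-era MIT releases, "arcfour-hmac" later). It assumes the two-column `Etype (skey, tkt): <skey>, <tkt>` line that `klist -e` prints under each ticket; the sample output it runs on is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Samba.
# Reads MIT Kerberos "klist -e" output on stdin and prints one line per
# ticket: "OK <principal> <etype>" if the ticket etype is RC4-HMAC,
# "BAD <principal> <etype>" otherwise. Exit status is 1 if any ticket is
# not RC4-HMAC, which is the condition the post describes (Samba rejects
# the ticket, the client falls back to NTLM, the account gets demoted).
# Assumption: the "Etype (skey, tkt): <skey>, <tkt>" line under each ticket.

check_etypes() {
    awk '
        BEGIN { bad = 0 }
        # A ticket line starts with the "Valid starting" date; its last
        # field is the service principal the ticket was issued for.
        /^[0-9]/ { svc = $NF; next }
        /Etype/ {
            sub(/.*: */, "")             # drop the "Etype (skey, tkt): " label
            n = split($0, e, ", *")      # e[1] = session key etype, e[2] = ticket etype
            tkt = (n >= 2) ? e[2] : e[1]
            lc = tolower(tkt)
            if (lc ~ /arcfour|rc4/ && lc ~ /hmac/)
                print "OK", svc, tkt
            else {
                print "BAD", svc, tkt
                bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed klist -e output for a Samba host joined to EXAMPLE.COM (a
# made-up realm): the TGT is RC4-HMAC, the cifs ticket is single DES.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: SAMBASERVER$@EXAMPLE.COM

Valid starting     Expires            Service principal
07/19/03 12:30:18  07/19/03 22:30:18  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
07/19/03 12:31:02  07/19/03 22:30:18  cifs/dc.example.com@EXAMPLE.COM
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32'

# Demo run on the constructed sample; on a real host use:  klist -e | check_etypes
printf '%s\n' "$SAMPLE_KLIST" | check_etypes \
    || echo "at least one ticket is not RC4-HMAC: expect the NTLM fallback and demotion"
```

Run it after `kinit` with the machine principal (or whatever principal `net ads join` used) and before retrying the join or the `net use` from the DC. On the Windows side, the purge the post recommends is `klist purge` with the Resource Kit KLIST.EXE, followed by a fresh `net use`; a stale ticket left in the cache reproduces the same fallback even after the Samba side is fixed.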

More information about the samba-technical mailing list