Authentication through transitive trusts

Antti Andreimann Antti.Andreimann at mail.ee
Sat Jul 19 12:30:18 GMT 2003


Marc Kaplan wrote:

> Here are the steps I took:
> 1. Joined the ads domain
> 2. Ran a net ads status
> 3. Connect via smb (net use * \\sambaserver\share1) using the DC as a
> client i.e DC--conn--->Samba Server
> 4. Ran a net ads status.
>
> I'm attaching the result of 2. 4. and a diff of the two.

I looked at those entries and You seem to have exactly the problem I was
describing. If You could hold Your horses for a few hours I might be able
to step by my office later this evening and post a patch for You to
try.
The reason You get demoted even for normal login from AD might be that You
are NOT using HMAC encryption (MIT kerberos 1.3 or later :).
Windows has a nasty bug in its kerberos authentication system: it is unable
to use kerberos tickets of arbitrary encryption from the command line (net
command). However, it works well from the GUI (Start->Run->\\server\share).

Therefore it is likely that You have the following situation:
1. Samba refuses the ticket, because it is invalid (buggy).
2. AD tries to re-connect with NTLM
3. Samba tries to authenticate the request against AD with NTLM
4. AD thinks Samba must be a NT4.0 server and demotes it.

Also, it is a good idea to get KLIST.EXE and purge the tickets from the windows
client when doing another net ads join. Otherwise windows will have invalid
tickets in its cache.

-- 
          Antti Andreimann
      Using Linux since 1993
  Member of ELUG since 29.01.2000




More information about the samba-technical mailing list