Authentication through transitive trusts

Antti Andreimann Antti.Andreimann at
Sat Jul 19 12:30:40 GMT 2003

Richard Sharpe wrote:

> On Fri, 18 Jul 2003, Ken Cross wrote:
>> Andrew et al:
>> Keep in mind that the origin of this issue was the fact that transitive
>> trusts weren't being followed.
>> I speculated that it was because Kerberos authentication wasn't being
>> performed.  I don't know that for a fact, but it seams reasonable.
> You are absolutely correct here. Samba responds in a way that forces the
> client to go straight to NTLMSSP rather than using the offered KRB5.
>> If that is the cause, then wouldn't "fixing up the kerberos case" be the
>> only solution?
> Correct. However, we have to figure out what we are doing wrong in the
> NegProt response that causes the client to ignore the offered KRB5.

I am not sure if the problem is in NegProt response at all.
It seems to me that w2k completely ignores the principial offered there and
uses the information it gets from AD instead.
There could be two reasons for that:
1. W2K does not understand the NegProt response it gets.
2. W2K is designed to ignore what server tells when AD is available.

Based on my previous experiences with microsoft stuff I'm assuming that case
two is more likley to be the correct one.

          Antti Andreimann
      Using Linux since 1993
  Member of ELUG since 29.01.2000

More information about the samba-technical mailing list