Authentication through transitive trusts

Richard Sharpe rsharpe at
Sat Jul 19 15:27:33 GMT 2003

On Sat, 19 Jul 2003, Antti Andreimann wrote:

> >> I speculated that it was because Kerberos authentication wasn't being
> >> performed.  I don't know that for a fact, but it seems reasonable.
> > 
> > You are absolutely correct here. Samba responds in a way that forces the
> > client to go straight to NTLMSSP rather than using the offered KRB5.
> >  
> >> If that is the cause, then wouldn't "fixing up the kerberos case" be the
> >> only solution?
> > 
> > Correct. However, we have to figure out what we are doing wrong in the
> > NegProt response that causes the client to ignore the offered KRB5.
> I am not sure if the problem is in NegProt response at all.
> It seems to me that w2k completely ignores the principal offered there and
> uses the information it gets from AD instead.
> There could be two reasons for that:
> 1. W2K does not understand the NegProt response it gets.
> 2. W2K is designed to ignore what the server tells it when AD is available.
> Based on my previous experiences with Microsoft stuff I'm assuming that case
> two is more likely to be the correct one.

OK, I had not considered that. Samba sent back a reasonable-looking
principal in the trace I have access to. hostname$@WIN1DOM.LOCAL

Richard Sharpe, rsharpe[at], rsharpe[at], 

