Authentication through transitive trusts
rsharpe at richardsharpe.com
Sat Jul 19 15:27:33 GMT 2003
On Sat, 19 Jul 2003, Antti Andreimann wrote:
> >> I speculated that it was because Kerberos authentication wasn't being
> >> performed. I don't know that for a fact, but it seems reasonable.
> > You are absolutely correct here. Samba responds in a way that forces the
> > client to go straight to NTLMSSP rather than using the offered KRB5.
> >> If that is the cause, then wouldn't "fixing up the kerberos case" be the
> >> only solution?
> > Correct. However, we have to figure out what we are doing wrong in the
> > NegProt response that causes the client to ignore the offered KRB5.
> I am not sure if the problem is in NegProt response at all.
> It seems to me that w2k completely ignores the principal offered there and
> uses the information it gets from AD instead.
> There could be two reasons for that:
> 1. W2K does not understand the NegProt response it gets.
> 2. W2K is designed to ignore what the server tells it when AD is available.
> Based on my previous experiences with Microsoft stuff I'm assuming that case
> two is more likely to be the correct one.
OK, I had not considered that. Samba sent back a reasonable-looking
principal in the trace I have access to: hostname$@WIN1DOM.LOCAL
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,