[PATCH] ADS "demote" fix

Andrew Bartlett abartlet at samba.org
Sun Jul 20 06:28:19 GMT 2003


On Sun, 2003-07-20 at 11:55, Antti Andreimann wrote:
> Hi!
> 
> Problem description:
> When a non-Kerberos client connects to Samba, the trust account in AD gets
> demoted to NT4.0 and Kerberos tickets cease to work.
> 
> Proposed solution:
> Disable winbind:domain authentication and use smbserver authentication
> instead in source/auth/auth.c

This is *completely* the wrong solution.  It will only cause problems -
the smbserver authentication is not suitable for use in this situation. 
See the documentation on 'security=server'.

We need to look into how we interact with AD, to find the correct
schannel/netlogon sequence.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net