Patch for Samba 3.0 to allow machine logins on NTLMSSP and PEAP

Andrew Bartlett abartlet at samba.org
Sat Oct 29 08:40:22 GMT 2005


On Fri, 2005-10-28 at 22:06 -0700, Jeremy Allison wrote:
> On Sat, Oct 29, 2005 at 01:21:17PM +1000, Andrew Bartlett wrote:
> > This patch allows Samba3 to process machine account logins via
> > ntlm_auth, as required for PEAP (and 802.11x) as well as for the new
> > Samba3 client behaviour (where we try an NTLMSSP sealed pipe).
> > 
> > Only pre-NTLMSSP CIFS logins are denied this behaviour, due to early NT
> > clients.  The idea is to match current Win2k3 behaviour in the client
> > and server.
> > 
> > I've tested this with winbindd to a Win2k3 domain, but not the
> > Samba-server side of things yet, but I wanted to get the patch 'out
> > there' for review.  It does change the winbindd protocol again
> > (sorry...)
> > 
> > (I already have the server-side of this in Samba4, and tested).
> 
> Thanks for this Andrew - much appreciated! What did you use to test
> the Samba4 server side code and can I use it to test the Samba3 version
> you've added here?

I used RPC-SAMLOGON.  This should work, but you might want to remove the
user@ and realm based logon forms from the test list, because Samba3
can't support them.

For the NTLMSSP layer, you can just grab a machine account from
secrets.ldb/tdb and use smbclient.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net