Delegated credentials with netbios aliases
Andrew Bartlett
abartlet at samba.org
Tue Jan 8 21:52:40 GMT 2008
On Tue, 2008-01-08 at 15:19 +0000, Amin Azez wrote:
> To answer my own question (for the archives); having spent two days
> tracing and debugging samba I find that the netbios name is not
> presented until after credentials and identities have been negotiated
> and in fact the problem of delegating credentials to netbios aliases
> cannot be solved by Samba.
Correct. A client might see netbios aliases we answer for, or there may
be DNS entries that point to us, but windows clients will not do
anything to figure out what the 'true' DNS name is (MIT Kerberos clients
however will...).
The KDC is expected to know all names that a server may go by, and
return an appropriate ticket. When it doesn't know the server by that
name, you get the NTLMSSP fallback you noticed.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20080109/c2c7cd19/attachment.bin
More information about the samba-technical
mailing list