Samba4 - NO delegated credentials error seen intermittently

Andrew Bartlett abartlet at samba.org
Thu Nov 6 05:34:10 GMT 2008


On Thu, 2008-11-06 at 03:04 +0530, priya sehgal wrote:
> Hello,
> I have configured my samba server (samba) to work as CIFS Proxy Server,
> in a Windows 2k3 domain. CIFS Proxy server is also "Trusted for Delegation"
> on the Windows 2K3. I was able to access the backend CIFS Servers,
> through my proxy w/o any problem sometimes.
> 
> But, I am seeing the following error intermittently
> 
> "CIFS backend: NO delegated credentials found: You must supply server, user and password or the client must supply delegated credentials
> make_connection: NTVFS make connection failed!"
> 
> The smbd logs are as follows. Please let me know what extra care needs to
> be taken and how can it be fixed?
> 

> ENTER cvfs_disconnect
> Got NTLMSSP neg_flags=0xe2088297
> Got user=[Administrator] domain=[PRIYADOMAIN] workstation=[PRIYA] len1=24 len2=24
> auth_check_password_send:  Checking password for unmapped user [PRIYADOMAIN]\[Administrator]@[PRIYA]
> auth_check_password_send:  mapped user is: [PRIYADOMAIN]\[Administrator]@[PRIYA]
> ENTER cvfs_connect
> CIFS backend: NO delegated credentials found: You must supply server, user and password or the client must supply delegated credentials
> make_connection: NTVFS make connection failed!

It seems to me that the client in this case has, for some reason, chosen
to authenticate to the server with NTLMSSP.  This is not compatible with
the forwarding proxy (at the moment - there are hackish options possibly
available, but they would be hacks at best).

Reasons for ntlmssp fallback include:
 - access to the server by IP address
 - access to the server by a workstation local (not domain) user
 - clock skew between the client and KDC

Look into those reasons, and perhaps a network trace if things are still
unclear. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
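
Added example (not part of the original message, and not Samba code): a small log triage that pairs each "NO delegated credentials" failure with the NTLMSSP authentication logged just before it, and flags a possible workstation-local account. It assumes the log lines of one connection appear in order without interleaving; the second session in the sample is constructed.

```python
import re

# Excerpt of the smbd log quoted in the post, followed by one constructed
# session (user "bob" on host "LAB7") added here for illustration.
SAMPLE_LOG = """
Got NTLMSSP neg_flags=0xe2088297
Got user=[Administrator] domain=[PRIYADOMAIN] workstation=[PRIYA] len1=24 len2=24
ENTER cvfs_connect
CIFS backend: NO delegated credentials found: You must supply server, user and password or the client must supply delegated credentials
make_connection: NTVFS make connection failed!
Got NTLMSSP neg_flags=0xe2088297
Got user=[bob] domain=[LAB7] workstation=[LAB7] len1=24 len2=24
ENTER cvfs_connect
CIFS backend: NO delegated credentials found: You must supply server, user and password or the client must supply delegated credentials
"""

NEG_RE = re.compile(r"Got NTLMSSP neg_flags=(0x[0-9a-fA-F]+)")
USER_RE = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")
FAILURE = "NO delegated credentials found"


def triage(log_text):
    """Pair each proxy failure with the NTLMSSP authentication logged before it."""
    findings, flags, ident = [], None, None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail-quoted log lines
        if m := NEG_RE.search(line):
            flags, ident = m.group(1), None
        elif (m := USER_RE.search(line)) and flags:
            ident = m.groups()
        elif FAILURE in line:
            user, domain, wks = ident or (None, None, None)
            findings.append({
                "ntlmssp": flags is not None,
                "neg_flags": flags,
                "user": user, "domain": domain, "workstation": wks,
                # Heuristic: a workstation-local account is sent with the
                # machine name in the NTLMSSP domain field.
                "local_account_hint": bool(ident) and domain.upper() == wks.upper(),
            })
            flags, ident = None, None
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

Access by IP address and clock skew do not show up in these log lines; those two causes still need the client-side check or network trace mentioned above.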



More information about the samba-technical mailing list