Samba4 - NO delegated credentials error seen intermittently

priya sehgal priyagps at yahoo.co.in
Thu Nov 6 17:16:14 GMT 2008


Hello Andrew,
Thanks. I was trying to access my Samba CIFS proxy through its IP address, hence the NTLMSSP problem.
But in my scenario, a few of the Windows clients in the Win2k3 domain wish to access the proxy using the IP address, and therefore NTLM SSP authentication will come into play.

Can you suggest the hack you mentioned in your reply?
Maybe I can try and get it working for this scenario.

Thanks and Regards,
Priya 

--- On Thu, 11/6/08, Andrew Bartlett <abartlet at samba.org> wrote:

> From: Andrew Bartlett <abartlet at samba.org>
> Subject: Re: Samba4 - NO delegated credentials error seen intermittently
> To: priyagps at yahoo.co.in
> Cc: samba-technical at lists.samba.org
> Date: Thursday, November 6, 2008, 11:04 AM
> On Thu, 2008-11-06 at 03:04 +0530, priya sehgal wrote:
> > Hello,
> > I have configured my samba server (samba) to work as CIFS Proxy Server,
> > in a Windows 2k3 domain. CIFS Proxy server is also "Trusted for Delegation"
> > on the Windows 2K3. I was able to access the backend CIFS Servers,
> > through my proxy w/o any problem sometimes.
> > 
> > But, I am seeing the following error intermittently
> > 
> > "CIFS backend: NO delegated credentials found: You must supply server, user and password or the client must supply delegated credentials
> > make_connection: NTVFS make connection failed!"
> > 
> > The smbd logs are as follows. Please let me know what extra care needs to
> > be taken and how can it be fixed?
> > 
> 
> > ENTER cvfs_disconnect
> > Got NTLMSSP neg_flags=0xe2088297
> > Got user=[Administrator] domain=[PRIYADOMAIN] workstation=[PRIYA] len1=24 len2=24
> > auth_check_password_send:  Checking password for unmapped user [PRIYADOMAIN]\[Administrator]@[PRIYA]
> > auth_check_password_send:  mapped user is: [PRIYADOMAIN]\[Administrator]@[PRIYA]
> > ENTER cvfs_connect
> > CIFS backend: NO delegated credentials found: You must supply server, user and password or the client must supply delegated credentials
> > make_connection: NTVFS make connection failed!
> 
> It seems to me that the client in this case has, for some reason, chosen
> to authenticate to the server with NTLMSSP.  This is not compatible with
> the forwarding proxy (at the moment - there are hackish options possibly
> available, but they would be hacks at best).
> 
> Reasons for ntlmssp fallback include:
>  - access to the server by IP address
>  - access to the server by a workstation local (not domain) user
>  - clock skew between the client and KDC
> 
> Look into those reasons, and perhaps a network trace if things are still
> unclear.
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team          http://samba.org
> Samba Developer, Red Hat Inc.                 http://redhat.com
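
A log check along the lines of the diagnosis quoted above, as an added example that is not part of the original thread or of Samba: it pairs each `NO delegated credentials found` error with the NTLMSSP session setup logged before its `cvfs_connect` and decodes the negotiated flags. The function names and the flag subset are choices made here; the sample reuses the log lines quoted in the thread plus one constructed connect.

```python
import re

# Subset of NTLMSSP negotiate flag bits (names follow MS-NLMP).
NTLMSSP_FLAGS = {
    0x00000010: "SIGN", 0x00000020: "SEAL", 0x00000080: "LM_KEY",
    0x00000200: "NTLM", 0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY", 0x20000000: "128",
    0x40000000: "KEY_EXCH", 0x80000000: "56",
}
FLAGS_RE = re.compile(r"Got NTLMSSP neg_flags=(0x[0-9a-fA-F]+)")
USER_RE = re.compile(r"Got user=\[(.*?)\] domain=\[(.*?)\] workstation=\[(.*?)\]")

# Constructed sample: the log lines quoted in the thread (wrapped lines rejoined),
# followed by a constructed second connect with no NTLMSSP setup and no error.
SAMPLE_LOG = r"""ENTER cvfs_disconnect
Got NTLMSSP neg_flags=0xe2088297
Got user=[Administrator] domain=[PRIYADOMAIN] workstation=[PRIYA] len1=24 len2=24
auth_check_password_send:  Checking password for unmapped user [PRIYADOMAIN]\[Administrator]@[PRIYA]
auth_check_password_send:  mapped user is: [PRIYADOMAIN]\[Administrator]@[PRIYA]
ENTER cvfs_connect
CIFS backend: NO delegated credentials found: You must supply server, user and password or the client must supply delegated credentials
make_connection: NTVFS make connection failed!
ENTER cvfs_connect
"""

def decode_flags(value):
    """Names of the known flag bits set in an NTLMSSP neg_flags value."""
    return [name for bit, name in sorted(NTLMSSP_FLAGS.items()) if value & bit]

def find_delegation_failures(log_text):
    """One dict per 'NO delegated credentials' error, carrying the NTLMSSP
    session setup (if any) that was logged before its cvfs_connect."""
    findings, pending, attempt = [], None, None
    for line in log_text.splitlines():
        if m := FLAGS_RE.search(line):
            pending = {"flags": decode_flags(int(m.group(1), 16))}
        elif (m := USER_RE.search(line)) and pending is not None:
            pending.update(user=m.group(1), domain=m.group(2), workstation=m.group(3))
        elif "ENTER cvfs_connect" in line:
            attempt, pending = pending or {}, None  # bind the setup to this connect
        elif "NO delegated credentials found" in line and attempt is not None:
            findings.append({"ntlmssp": bool(attempt), **attempt})
            attempt = None
    return findings

if __name__ == "__main__":
    for finding in find_delegation_failures(SAMPLE_LOG):
        print(finding)
```

A finding with `ntlmssp` set to `False` means the error was not preceded by an NTLMSSP session setup in the log, so the fallback reasons listed in the reply are not the explanation for that connect.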


      

