SAMBA3.5pre2-Does map untrusted to domain work?

Heinrich Mislik Heinrich.Mislik at univie.ac.at
Tue Mar 30 06:07:40 MDT 2010


On 07 Jan 2010 at 13:45, "MICHAEL BROWN" <mbrown at mesainc.com> wrote:

> > What you described in your email is the new intended behavior. If your
> > client is not joined to the domain, and you want to authenticate to a
> > member Samba server with a domain user, you must explicitly specify the
> > domain of that user on the client machine.  This is the
> > new-matches-Windows behavior.

> I have a question on this, if you don't mind.  If this matches
> the Windows behavior, how is it that an XP machine that is not
> joined to AD can map a network share, browse that AD server machine,
> etc., without having to also specify the domain with the user.
> Meaning, the Windows 2008 R2 AD machine will recognize me (being in AD)
> when I do a "search", or "net use", etc., to a share on the 2008 
> machine.  Again, that XP machine is not joined to the 2008 AD
> environment but will authenticate without the domain name.   

I have seen the same behaviour and found that "map untrusted to 
domain" is not compatible with NTLMv2. Try to disable NTLMv2 on your 
client (see http://support.microsoft.com/kb/147706/en-us) and it 
should work. Older versions of XP by default do not use NTLMv2. 
That's why XP often works.

The reason is that with NTLMv2 the full domain\username is used for 
the response hashes.

The really strange thing is that Windows behaves in different ways, as 
follows:

net use \\host\domain /u:user password 

This sends an empty domain and works.

net use \\host\domain /u:user

Sends the name of the member server and fails, because the user is not 
in the local SAM.

Using the GUI sends the name of the client and fails.

Cheers

Heinrich
-- 
Heinrich Mislik
Zentraler Informatikdienst der Universitaet Wien
A-1010 Wien, Universitaetsstrasse 7
Tel.: (+43 1) 4277-14056, Fax: (+43 1) 4277-9140
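The point Heinrich makes above (the NTLMv2 response is keyed on the domain string as well as the user name, so a server that rewrites the domain before the check can no longer match the client's proof) can be shown with the NTLMv2 key derivation from MS-NLMP 3.3.2: NTOWFv2 = HMAC-MD5(NT-hash, UNICODE(uppercase(user) + domain)), and the proof is HMAC-MD5(NTOWFv2, server challenge + blob). The block below is an added example, not Samba's or Microsoft's code. It ships its own MD4 because OpenSSL 3 builds of Python's hashlib often refuse md4, uses a simplified "temp" blob (the real one carries version bytes, a timestamp and AV pairs, which do not matter here), and models "map untrusted to domain" with a toy function whose pass-through of an empty domain is an assumption taken from the post's observation that `net use ... /u:user password` works. The password, user and challenge bytes are constructed sample values. The contrast with NTLMv1, where the response is DES over the NT hash and the server challenge only and so survives a renamed domain, is why disabling NTLMv2 on the client makes the problem go away.

```python
"""Added example: why NTLMv2 breaks when a server rewrites the client's domain."""
import hmac
import struct

MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on OpenSSL 3."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                # Each step updates one register; rotating the tuple walks a->d->c->b.
                a = _lrot((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(p + q) & MASK for p, q in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 over the UTF-16LE password. No user or domain involved."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP 3.3.2: the NTLMv2 key binds the upper-cased user AND the domain string."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()


def ntlmv2_response(nt, user, domain, server_challenge, client_challenge):
    # Simplified blob: the real one carries a timestamp and AV pairs; all that
    # matters here is that it is covered by the HMAC and sent in the clear.
    blob = b"\x01\x01" + b"\x00" * 14 + client_challenge + b"\x00" * 4
    key = ntowf_v2(nt, user, domain)
    nt_proof = hmac.new(key, server_challenge + blob, "md5").digest()
    return nt_proof + blob


def verify_ntlmv2(nt, user, domain, server_challenge, response):
    """What the DC does with the (user, domain, challenge, response) it is handed."""
    nt_proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, "md5").digest()
    return hmac.compare_digest(nt_proof, expected)


def map_untrusted_to_domain(client_domain, trusted, own_domain):
    """Toy model of the Samba option (not Samba's code): an unknown domain name is
    replaced by the member server's own domain. Passing an empty domain through
    is an assumption drawn from the post's 'net use ... /u:user password' case."""
    if client_domain == "" or client_domain.upper() in trusted:
        return client_domain
    return own_domain


def scenario(client_domain, own_domain="UNIVIE", trusted=("UNIVIE",)):
    """Client proves under client_domain; the DC checks under whatever the
    member server forwards. Returns True if the logon would succeed."""
    nt = nt_hash("Passw0rd!")                      # constructed sample credential
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed
    client_challenge = bytes.fromhex("fedcba9876543210")   # constructed
    resp = ntlmv2_response(nt, "user", client_domain, server_challenge, client_challenge)
    forwarded = map_untrusted_to_domain(client_domain, trusted, own_domain)
    return verify_ntlmv2(nt, "user", forwarded, server_challenge, resp)


if __name__ == "__main__":
    for sent in ("", "UNIVIE", "MEMBERSRV", "CLIENTPC"):
        print(f"client sent domain {sent!r:12} -> logon ok: {scenario(sent)}")
```

The three `net use` cases from the post map onto the last loop: an empty domain or the real domain is forwarded unchanged and verifies; the member server's name or the client's own name gets mapped to the domain, the DC derives NTOWFv2 with a different string than the client used, and the proof never matches. Note that `verify_ntlmv2` is also where a defender would look for the lockout side effect: each mapped attempt counts as a bad password against the real domain account.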



More information about the samba-technical mailing list