RFC/WIP: NTLMSSP passthrough + user@realm credentials

Uri Simchoni uri at samba.org
Thu Oct 20 17:20:25 UTC 2016

Hi Louis,

On 10/20/2016 05:09 PM, L.P.H. van Belle wrote:
> Hai uri,
> Sorry to intrude your mail. I had a peek into your patch and bug report.
> Can you test again with:
> net use \\FQDN\share /USER:user@realm
> Because these days everything must be in FQDN.

I will try that and add to the bug description for completeness.

> Yes it can work but then you must open some policies in the windows client.
> Which you, I think, don't want.

With a trio of Windows machines (client, file server, AD server), it
worked without any special policies (the client is not even joined).
Replacing the file server with a Samba ad-member server failed.

> And the format \user@REALM is unknown for me, is that really possible?
> The format user/host.fqdn@REALM should work, but DOMAIN\user@REALM ?

That's the on-the-wire format. The NTLM protocol has a domain name field
and a user name field. The \user@REALM notation means that the domain is
empty and the user is "user@REALM". How to get a device to send such
packets is device-specific.

As noted in the bug report, you can get packets looking like that from a
Windows client by using /USER:user@REALM in the "net use".

If the problem was limited to Windows clients I'd just say "well don't do
it, use DOMAIN\user". However, as noted in the bug report, some devices
are incapable of populating both the domain and user fields during their
NTLMSSP handshake. In order to use domain credentials, the workaround is
to use user@REALM as user. The /USER:user@REALM is just a way to
conveniently reproduce this.

> The windows test server didn't have NPS running with a radius proxy?
> If it did, then that can explain the allowed \user@REALM
> https://technet.microsoft.com/en-us/library/cc755272(v=ws.10).aspx

Default install on Windows AD server, file server, and client.

> Best regards, 
> Louis
>> -----Original message-----
>> From: samba-technical [mailto:samba-technical-bounces at lists.samba.org]
>> On behalf of Uri Simchoni
>> Sent: Thursday, 20 October 2016 14:07
>> To: samba-technical
>> Subject: RFC/WIP: NTLMSSP passthrough + user@realm credentials
>> Hi,
>> The attached patch seems to fix
>> https://bugzilla.samba.org/show_bug.cgi?id=12375 - authenticating
>> clients by a member server using user@realm credentials.
>> In essence, the client passes an empty domain and upn@realm as user, and
>> those need to be passed untouched to the netlogon server.
>> The patch seems to make it work, but I feel I don't have the big
>> picture, and would like to receive comments on:
>> - Whether there are any flags to be looked at instead of the heuristic
>> that the domain is empty and user contains '@'
>> - If heuristic - do we already have functions to parse and classify a
>> user name
>> - Interaction with user mapping
>> - ... anything else.
>> I'll also do some more digging into the relevant [MS-xxx] docs.
>> Thanks,
>> Uri.
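
The on-the-wire distinction described above (domain field vs. user field) and the "empty domain and user contains '@'" heuristic from the RFC, as an added C example that is neither Samba code nor the patch attached to the bug report; the enum, struct and function names are assumed.

```c
#include <stdio.h>
#include <string.h>

/* Classification of the domain and user name fields of an NTLMSSP
 * AUTHENTICATE message. An empty domain plus a '@' in the user field is
 * treated as user@REALM credentials that the member server must forward
 * to the netlogon server untouched; a populated domain is DOMAIN\user. */
enum ntlm_name_form {
    NTLM_NAME_DOMAIN_USER,  /* DOMAIN\user: both fields populated */
    NTLM_NAME_UPN,          /* \user@REALM: empty domain, '@' in user */
    NTLM_NAME_BARE_USER,    /* \user: empty domain, no '@' */
    NTLM_NAME_INVALID       /* empty user name, or malformed UPN */
};

struct ntlm_name {
    enum ntlm_name_form form;
    char user[256];   /* for a UPN this stays the whole "user@REALM" */
    char realm[256];  /* realm part of a UPN, empty otherwise */
};

/* Assumed helper (not a Samba API): fills *out and returns the form. */
enum ntlm_name_form classify_ntlm_name(const char *domain, const char *user,
                                       struct ntlm_name *out)
{
    const char *at;

    memset(out, 0, sizeof(*out));
    out->form = NTLM_NAME_INVALID;
    if (user == NULL || user[0] == '\0')
        return out->form;
    snprintf(out->user, sizeof(out->user), "%s", user);

    if (domain != NULL && domain[0] != '\0') {
        /* The heuristic applies only to an empty domain field. */
        return out->form = NTLM_NAME_DOMAIN_USER;
    }
    at = strchr(user, '@');
    if (at == NULL)
        return out->form = NTLM_NAME_BARE_USER;
    /* Reject "@REALM", "user@" and a second '@' inside the realm. */
    if (at == user || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return out->form;
    snprintf(out->realm, sizeof(out->realm), "%s", at + 1);
    return out->form = NTLM_NAME_UPN;
}
```

Only the UPN case carries the realm on to the caller; a populated domain field is left to the existing DOMAIN\user path regardless of whether the user part contains '@'.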
