[PATCHES] smbd: support NTLM pass-through with \user at realm credentials

Andrew Bartlett abartlet at samba.org
Mon Oct 24 21:49:42 UTC 2016

On Sun, 2016-10-23 at 10:10 +0300, Uri Simchoni wrote:
> Hi,
> Following previous comments, attached pls find a proposed patch set.
> - user mapping indeed should not be affected
> - the winbindd fix covers a wider set of cases, hopefully it doesn't
> break anything (passes make test)
> - although similar fixes to client side are underway, smbtorture (s4
> client lib) already supports generating such credentials, so the test
> is
> simple. The bug lists an existing smbtorture command that passes
> against
> Windows with user at realm credentials.

This looks correct, pushing this out to our primary DC is the right
answer.  For extra bonus points, it would be great to see a test for
NTLM login against some of the accounts we test in the krb5.kdc test
with.  These have a UPN that is not related to the actual realm.  See
the testallowed and testdenied user in particular. 

This will be nice and tricky to sort out when we get proper trusted
domain support, we will need routing logic like we have in the KDC

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   

More information about the samba-technical mailing list