[PATCHES] smbd: support NTLM pass-through with \user at realm credentials

Uri Simchoni uri at samba.org
Tue Oct 25 05:51:13 UTC 2016

On 10/25/2016 12:49 AM, Andrew Bartlett wrote:
> On Sun, 2016-10-23 at 10:10 +0300, Uri Simchoni wrote:
>> Hi,
>> Following previous comments, attached pls find a proposed patch set.
>> - user mapping indeed should not be affected
>> - the winbindd fix covers a wider set of cases, hopefully it doesn't
>> break anything (passes make test)
>> - although similar fixes to client side are underway, smbtorture (s4
>> client lib) already supports generating such credentials, so the test
>> is
>> simple. The bug lists an existing smbtorture command that passes
>> against
>> Windows with user at realm credentials.
> This looks correct, pushing this out to our primary DC is the right
> answer.  For extra bonus points, it would be great to see a test for
> NTLM login against some of the accounts we test in the krb5.kdc test
> with.  These have a UPN that is not related to the actual realm.  See
> the testallowed and testdenied user in particular. 
Hopefully I'll get around to it soon. It's also interesting to verify
that after successful auth, smbd treats the user as
DOMAIN\samaccountname, irrespective of the original credentials (I
verified this to be true manually)

> This will be nice and tricky to sort out when we get proper trusted
> domain support, we will need routing logic like we have in the KDC
> code. 
Do you mean that the member server needs to sort this out? In Kerberos
at least, the DC does this by returning a TGT to the "next" KDC.


More information about the samba-technical mailing list