Fallback to NTLMSSP allowed if KDC is not reachable?

Shilpa K shilpa.krishnareddy at gmail.com
Fri Apr 30 01:38:44 UTC 2021


Hello,

In one instance, port 88 was blocked while port 445 and port 139 were
allowed on the DC. In this scenario, when we tried to execute 'net ads join
-k', it was not working. But, with the below code modification, it will
fall back to NTLMSSP and works. Is it expected to fall back to NTLMSSP in net
ads commands if krb does not work?

Thanks,
Shilpa

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 23ab0f9133..0d94ce692e 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -297,6 +297,8 @@ retry:
                }
        }

+       ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
        status = ads_connect(ads);

        if (!ADS_ERR_OK(status)) {
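
Review bot: The added `ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;` is unconditional and sits after the `retry:` label, so every pass through this path permits NTLMSSP before `ads_connect(ads)`, including runs where the user asked for Kerberos with `-k`. In the scenario described in the mail, blocking port 88 is then enough to move authentication from Kerberos to NTLMSSP without the operator being told, which is a silent downgrade. Set the flag only when Kerberos was not explicitly requested, or gate it on an explicit option or configuration setting, and log when the fallback is actually taken.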

diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 103120d8ec..53875fb946 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -152,6 +152,8 @@ static ADS_STATUS libnet_connect_ads(const char
*ad_domain_name,
                my_ads->auth.password = SMB_STRDUP(password);
        }

+       my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
+
        status = ads_connect_user_creds(my_ads);
        if (!ADS_ERR_OK(status)) {
                ads_destroy(&my_ads);
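
Review bot: Setting `my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;` inside `libnet_connect_ads()` changes the behaviour for every caller of this static helper in libnet_join.c, not only the 'net ads join -k' case from the mail, and nothing in the hunk lets a caller opt out. Consider passing the decision in from the caller (a parameter or a field set by the join context) instead of hard-coding it before `ads_connect_user_creds(my_ads)`. The line also has no comment explaining why NTLMSSP is allowed here, and it duplicates the same assignment made in net_ads.c, so a short comment and a single shared place for the policy would make the intent reviewable.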

