Fallback to NTLMSSP allowed if KDC is not reachable?
Shilpa K
shilpa.krishnareddy at gmail.com
Fri Apr 30 10:42:31 UTC 2021
Hi Andreas,
Thanks for the response. I was using --user along with -k and provided the
password at the prompt. libnet_join_connect_dc_ipc() has fallback after
kerberos, but not ads_sasl_spnego_bind(). In the
routine ads_sasl_spnego_bind(), which is called as part of domain join,
there is this check:
	/* only fallback to NTLMSSP if allowed */
	if (ADS_ERR_OK(status) ||
	    !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
		goto done;
	}
It is checking only for the flag and not the password to fall back to
NTLMSSP. Is this expected?
Thanks,
Shilpa
On Fri, Apr 30, 2021 at 3:23 PM Andreas Schneider <asn at samba.org> wrote:
> On Friday, 30 April 2021 03:38:44 CEST Shilpa K via samba-technical wrote:
> > Hello,
> >
> > In one instance, port 88 was blocked while port 445 and port 139 were
> > allowed on the DC. In this scenario, when we tried to execute 'net ads join
> > -k', it was not working. But, with the below code modification, it will
> > fallback to NTLMSSP and works. Is it expected to fallback to NTLMSSP in net
> > ads commands if krb does not work?
>
> 'net ads join -k' without specifying a user/password means that kerberos is
> required!
>
> If you specify a username/password it will fall back to an alternative.
>
> --
> Andreas Schneider asn at samba.org
> Samba Team www.samba.org
> GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
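As an added illustration, not Samba code, here is a small model of the two fallback policies discussed in this thread: the flag-only check quoted from ads_sasl_spnego_bind() beside the stricter rule Andreas describes (a bare -k requires Kerberos; fallback only with an explicit user/password). The flag value, the auth_ctx struct and the function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed flag value for illustration only; Samba's real ADS_AUTH_*
 * constants and the ads_struct layout are not reproduced here. */
#define AUTH_ALLOW_NTLMSSP 0x1u

typedef struct {
    unsigned flags;
    const char *user;      /* NULL when only -k was given (no explicit user) */
    const char *password;  /* NULL when no password was supplied */
} auth_ctx;

typedef enum { MECH_NONE = 0, MECH_KERBEROS = 1, MECH_NTLMSSP = 2 } mech_t;

/* The check quoted from ads_sasl_spnego_bind(): fall back as soon as the
 * ALLOW_NTLMSSP flag is set, regardless of how credentials were supplied. */
bool fallback_allowed_flag_only(const auth_ctx *a)
{
    return (a->flags & AUTH_ALLOW_NTLMSSP) != 0;
}

/* The policy Andreas describes: fall back only when the caller supplied an
 * explicit user and password; a bare -k means Kerberos is required. */
bool fallback_allowed_strict(const auth_ctx *a)
{
    return (a->flags & AUTH_ALLOW_NTLMSSP) != 0 &&
           a->user != NULL && a->password != NULL;
}

/* Model of the SPNEGO bind: try Kerberos first (kdc_reachable stands in for
 * the real GSSAPI step), then consult the chosen fallback policy. Every
 * downgrade is written to stderr so it stays visible in the logs. */
mech_t spnego_bind(const auth_ctx *a, bool kdc_reachable, bool strict)
{
    if (kdc_reachable) {
        return MECH_KERBEROS;
    }
    bool allowed = strict ? fallback_allowed_strict(a)
                          : fallback_allowed_flag_only(a);
    if (!allowed) {
        fprintf(stderr, "bind: KDC unreachable and NTLMSSP fallback denied\n");
        return MECH_NONE;
    }
    fprintf(stderr, "bind: KDC unreachable, downgraded to NTLMSSP for %s\n",
            a->user ? a->user : "(no explicit user)");
    return MECH_NTLMSSP;
}
```

With port 88 blocked, the flag-only policy lets a bare -k join proceed over NTLMSSP, while the strict policy refuses it and only allows the downgrade when a user and password were given.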