Fallback to NTLMSSP allowed if KDC is not reachable?

Shilpa K shilpa.krishnareddy at gmail.com
Fri Apr 30 10:42:31 UTC 2021

Hi Andreas,

Thanks for the response. I was using --user along with -k and provided the
password at the prompt. libnet_join_connect_dc_ipc() has fallback after
kerberos, but not ads_sasl_spnego_bind(). In the
routine ads_sasl_spnego_bind() which is called as part of domain join,
there is this check:

                /* only fallback to NTLMSSP if allowed */
                if (ADS_ERR_OK(status) ||
                    !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
                        goto done;

It is checking only for the flag and not the password to fallback to
NTLMSSP. Is this expected?


On Fri, Apr 30, 2021 at 3:23 PM Andreas Schneider <asn at samba.org> wrote:

> On Friday, 30 April 2021 03:38:44 CEST Shilpa K via samba-technical wrote:
> > Hello,
> >
> > In one instance, port 88 was blocked while port 445 and port 139 were
> > allowed on the DC. In this scenario, when we tried to execute 'net ads
> join
> > -k', it was not working. But, with the below code modification, it will
> > fallback to NTLMSSP and works. Is it expected to fallback to NTLMSSP in
> net
> > ads commands if krb does not work?
> 'net ads join -k' without specifying a user/password, means that kerberos
> is
> required!
> If you specify a username/password it will fall back to an alternative.
> --
> Andreas Schneider                      asn at samba.org
> Samba Team                             www.samba.org
> GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the samba-technical mailing list