Fallback to NTLMSSP allowed if KDC is not reachable?
Andreas Schneider
asn at samba.org
Fri Apr 30 14:31:06 UTC 2021
On Friday, 30 April 2021 12:42:31 CEST Shilpa K via samba-technical wrote:
> Hi Andreas,
>
> Thanks for the response. I was using --user along with -k and provided the
> password at the prompt. libnet_join_connect_dc_ipc() has fallback after
> kerberos, but not ads_sasl_spnego_bind(). In the
> routine ads_sasl_spnego_bind() which is called as part of domain join,
> there is this check:
>
> /* only fallback to NTLMSSP if allowed */
> if (ADS_ERR_OK(status) ||
> !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
> goto done;
> }
>
> It is checking only for the flag and not the password to fallback to
> NTLMSSP. Is this expected?
I would suggest to open a bug report. We could look into a fix, once the
cmdline improvements are merged.
Andreas
--
Andreas Schneider asn at samba.org
Samba Team www.samba.org
GPG-ID: 8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
More information about the samba-technical
mailing list