Fallback to NTLMSSP allowed if KDC is not reachable?

Andreas Schneider asn at samba.org
Fri Apr 30 14:31:06 UTC 2021

On Friday, 30 April 2021 12:42:31 CEST Shilpa K via samba-technical wrote:
> Hi Andreas,
> Thanks for the response. I was using --user along with -k and provided the
> password at the prompt. libnet_join_connect_dc_ipc() has fallback after
> kerberos, but not ads_sasl_spnego_bind(). In the
> routine ads_sasl_spnego_bind() which is called as part of domain join,
> there is this check:
>                 /* only fallback to NTLMSSP if allowed */
>                 if (ADS_ERR_OK(status) ||
>                     !(ads->auth.flags & ADS_AUTH_ALLOW_NTLMSSP)) {
>                         goto done;
>                 }
> It is checking only for the flag and not the password to fallback to
> NTLMSSP. Is this expected?

I would suggest to open a bug report. We could look into a fix, once the 
cmdline improvements are merged.


Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D

More information about the samba-technical mailing list