Authenticating users using another domain's PDC?

Carrie Coy carriec at doc.state.vt.us
Wed Nov 29 21:16:50 GMT 2000


We're a state agency that would like to provide authenticated web access to
employees of another department (different NT domain).

Currently we happily use Apache::Authen::Smb (based on the smbval library)
to authenticate our users.  I'd like to use the other department's PDC to
authenticate their users.  Could it be that simple?  (There are no firewall
considerations).

I tried pointing Authen::Smb at their PDC to authenticate one of their
users, and got an NTV_PROTOCOL_ERROR resulting from the following code in
valid.c:

  /* Test for a server in share level mode do not authenticate against it */
  if (con -> Security == 0)
    {
      SMB_Discon(con,0);
      return(NTV_PROTOCOL_ERROR);
    }

What exactly does this mean?  Is it a setting that can be changed?  When I
comment out these lines, their PDC returns NTV_NO_ERROR even if the supplied
password is intentionally bogus.

I monitored the failed authentication challenge using tcpdump and I see a
reasonable conversation that resembles a successful authentication -- not
being a tcpdump guru, I'm not sure if it contains any hidden clues (see
below).

Any advice is most welcome.
--
Carrie Coy


tcpdump of authentication challenge that produces NTV_PROTOCOL_ERROR:

16:04:13.707463 eth0 > mail1.1205 > wtrbry.netbios-ssn: S 4041054284:4041054284(0) win 32120 <mss 1460,sackOK,timestamp 115127474 0,nop,wscale 0> (DF)
16:04:13.709940 eth0 < wtrbry.netbios-ssn > mail1.1205: S 2483337729:2483337729(0) ack 4041054285 win 12288 <mss 1460>
16:04:13.709992 eth0 > mail1.1205 > wtrbry.netbios-ssn: . 1:1(0) ack 1 win 32120 (DF)
16:04:13.710063 eth0 > mail1.1205 > wtrbry.netbios-ssn: P 1:73(72) ack 1 win 32120>>> NBT (DF)
16:04:13.776661 eth0 < wtrbry.netbios-ssn > mail1.1205: . 1:1(0) ack 73 win 12288
16:04:13.875489 eth0 < wtrbry.netbios-ssn > mail1.1205: P 1:5(4) ack 73 win 12288>>> NBT
16:04:13.875515 eth0 > mail1.1205 > wtrbry.netbios-ssn: . 73:73(0) ack 5 win 32120 (DF)
16:04:13.875567 eth0 > mail1.1205 > wtrbry.netbios-ssn: P 73:241(168) ack 5 win 32120>>> NBT (DF)
16:04:13.882143 eth0 < wtrbry.netbios-ssn > mail1.1205: P 5:78(73) ack 241 win 12288>>> NBT
16:04:13.882324 eth0 > mail1.1205 > wtrbry.netbios-ssn: F 241:241(0) ack 78 win 32120 (DF)
16:04:13.884178 eth0 < wtrbry.netbios-ssn > mail1.1205: . 78:78(0) ack 242 win 12288
16:04:13.885429 eth0 < wtrbry.netbios-ssn > mail1.1205: F 78:78(0) ack 242 win 12288
16:04:13.885449 eth0 > mail1.1205 > wtrbry.netbios-ssn: . 242:242(0) ack 79 win 32120 (DF)
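
The share-level test quoted from valid.c above, as an added example that is not part of the original post and is not smbval's code: a share-level server attaches passwords to shares rather than to users, so a validator has to stop as soon as the negotiate response says so instead of going on to a session setup. It assumes the flag is bit 0 of the SecurityMode field in the SMB1 negotiate response; the function names, verdict names and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; they are not smbval's. */
enum verdict { SRV_USER_LEVEL, SRV_SHARE_LEVEL, SRV_MALFORMED };

#define SMB_HDR_LEN       32    /* fixed SMB1 header length */
#define SMB_COM_NEGOTIATE 0x72
#define SECMODE_USER      0x01  /* bit 0 set: user-level security */

/* Classify an SMB1 negotiate response (4-byte NBT header already removed).
 * Anything but a well-formed user-level reply must stop the validation. */
enum verdict check_negotiate(const uint8_t *p, size_t len)
{
    if (len < SMB_HDR_LEN + 1 || memcmp(p, "\xffSMB", 4) != 0 ||
        p[4] != SMB_COM_NEGOTIATE)
        return SRV_MALFORMED;
    uint8_t wc = p[SMB_HDR_LEN];            /* WordCount */
    /* 17 words: NT LM 0.12; 13 words: LANMAN dialects. Both put
     * SecurityMode right after the 2-byte DialectIndex. */
    if ((wc != 17 && wc != 13) || len < SMB_HDR_LEN + 1 + 2u * wc + 2)
        return SRV_MALFORMED;
    uint8_t secmode = p[SMB_HDR_LEN + 3];
    return (secmode & SECMODE_USER) ? SRV_USER_LEVEL : SRV_SHARE_LEVEL;
}

/* Constructed sample: an NT LM 0.12 reply with only the fields used above. */
size_t make_response(uint8_t *buf, uint8_t secmode)
{
    size_t len = SMB_HDR_LEN + 1 + 2 * 17 + 2;   /* 69 bytes, ByteCount 0 */
    memset(buf, 0, len);
    memcpy(buf, "\xffSMB", 4);
    buf[4] = SMB_COM_NEGOTIATE;
    buf[SMB_HDR_LEN] = 17;
    buf[SMB_HDR_LEN + 3] = secmode;
    return len;
}

int main(void)
{
    uint8_t buf[80];
    size_t n = make_response(buf, 0x03);   /* user-level, encrypted passwords */
    printf("mode 0x03 -> %d\n", check_negotiate(buf, n));
    n = make_response(buf, 0x00);          /* share-level */
    printf("mode 0x00 -> %d\n", check_negotiate(buf, n));
    return 0;
}
```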
