[Samba] Re: how to turn off NTLM?

Andrew Bartlett abartlet at samba.org
Sun Sep 29 06:40:01 GMT 2002

Donald Saltarelli wrote:
> Andrew, as you konw, I'm trying to get samba-3.0-alpha20 to authenticate
> a user that logs in to an AD domain workstation with the user's AD
> kerberos credentials. looking at the logs, it's not clear to me whether
> samba is trying to do kerberos or NTLM authentication for the client.

These logs indicate NTLM authenticaion.  Use 'auth methods = guest' to
ensure that Samba doesn't even try to authenticate users with NTLM.

> in smb.conf I have:
> [global]
>         security = ADS
>         realm = HSSOE.UCI.EDU
>         ads server = dc1.hssoe.uci.edu
>         lanman auth = no
>         ntlm auth = no
>         disable netbios = yes
>         use spnego = yes
> #       protocol =
> #       encrypt passwords = yes
>         ldap admin dn = Administrator
> How do i get it to only do GSS-SPNEGO or whatever it's called? Is this
> just not possible yet?

Win2k machines will use kerberos in preference to NTLM when possible.

> I noticed that in the log at some point it says realm(NULL). could the
> AD KDC be rejecting it because of that?
> Thanks for any help,
> Donald
> (time running out for this quarter's launch...)

Then I think you left your run a bit late...  This stuff is complex, why
didn't you start at this earlier...?  

Also, I'm still not particuarly clear on what you are doing - you have
an MIT kerberos realm, and a Win2k realm, but passwords are not

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

More information about the samba mailing list