[Samba] Re: ADS valid users can't map share

Igor Belyi sambauser at katehok.ac93.org
Wed Oct 20 18:07:16 GMT 2004


Igor Belyi wrote:

> Gerald (Jerry) Carter wrote:
>
>> Igor Belyi wrote:
>>
>> | No, wait! Samba checks only the first OID! And this is the
>> | reason for NTLM! Here's the comment from source/smbd/sesssetup.c:
>> |
>> |        /* only look at the first OID for determining the mechToken --
>> |           accoirding to RFC2478, we should choose the one we want
>> |           and renegotiate, but i smell a client bug here..
>> |
>> |           Problem observed when connecting to a member (samba box)
>> |           of an AD domain as a user in a Samba domain.  Samba member
>> |           server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
>> |           client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
>> |           NTLMSSP mechtoken.                 --jerry              */
>> |
>> | Jerry, that's your comment, right? :)
>>
>> Yup.  That's my change.  But since the NTLM authentication
>> is succeeding, then I'll assume that the token sent back
>> was an NTLMSSP token as well.  So for some reason the client
>> either can't or won't obtain a ticket for the Samba server.
>>
>
> Do you mean NTLM got negotiated earlier than that code? Or that the client
> obtains Kerberos tickets directly from the security server and then just
> passes them to the Samba server? Where do those OIDs corresponding to
> Kerberos come from then?
>
> I don't have ADS and I never saw one. I apologize if my questions are 
> naive.
>
> Thanks,
> Igor
>
>> DNS reverse mapping glitch perhaps?
>

Do you mean it can be related to the machine's domain not being the same 
as Realm? The corresponding bug:
https://bugzilla.samba.org/show_bug.cgi?id=1651

I just don't know what symptoms may result in this mismatch. Will Samba
fall back to NTLM if Kerberos authentication is unsuccessful? What else
should Greg check to find the reason for the failure?

Thanks,
Igor
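
The mechType ordering described in the quoted sesssetup.c comment, as an added example that is not part of the original thread or of Samba's source: it encodes and decodes only the SPNEGO MechTypeList (not a full NegTokenInit) and shows which mechanism a first-OID-only check selects. The function names are hypothetical and both lists are constructed to match the orderings in the comment.

```python
# Added illustration, not Samba code. OIDs are the registered values; both lists are constructed.
MECHS = {"krb5": "1.2.840.113554.1.2.2", "mskrb5": "1.2.840.48018.1.2.2",
         "ntlmssp": "1.3.6.1.4.1.311.2.2.10"}
NAMES = {oid: name for name, oid in MECHS.items()}

def encode_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # last base-128 digit, high bit clear
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)

def encode_mech_list(names):
    """Build a MechTypeList: SEQUENCE (0x30) OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(MECHS[n]) for n in names)
    return bytes([0x30, len(body)]) + body

def decode_mech_list(der):
    """Return mechanism names in the order they appear on the wire."""
    if der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form SEQUENCE")
    names, pos = [], 2
    while pos < len(der):
        if der[pos] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        body = der[pos + 2 : pos + 2 + der[pos + 1]]
        arcs, value = [body[0] // 40, body[0] % 40], 0
        for byte in body[1:]:
            value = (value << 7) | (byte & 0x7F)
            if not byte & 0x80:           # high bit clear ends this arc
                arcs.append(value)
                value = 0
        dotted = ".".join(map(str, arcs))
        names.append(NAMES.get(dotted, dotted))
        pos += 2 + der[pos + 1]
    return names

def first_oid_mech(der):
    """Mechanism chosen when only the first OID in the list is examined."""
    return decode_mech_list(der)[0]

SERVER_OFFER = encode_mech_list(["krb5", "mskrb5", "ntlmssp"])
CLIENT_REPLY = encode_mech_list(["ntlmssp", "mskrb5", "krb5"])
```

With these two lists, `first_oid_mech(SERVER_OFFER)` is `krb5` while `first_oid_mech(CLIENT_REPLY)` is `ntlmssp`, so comparing the mechType order in a packet capture of the session setup shows which side put NTLMSSP first.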


