[Samba] Re: ADS valid users can't map share
Greg Adams
gadams at gmail.com
Fri Oct 22 18:24:48 GMT 2004
So am I up a creek on this issue?
Greg
On Wed, 20 Oct 2004 14:07:16 -0400, Igor Belyi
<sambauser at katehok.ac93.org> wrote:
> Igor Belyi wrote:
>
> > Gerald (Jerry) Carter wrote:
> >
> >> Igor Belyi wrote:
> >>
> >> | No, wait! Samba checks only the first OID! And this is the
> >> | reason for NTLM! Here's the comment from source/smbd/sesssetup.c:
> >> |
> >> | /* only look at the first OID for determining the mechToken --
> >> | according to RFC2478, we should choose the one we want
> >> | and renegotiate, but i smell a client bug here..
> >> |
> >> | Problem observed when connecting to a member (samba box)
> >> | of an AD domain as a user in a Samba domain. Samba member
> >> | server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
> >> | client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
> >> | NTLMSSP mechtoken. --jerry */
> >> |
> >> | Jerry, that's your comment, right? :)
> >>
> >> Yup. That's my change. But since the NTLM authentication
> >> is succeeding, then I'll assume that the token sent back
> >> was an NTLMSSP token as well. So for some reason the client
> >> either can't or won't obtain a ticket for the Samba server.
> >>
> >
> > Do you mean NTLM got negotiated earlier than that code? Or that the client
> > obtains Kerberos tickets directly from the security server and then just
> > passes them to the Samba server? Where do those OIDs corresponding to
> > Kerberos come from then?
> >
> > I don't have ADS and I never saw one. I apologize if my questions are
> > naive.
> >
> > Thanks,
> > Igor
> >
> >> DNS reverse mapping glitch perhaps?
> >
>
> Do you mean it can be related to the machine's domain not being the same
> as Realm? The corresponding bug:
> https://bugzilla.samba.org/show_bug.cgi?id=1651
>
> I just don't know what symptoms may result from this mismatch. Will Samba
> fall back to NTLM if Kerberos authentication is unsuccessful? What else
> should Greg check to find the reason for the failure?
>
> Thanks,
> Igor
>
>
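The mechType selection discussed in the quoted sesssetup.c comment, as an added model (not Samba's code): the "trust the first OID" shortcut beside the choose-and-renegotiate behaviour the comment attributes to RFC 2478, plus a check a server operator can use to notice when a Kerberos-capable exchange quietly ended up on NTLMSSP. The OIDs are the real SPNEGO mechanism OIDs; the message shape is a simplified stand-in for the DER NegTokenInit, carrying only the fields the decision needs.

```python
# Added example modelling the SPNEGO mechType decision from the quoted
# Samba comment.  Simplified message layout (no ASN.1/DER), real mech OIDs.
from dataclasses import dataclass

OID_KRB5 = "1.2.840.113554.1.2.2"        # Kerberos 5
OID_MSKRB5 = "1.2.840.48018.1.2.2"       # Microsoft Kerberos 5
OID_NTLMSSP = "1.3.6.1.4.1.311.2.2.10"   # NTLMSSP

# Preference order the Samba member server in the thread sent back.
SERVER_PREFS = [OID_KRB5, OID_MSKRB5, OID_NTLMSSP]


@dataclass
class NegTokenInit:
    mech_types: list    # client's mechTypes, in the order it sent them
    token_mech: str     # mechanism the optimistic mechToken belongs to


def samba_first_oid(init):
    """Behaviour in the quoted comment: assume the mechToken belongs to
    whatever OID the client listed first, and never renegotiate."""
    return init.mech_types[0]


def rfc2478_accept(server_prefs, init):
    """Acceptor picks the most preferred of its own mechs that the client
    also offered.  If the client's optimistic token is already for that
    mech the exchange continues; otherwise the acceptor must name the
    chosen mech and have the client resend (accept-incomplete)."""
    chosen = next((m for m in server_prefs if m in init.mech_types), None)
    if chosen is None:
        return ("reject", None)
    if chosen == init.token_mech:
        return ("accept", chosen)
    return ("renegotiate", chosen)


def kerberos_downgraded(server_prefs, init, negotiated):
    """Detection hook: True when both sides listed a Kerberos mech the
    server prefers, yet the session ended up on NTLMSSP."""
    common_krb = any(m in init.mech_types for m in server_prefs
                     if m in (OID_KRB5, OID_MSKRB5))
    return common_krb and negotiated == OID_NTLMSSP


# Constructed reproduction of the 2ksp3 client reply from the comment.
CLIENT_REPLY = NegTokenInit([OID_NTLMSSP, OID_MSKRB5, OID_KRB5], OID_NTLMSSP)
```

Running the constructed reply through both functions shows the shortcut settling on NTLMSSP while the RFC path would answer with Kerberos and ask the client to start over, which is exactly the case `kerberos_downgraded` flags.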