[Samba] Re: ADS valid users can't map share

Greg Adams gadams at gmail.com
Fri Oct 22 18:24:48 GMT 2004


So am I up a creek on this issue?

Greg


On Wed, 20 Oct 2004 14:07:16 -0400, Igor Belyi
<sambauser at katehok.ac93.org> wrote:
> Igor Belyi wrote:
> 
> 
> 
> > Gerald (Jerry) Carter wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Igor Belyi wrote:
> >>
> >> | No, wait! Samba checks only the first OID! And this is the
> >> | reason for NTLM! Here's the comment from source/smbd/sesssetup.c:
> >> |
> >> |        /* only look at the first OID for determining the mechToken --
> >> |           accoirding to RFC2478, we should choose the one we want
> >> |           and renegotiate, but i smell a client bug here..
> >> |
> >> |           Problem observed when connecting to a member (samba box)
> >> |           of an AD domain as a user in a Samba domain.  Samba member
> >> |           server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
> >> |           client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
> >> |           NTLMSSP mechtoken.                 --jerry              */
> >> |
> >> | Jerry, that's your comment, right? :)
> >>
> >> Yup.  That's my change.  But since the NTLM authentication
> >> is succeeding, then I'll assume that the token sent back
> >> was an NTLMSSP token as well.  So for some reason the client
> >> either can't or won't obtain a ticket for the Samba server.
> >>
> >
> > Do you mean NTLM got negotiated earlier than that code? Or that client
> > obtains Kerberos tickets directly from security server and then just
> > passes them to Samba server? Where those OIDs corresponding to
> > Kerberos come from then?
> >
> > I don't have ADS and I never saw one. I apologize if my questions are
> > naive.
> >
> > Thanks,
> > Igor
> >
> >> DNS reverse mapping glitch perhaps?
> >
> 
> Do you mean it can be related to the machine's domain not being the same
> as Realm? The corresponding bug:
> https://bugzilla.samba.org/show_bug.cgi?id=1651
> 
> I just don't know what symptoms may result in this mismatch. Will Samba
> fall back to NTLM if Kerberos authentication is unsuccessful? What else
> Greg should check to find the reason of failure?
> 
> Thanks,
> Igor
> 
>

