[Samba] Re: ADS valid users can't map share
Igor Belyi
sambauser at katehok.ac93.org
Fri Oct 22 22:11:10 GMT 2004
Greg Adams wrote:
>So am I up a creek on this issue?
>
>
>>>Gerald (Jerry) Carter wrote:
>>>
>>>
>>>>Yup. That's my change. But since the NTLM authentication
>>>>is succeeding, then I'll assume that the token sent back
>>>>was an NTLMSSP token as well. So for some reason the client
>>>>either can't or won't obtain a ticket for the Samba server.
>>>>DNS reverse mapping glitch perhaps?
>>>>
>>>>
OK, as I said, I don't have any experience with ADS and I have some
knowledge of Kerberos, so I'll try to put forward a theory; if it's completely
wrong, at least it will give somebody a chance to correct me.
The basic idea of Kerberos is that everyone takes their tickets from the same
source. The client gets its own ticket from the Security server. Whenever it
needs to authenticate itself to an application server, it gets an
application server ticket from that same Security server as well. This
application server ticket is used to encrypt the client's identity so that
only the right application server can find it out. The server, on the other
hand, trusts the client because it encrypted its identity with a ticket which
it can only get from the same Security server the application server got its
own ticket from.
To be honest, I don't know the details of the Kerberos setup between the
client, Samba, and ADS when 'security = ads' is used, but I would guess that
ADS is the Security server which distributes Kerberos tickets and Samba is a
server which provides shares depending on the client's identity. But the
fact that failed Kerberos communication can fall back to normal domain
authentication (NTLM) confuses me. Does it mean that the client, after the
first failed attempt, will pass only NTLM credentials? But why then is
there still information regarding Kerberos abilities passed around?
I think what Jerry is saying is that the client (XP) got an incorrect Samba
server ticket from ADS. According to what I've heard, ADS gives tickets
based on the name of the server, the machine name this server runs on
and the Realm the server belongs to. Unfortunately, I don't know how and by
whom the machine name is determined, but based on Jerry's comment this could
be the reason for the problem. I'd guess it's a good idea to check whether DNS
name -> IP -> DNS name gives a consistent result on all 3 participants:
Samba server, XP client, and ADS.
Hope it's not useless,
Igor
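The round-trip check Igor proposes at the end (DNS name -> IP -> DNS name on each of the three participants), written out as an added example; this is not code from the original post or from Samba. It runs the same comparison the client, Samba and the DC would each have to pass: the forward (A) lookup of a hostname and the reverse (PTR) lookup of the resulting address must agree, since the service ticket a client asks for is named after a host (conventionally cifs/<fqdn> for SMB) and a mismatch between the name in use and the name registered in AD is exactly the kind of thing that leaves the client without a ticket and falling back to NTLM. The hostnames and addresses below are constructed sample data, and the `sample_forward`/`sample_reverse` resolvers are a fake zone so the example runs offline; `system_forward`/`system_reverse` use the OS resolver and are what you would plug in when running this on each real machine.

```python
"""Forward/reverse DNS consistency check for a Samba + AD Kerberos setup.

Added example, not part of the original mailing-list post. Run it (with the
system resolvers) on the Samba server, the XP client and the DC: all three
must see the same name -> IP -> name round-trip for each participant.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

ForwardFn = Callable[[str], Optional[str]]   # hostname -> IPv4 string or None
ReverseFn = Callable[[str], Optional[str]]   # IPv4 string -> hostname or None


def system_forward(name: str) -> Optional[str]:
    """A-record lookup through the operating system resolver."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def system_reverse(ip: str) -> Optional[str]:
    """PTR-record lookup through the operating system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def _canon(name: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()


def check_host(name: str, forward: ForwardFn, reverse: ReverseFn) -> Tuple[bool, str]:
    """One name -> IP -> name round-trip; returns (ok, human-readable reason)."""
    ip = forward(name)
    if ip is None:
        return False, f"{name}: no A record"
    back = reverse(ip)
    if back is None:
        return False, f"{name} -> {ip}: no PTR record"
    if _canon(back) != _canon(name):
        return False, (f"{name} -> {ip} -> {back}: PTR name differs from the name "
                       f"looked up, so a ticket for cifs/{back} would be a "
                       f"different principal than cifs/{name}")
    return True, f"{name} -> {ip} -> {back}: consistent"


def check_participants(names: List[str], forward: ForwardFn,
                       reverse: ReverseFn) -> Dict[str, Tuple[bool, str]]:
    """Run check_host for every participant and collect the verdicts."""
    return {n: check_host(n, forward, reverse) for n in names}


# --- Constructed sample zone (fake data so the example runs offline) ---------
SAMPLE_A = {
    "samba.example.test": "192.0.2.10",
    "xpclient.example.test": "192.0.2.20",
    "dc1.example.test": "192.0.2.1",
}
# Deliberately inconsistent: the Samba box's PTR still names its old hostname,
# the kind of "DNS reverse mapping glitch" Jerry suspected.
SAMPLE_PTR = {
    "192.0.2.10": "oldfileserver.example.test",
    "192.0.2.20": "XPCLIENT.example.test.",   # case/trailing dot: still fine
    "192.0.2.1": "dc1.example.test",
}


def sample_forward(name: str) -> Optional[str]:
    return SAMPLE_A.get(name)


def sample_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)


def run_sample() -> Dict[str, Tuple[bool, str]]:
    """Check the three constructed participants against the fake zone."""
    return check_participants(list(SAMPLE_A), sample_forward, sample_reverse)


if __name__ == "__main__":
    # Swap in system_forward / system_reverse to test real DNS from each host.
    for host, (ok, why) in run_sample().items():
        print("OK  " if ok else "FAIL", why)
```

Running the sample flags only the Samba server, whose PTR record points at a stale name, while the client entry passes despite differing in case and having a trailing dot. Repeating the real-resolver run on all three machines matters because each may be pointed at a different DNS server (or have hosts-file overrides), so a result that is consistent on the DC can still be wrong on the client that is actually requesting the ticket.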