[Samba] Re: ADS valid users can't map share

Igor Belyi sambauser at katehok.ac93.org
Fri Oct 22 22:11:10 GMT 2004


Greg Adams wrote:

>So am I up a creek on this issue?
>
>>>Gerald (Jerry) Carter wrote:
>>>
>>>>Yup.  That's my change.  But since the NTLM authentication
>>>>is succeeding, then I'll assume that the token sent back
>>>>was an NTLMSSP token as well.  So for some reason the client
>>>>either can't or won't obtain a ticket for the Samba server.
>>>>DNS reverse mapping glitch perhaps?
>>>>

Ok, as I said, I don't have any experience with ADS and I have only some vague 
knowledge of Kerberos, so I'll try to put forward a theory; if it's completely 
wrong, at least it will give somebody a chance to correct me.

The basic idea of Kerberos is that everyone takes their tickets from the same 
source. The client gets its own ticket from the Security server. Whenever it 
needs to authenticate itself to an application server, it gets an 
application server ticket from the same Security server as well.  This 
application server ticket is used to encrypt the client's identity so that 
only the right application server can find it out. The server, on the other 
hand, trusts the client because it encrypted its identity with a ticket which 
it can only get from the same Security server the application server got its 
own ticket from.

To be honest, I don't know the details of the Kerberos setup between the client, 
Samba, and ADS when 'security = ads' is used, but I would guess that ADS 
is the Security server which distributes Kerberos tickets and Samba is a 
server which provides shares depending on the client's identity. But the 
fact that failed Kerberos communication can fall back to normal domain 
authentication (NTLM) confuses me. Does it mean that the client, after the 
first failed attempt, will pass only NTLM credentials? But why then is 
there still information regarding Kerberos abilities passed around?

I think that what Jerry says is that the client (XP) got an incorrect Samba 
server ticket from ADS. According to what I heard, ADS gives tickets 
based on the name of the server, the machine name this server runs on, 
and the Realm the server belongs to. Unfortunately, I don't know how and who 
determines the machine name, but based on Jerry's comment this could be 
the reason for the problem. I'd guess it's a good idea to check if DNS 
name -> IP -> DNS name gives a consistent result on all 3 participants: 
the Samba server, the XP client, and ADS.

Hope it's not useless,
Igor
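The "DNS name -> IP -> DNS name" check suggested above, as an added example that is not part of the post or of the Samba project. Kerberos clients build the service principal for an SMB share as cifs/<fqdn>@<REALM>; which name ends up in <fqdn> depends on the client stack (MIT Kerberos with rdns enabled canonicalises through the reverse lookup, and this example assumes that behaviour), so a name whose PTR record points somewhere else yields a ticket for a principal the Samba server does not hold, which is exactly the "can't or won't obtain a ticket" symptom. The hostnames, addresses and realm are constructed sample data; the system_* resolvers are for real use and need network access.

```python
"""Forward/reverse DNS round-trip check for the three participants in a
Samba + AD Kerberos setup: the Samba server, the Windows client and the DC.
Added example; hostnames/addresses/realm below are constructed.
"""
import socket
from typing import Callable, Dict, Optional, Tuple

Forward = Callable[[str], Optional[str]]   # name -> IPv4 address, or None
Reverse = Callable[[str], Optional[str]]   # IPv4 address -> name, or None


def system_forward(name: str) -> Optional[str]:
    """A-record lookup through the host resolver (real use; needs network)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def system_reverse(addr: str) -> Optional[str]:
    """PTR lookup through the host resolver (real use; needs network)."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except (socket.herror, socket.gaierror):
        return None


def _canon(name: str) -> str:
    return name.lower().rstrip(".")


def round_trip(name: str, forward: Forward, reverse: Reverse) -> Tuple[bool, str]:
    """Check name -> IP -> name and return (consistent, explanation)."""
    addr = forward(name)
    if addr is None:
        return False, f"{name}: no A record"
    back = reverse(addr)
    if back is None:
        return False, f"{name} -> {addr}: no PTR record"
    if _canon(back) != _canon(name):
        return False, f"{name} -> {addr} -> {back}: reverse name differs"
    return True, f"{name} -> {addr} -> {back}: consistent"


def expected_spn(name: str, realm: str, forward: Forward, reverse: Reverse) -> str:
    """Principal a client that canonicalises via reverse DNS would ask the KDC
    for (assumption: cifs/<canonical fqdn>@<REALM>, MIT rdns=true behaviour)."""
    addr = forward(name)
    canonical = reverse(addr) if addr else None
    return f"cifs/{_canon(canonical or name)}@{realm.upper()}"


def check_hosts(hosts, forward: Forward, reverse: Reverse) -> Dict[str, Tuple[bool, str]]:
    """Run the round-trip check for every participant."""
    return {h: round_trip(h, forward, reverse) for h in hosts}


# Constructed sample zone: the Samba server's PTR record still points at an
# old hostname, while the client and the DC are consistent.
SAMPLE_A = {
    "samba.example.com": "192.0.2.10",
    "oldname.example.com": "192.0.2.10",
    "xpclient.example.com": "192.0.2.20",
    "dc1.example.com": "192.0.2.1",
}
SAMPLE_PTR = {
    "192.0.2.10": "oldname.example.com",
    "192.0.2.20": "xpclient.example.com",
    "192.0.2.1": "dc1.example.com",
}
PARTICIPANTS = ["samba.example.com", "xpclient.example.com", "dc1.example.com"]


def sample_forward(name: str) -> Optional[str]:
    return SAMPLE_A.get(_canon(name))


def sample_reverse(addr: str) -> Optional[str]:
    return SAMPLE_PTR.get(addr)


if __name__ == "__main__":
    # Swap in system_forward/system_reverse to run this against live DNS.
    for host, (ok, msg) in check_hosts(PARTICIPANTS, sample_forward, sample_reverse).items():
        print("OK  " if ok else "FAIL", msg)
    print("client would request:",
          expected_spn("samba.example.com", "example.com", sample_forward, sample_reverse))
```

Run it on each of the three machines (the resolver view can differ per host, which is the point of checking all of them); a FAIL on the Samba server's name is the mismatch Jerry's "DNS reverse mapping glitch" hint refers to, and the printed principal is the one to compare against what the Samba host actually has a key for.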


