[Samba] winbind design query: why does ntlm_auth work when the same auth via smbd fails?

Jason Haar Jason.Haar at trimble.co.nz
Wed Feb 28 23:35:36 GMT 2007

I have an issue with being unable to successfully allow any user from
trusted domains to connect to an ADS Samba-3.0.24 server (joined via
kinit && net ads join).

Our AD (Win2K3 based) domain is "OURDOM", and Samba is a member of it.
Access from OURDOM accounts is 100% fine. However (2-way trusted)
username "TDOM\user1" cannot connect to an open share on it, and yet
"ntlm_auth --username=user1 --domain=TDOM" successfully authenticates!

I have seen this several times before under different Samba releases,
and have seen others report it on this list too. Typically the logging
shows the smbd connection coming in as "[TDOM]\user1" - but suddenly the
domain gets dropped, and "user1" is authenticated - incorrectly -
apparently against the OURDOM domain (which will obviously fail).

Can someone explain why ntlm_auth could possibly work (it implies
winbind is totally happy?), whereas smbd should return Access Denied?

And yes, "allow trusted domains = Yes" is set.

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
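The symptom described above (a request arriving as TDOM\user1 but being mapped to OURDOM before the password check) is something you can spot mechanically in smbd's level-3 debug log. The checker below is an added example, not code from the post or from Samba; the "unmapped user" / "mapped user is" line wording and the sample log are assumptions about Samba 3's check_ntlm_password() output, and the log lines are constructed.

```python
import re

# Constructed sample of smbd level-3 output; the exact wording of the
# check_ntlm_password lines is an assumption, not taken from the post.
SAMPLE_LOG = """\
[2007/02/28 23:30:01, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [TDOM]\\[user1]@[WS1] with the new password interface
[2007/02/28 23:30:01, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [OURDOM]\\[user1]@[WS1]
[2007/02/28 23:30:01, 2] auth/auth.c:check_ntlm_password(318)
  check_ntlm_password:  Authentication for user [user1] -> [user1] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/02/28 23:31:10, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password:  Checking password for unmapped user [OURDOM]\\[alice]@[WS2] with the new password interface
[2007/02/28 23:31:10, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password:  mapped user is: [OURDOM]\\[alice]@[WS2]
"""

# [DOMAIN]\[user]@[workstation] as printed by smbd; the backslash is literal.
UNMAPPED = re.compile(r"unmapped user \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")
MAPPED = re.compile(r"mapped user is: \[([^\]]*)\]\\\[([^\]]*)\]@\[([^\]]*)\]")


def find_domain_remaps(log_text):
    """Return (requested_domain, mapped_domain, user, workstation) for every
    authentication whose domain changed between the unmapped and mapped lines.

    An entry here means smbd dropped or rewrote the client-supplied domain
    before handing the request to the auth backend, which is the point at
    which a trusted-domain user silently turns into a local-domain lookup."""
    remaps = []
    pending = None  # last unmapped (domain, user, workstation), awaiting its mapped line
    for line in log_text.splitlines():
        m = UNMAPPED.search(line)
        if m:
            pending = m.groups()
            continue
        m = MAPPED.search(line)
        if m and pending is not None:
            req_dom, user, ws = pending
            map_dom = m.group(1)
            if req_dom.upper() != map_dom.upper():
                remaps.append((req_dom, map_dom, user, ws))
            pending = None
    return remaps


if __name__ == "__main__":
    for req_dom, map_dom, user, ws in find_domain_remaps(SAMPLE_LOG):
        print(f"domain rewritten: {req_dom}\\{user} from {ws} was checked as {map_dom}\\{user}")
```

Run it over a real `log.smbd` captured at `log level = 3`; a non-empty result for a trusted-domain user is the smbd-side mismatch to compare against the successful ntlm_auth run.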
