[Samba] deactivating NTLM fallback when accessing a share and kerberos auth fails
Guillaume Rousse
Guillaume.Rousse at inria.fr
Wed Feb 11 14:57:03 GMT 2009
Hello.
I have a print server that is a member of an AD domain, and my users are
authenticated through an external Kerberos domain. My Samba server FQDN
is 'etoile.msr-inria.inria.fr', and it has 'cups.msr-inria.inria.fr' as a DNS
alias.
For foreign visitors, everything works fine: when attempting to reach
\\cups, Samba immediately detects from the given credentials that the user comes
from an unknown domain, and immediately gives him guest access. That's
the desirable behaviour.
For members of the domain, though, the client first attempts a Kerberos
auth, which fails, as it is not using the print server FQDN and doesn't
perform host name canonicalization. It then attempts NTLM auth as a
fallback, which can't succeed either, as the user doesn't have a valid
password in the domain (he's using an external auth service). When this
fails, he is then allowed to access the service as guest, but that's a
bit ugly and counter-intuitive :( On the other hand, if he tries to
access \\etoile.msr-inria.inria.fr instead, Kerberos auth works, and the
user can access the service with his own credentials.
I'd like to avoid giving different usage information to visitors and
members, and I'd also like everyone to access the service through the
CNAME, so as to be able to migrate it freely. Is there a way to achieve
this with the current settings?
As I'm not really interested in authentication here, except for admins
to change print drivers, I'm thinking of moving from the 'ads' security
model to the simplest 'share' one, and using a local Samba-specific password
database for admins. Currently, I haven't found any advantage in making
the print server a member of the domain.
I'm using Samba 3.2.9 on Linux, and here is the relevant part of my
configuration:
[global]
    workgroup = MSR-INRIA
    realm = MSR-INRIA.IDF
    use kerberos keytab = yes
    server string = Etoile
    printcap name = cups
    load printers = yes
    printcap cache time = 60
    printing = cups
    log file = /var/log/samba/%m.log
    max log size = 50
    log level = 3
    map to guest = bad user
    guest account = nobody
    security = ads
    encrypt passwords = yes
    username map = /etc/samba/smbusers
    local master = no
    domain master = no
    preferred master = no
    dns proxy = yes
    wins support = no
    wins proxy = no

[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = yes
    guest ok = yes
    writable = no
    printable = yes
    create mode = 0700
    print command = lpr-cups -P %p -o raw %s -r
    use client driver = no

[print$]
    comment = Print drivers
    path = /var/lib/samba/printers
    browseable = yes
    write list = root
    guest ok = yes
--
BOFH excuse #449:
greenpeace free'd the mallocs
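An added example, not part of the post above: a small POSIX shell script that models the behaviour the poster describes. A Windows client that types \\cups requests a ticket for the service principal cifs/cups.msr-inria.inria.fr, so smbd can only decrypt it if that key is in its keytab; when it is not, Kerberos fails and the NTLM fallback plus 'map to guest = bad user' ends in guest access. The keytab listing is a constructed sample in the format of `klist -k`; the realm and host names are the ones from the post.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` on the print server:
# keys exist for the FQDN only, not for the cups.* CNAME.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------
   3 host/etoile.msr-inria.inria.fr@MSR-INRIA.IDF
   3 cifs/etoile.msr-inria.inria.fr@MSR-INRIA.IDF
   3 ETOILE$@MSR-INRIA.IDF'

# keytab_has_spn <principal> <keytab listing>
# Exit 0 if the principal appears in the listing (second column), else 1.
keytab_has_spn() {
    printf '%s\n' "$2" | {
        while read -r _kvno princ; do
            [ "$princ" = "$1" ] && exit 0
        done
        exit 1
    }
}

# missing_spns <realm> <keytab listing> <name>...
# For every DNS name clients may type, print the cifs/ and host/ SPNs
# that are absent from the keytab (one per line).
missing_spns() {
    realm=$1; listing=$2; shift 2
    for name in "$@"; do
        for svc in cifs host; do
            spn="$svc/$name@$realm"
            keytab_has_spn "$spn" "$listing" || printf '%s\n' "$spn"
        done
    done
}

# auth_path <name the client typed> <realm> <keytab listing>
# Prints the path a domain member ends up on with the post's config:
#   kerberos                   - cifs/<name> key present, ticket accepted
#   guest-after-ntlm-fallback  - no key for that SPN, Kerberos fails, NTLM
#                                fails (no domain password), guest mapping
auth_path() {
    if keytab_has_spn "cifs/$1@$2" "$3"; then
        echo kerberos
    else
        echo guest-after-ntlm-fallback
    fi
}

# Stand-alone run: list what is missing for the alias.
missing_spns MSR-INRIA.IDF "$SAMPLE_KEYTAB" etoile.msr-inria.inria.fr cups.msr-inria.inria.fr
```

Run against the real output of `klist -k`, any SPN the script lists for the alias is one that Kerberos access through the CNAME cannot succeed without; registering it for the machine account (and the matching key in the keytab) is what makes the alias behave like the FQDN.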