[Samba] desactivating NTLM fallback when accessing a share and kerberos auth fails

Guillaume Rousse Guillaume.Rousse at inria.fr
Wed Feb 11 14:57:03 GMT 2009


I have a print server member of an AD domain, and my users are 
autenthicated through an external kerberos domain. My samba server FQDN 
is 'etoile.msr-inria.inria.fr', and has 'cups.msr-inria.inria.fr' as DNS 

For foreign visitors, everything works fine: when attempting to reach 
\\cups, samba immediatly detect from given credentials than user comes 
from an unknown domains, and immediatly give him guest access. That's 
the desirable behaviour.

For members of the domain, tough, the client first attempt a kerberos 
auth, which fails, as he is not using print server FQDN, and doesn't 
performs host name canonicalization. It then attempt NTLM auth as 
fallback, which can't succeed either, as the user doesn't have a valid 
password in the domain (he's using external auth service). When this 
fails, it is then allowed to access the service as guest, but that's a 
bit ugly and counter-intuitive :( On the other hand, if he tries to 
access \\etoile.msr-inria.inria.fr instead, kerberos auth works, and the 
user can access the service with its own credentials.

I'd like to avoid giving different usage informations to visitors and 
members, and I'd also like everyone accessing the service through the 
CNAME, so as to be able to migrate if freely. Is there a way to achieve 
this with current settings ?

As I'm not really interested by authentication here, unless for admins 
to change print drivers, I'm thinking of moving from 'ads' security 
model to simplest 'share' one, and using a local samba-specific password 
database for admins. Currently, I didn't found any advantage of making 
the print server member of the domain.

I'm using samba 3.2.9 on Linux, and here is relevant part of my 
    workgroup = MSR-INRIA
    realm = MSR-INRIA.IDF
    use kerberos keytab = yes
    server string = Etoile
    printcap name = cups
    load printers = yes
    printcap cache time = 60
    printing = cups
    log file = /var/log/samba/%m.log
    max log size = 50
    log level = 3
    map to guest = bad user
    guest account = nobody
    security = ads
    encrypt passwords = yes
   username map = /etc/samba/smbusers
    local master = no
    domain master = no
    preferred master = no
    dns proxy = yes
    wins support = no
    wins proxy = no
     comment = All Printers
     path = /var/spool/samba
     browseable = yes
     guest ok = yes
     writable = no
     printable = yes
     create mode = 0700
     print command = lpr-cups -P %p -o raw %s -r
     use client driver = no
    comment = Print drivers
    path = /var/lib/samba/printers
    browseable = yes
    write list = root
    guest ok = yes

BOFH excuse #449:

greenpeace free'd the mallocs

More information about the samba mailing list