[Samba] deactivating NTLM fallback when accessing a share and kerberos auth fails

Volker Lendecke Volker.Lendecke at SerNet.DE
Wed Feb 11 17:12:13 GMT 2009


On Wed, Feb 11, 2009 at 05:10:02PM +0100, Guillaume Rousse wrote:
> Guillaume Rousse a écrit :
> >For members of the domain, though, the client first attempts a kerberos 
> >auth, which fails, as he is not using the print server FQDN, and doesn't 
> >perform host name canonicalization. 
> Actually, from reading the logs, this is false: samba doesn't even 
> attempt to perform a kerberos auth when a share is accessed through a 
> non-FQDN name, but directly attempts NTLM:
> 
> [2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
>   Doing spnego session setup
> [2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
>   NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
> [2009/02/11 16:59:46, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
>   check_spnego_blob_complete: needed_len = 180, pblob->length = 180
> [2009/02/11 16:59:46,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
>   Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
> [2009/02/11 16:59:46,  5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(68)
>   auth_context challenge set by NTLMSSP callback (NTLM2)

Look at the sniff. Your KDC sends a PRINCIPAL_UNKNOWN when
the client asks for the ticket with the wrong servername.
The client then falls back to ntlmssp.

Volker
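The exchange Volker describes, as an added example that is not part of the original thread and not Samba's own code: a small model of how the client builds the cifs/ service principal from the name the user typed, what the KDC answers when that principal is not registered, and whether the client then drops to NTLMSSP or refuses the connection. The realm, the registered SPNs, the fake resolver and the smbd log excerpt are all constructed for the example; Samba's real client does this in its own C code, and the only way to force the fail-closed branch there is through its configuration, not through this script.

```python
import re
import socket

# Constructed for this example: the realm and the SPNs registered on the
# print server's machine account. The short name "printserver" has no SPN,
# only the FQDN does, which is the situation described in the thread.
REALM = "EXAMPLE.COM"
KDC_SPNS = {
    "cifs/printserver.example.com@EXAMPLE.COM",
    "host/printserver.example.com@EXAMPLE.COM",
}

# Constructed stand-in for DNS so the example runs offline; socket.getfqdn
# is what a real client would use for canonicalization.
FAKE_DNS = {"printserver": "printserver.example.com"}


def fake_resolver(name):
    return FAKE_DNS.get(name, name)


def service_principal(server_name, realm=REALM, canonicalize=False, resolver=socket.getfqdn):
    """Build the cifs/ SPN the client asks the KDC for.

    Without canonicalization the SPN is built from the name exactly as typed
    (the behaviour the thread complains about); with it, the name is first
    expanded to its FQDN through `resolver`.
    """
    name = resolver(server_name) if canonicalize else server_name
    return f"cifs/{name.lower()}@{realm}"


def kdc_lookup(spn, known_spns=KDC_SPNS):
    """Model the TGS reply: a ticket, or KDC_ERR_S_PRINCIPAL_UNKNOWN."""
    return "OK" if spn in known_spns else "PRINCIPAL_UNKNOWN"


def negotiate(server_name, canonicalize=False, allow_ntlm_fallback=True, resolver=socket.getfqdn):
    """Return (mechanism, spn) the client ends up using for the session setup.

    A PRINCIPAL_UNKNOWN reply makes the client fall back to NTLMSSP, as in the
    quoted logs. With allow_ntlm_fallback=False the connection is refused
    instead, which is the fail-closed behaviour the original poster wanted.
    """
    spn = service_principal(server_name, canonicalize=canonicalize, resolver=resolver)
    if kdc_lookup(spn) == "OK":
        return ("kerberos", spn)
    if allow_ntlm_fallback:
        return ("ntlmssp", spn)
    raise PermissionError(f"KDC returned PRINCIPAL_UNKNOWN for {spn}; NTLM fallback disabled")


# Constructed smbd log excerpt patterned on the level-3 lines quoted above,
# with the mail client's line wrapping undone.
SAMPLE_LOG = """\
[2009/02/11 16:59:46,  3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:59:46,  3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
"""

GOT_USER_RE = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")


def ntlm_logins(log_text):
    """Return (user, domain, workstation) for each session setup that went
    through ntlmssp_server_auth, i.e. every one that did not use Kerberos.
    Useful for spotting the fallback on the server side after the fact."""
    lines = log_text.splitlines()
    found = []
    for i, line in enumerate(lines):
        if "ntlmssp_server_auth" in line and i + 1 < len(lines):
            m = GOT_USER_RE.search(lines[i + 1])
            if m:
                found.append(m.groups())
    return found


if __name__ == "__main__":
    # Short name, no canonicalization: PRINCIPAL_UNKNOWN, then NTLMSSP.
    print(negotiate("printserver", resolver=fake_resolver))
    # Same name canonicalized to the FQDN first: Kerberos works.
    print(negotiate("printserver", canonicalize=True, resolver=fake_resolver))
    # Short name with fallback disabled: refused instead of silently downgraded.
    try:
        negotiate("printserver", allow_ntlm_fallback=False, resolver=fake_resolver)
    except PermissionError as e:
        print("refused:", e)
    print(ntlm_logins(SAMPLE_LOG))
```

The point of the model is that the downgrade happens on the client, after the KDC has already said no: the server only ever sees the NTLMSSP leg, which is why the quoted smbd log never mentions Kerberos. Scanning the server log for `ntlmssp_server_auth` is therefore the practical way to find clients that ended up on NTLM, whatever the reason.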