[Samba] Untrusted domains with security=ads

Deyan Stoykov dstoykov at uni-ruse.bg
Tue Apr 2 07:28:55 MDT 2013


Hello everyone,

Samba 3.6.9 on CentOS 6.4. With "security = ads", winbind doesn't 
authenticate requests that prepend a non-existent domain to the 
username. Users that have logged into the domain authenticate 
transparently to squid with NTLM (format is domain\username), but not 
users that are logged in locally or into another domain with the same 
username and password (format is something_else\username). This wasn't 
the case with "security = domain" and a Samba 3 DC:

with security = ads:

# wbinfo -a uni-ruse\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

# wbinfo -a fgdgdgd\\dstoykov%password
plaintext password authentication failed
Could not authenticate user fgdgdgd\dstoykov with plaintext password
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
error message was: No such user
Could not authenticate user fgdgdgd\dstoykov with challenge/response

with security = domain:

# wbinfo -a uni-ruse\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

# wbinfo -a fgdgdgd\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded

"map untrusted to domain" solves the same problem for smbd, but doesn't 
seem to affect ntlm_auth.

[global]
         workgroup = UNI-RUSE
         realm = UNI-RUSE.BG
         server string =
         security = ADS
         load printers = No
         printcap name = /dev/null
         disable spoolss = Yes
         wins server = 172.16.0.6, 172.16.0.10
         template homedir = /dev/null
         template shell = /sbin/nologin
         idmap config * : range = 1000000-1999999
         idmap config * : backend = tdb

Is this a bug or working as designed?
Thanks,
Deyan

-- 
Deyan Stoykov, dstoykov at uni-ruse.bg
System administrator
Computing and Information Services Center
University of Ruse
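
An added example, not part of the original post and not Samba code: a small Python parser for "wbinfo -a" transcripts like the ones quoted above, which reports the domain prefixes other than the configured workgroup under which authentication succeeded, so the two "security" modes can be compared after a configuration change. The transcripts are abridged from the output in the post; the function and constant names are assumptions made for this example.

```python
import re

# Transcripts abridged from the "wbinfo -a" output quoted in the post above.
ADS = r"""# wbinfo -a uni-ruse\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
# wbinfo -a fgdgdgd\\dstoykov%password
plaintext password authentication failed
challenge/response password authentication failed
error code was NT_STATUS_NO_SUCH_USER (0xc0000064)
"""
DOMAIN = r"""# wbinfo -a uni-ruse\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
# wbinfo -a fgdgdgd\\dstoykov%password
plaintext password authentication succeeded
challenge/response password authentication succeeded
"""

CMD = re.compile(r"^#\s*wbinfo -a ([^\\%\s]+)\\+([^%\s]+)%")
RESULT = re.compile(r"^(plaintext|challenge/response) password authentication (succeeded|failed)$")
STATUS = re.compile(r"^error code was (NT_STATUS_\w+)")

def parse_transcript(text):
    """Return one record per 'wbinfo -a' command found in the transcript."""
    attempts, current = [], None
    for line in map(str.strip, text.splitlines()):
        if m := CMD.match(line):
            current = {"domain": m.group(1), "user": m.group(2),
                       "plaintext": None, "challenge/response": None, "status": None}
            attempts.append(current)
        elif current is not None and (m := RESULT.match(line)):
            current[m.group(1)] = m.group(2) == "succeeded"
        elif current is not None and (m := STATUS.match(line)):
            current["status"] = m.group(1)
    return attempts

def accepted_foreign_domains(attempts, workgroup):
    """Domain prefixes other than the workgroup for which any method succeeded."""
    return sorted({a["domain"] for a in attempts
                   if a["domain"].lower() != workgroup.lower()
                   and (a["plaintext"] or a["challenge/response"])})

if __name__ == "__main__":
    for mode, text in (("ads", ADS), ("domain", DOMAIN)):
        print(mode, accepted_foreign_domains(parse_transcript(text), "UNI-RUSE"))
```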

