[Samba] NT4 clients
Ryan Bair
ryandbair at gmail.com
Mon Jul 29 15:00:22 MDT 2013
I'm attempting to get an old NT4 client participating in a Samba4 domain.
Users can logon to the machine locally and access network shares on other
machines in the network. However, no one can access shares on the NT4
machine using the machine name. Attempting this results in an error "The
account is not authorized to log in from this station." Using the IP
address does work however.
The clients are configured to allow no smb signing and NTLMv1, I think I
have all the security settings covered.
I noticed while looking at wireshark though that the client is doing
TGS-REQ for cifs/nt4test and Samba is returning a full TGS-REP. This feels
very odd to me since there is no such SPN cifs/nt4test on the network.
'setspn -Q cifs/nt4test' confirms this.
I've also noticed that the MS docs state:
<94> Section 3.2.5.2:
<http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94>When
the server completes negotiation and returns the CAP_EXTENDED_SECURITY flag
as not set, Windows-based SMB clients query the Key Distribution Center
(KDC)<http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081#key_distribution_center_KDC>to
verify whether a service ticket is registered for the given security
principal name (SPN)<http://msdn.microsoft.com/en-us/library/54af12e1-fcc1-4d62-bd47-c80514ac2615#spn>.
If the query indicates that the
SPN<http://msdn.microsoft.com/en-us/library/54af12e1-fcc1-4d62-bd47-c80514ac2615#spn>is
registered with the
KDC<http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081#key_distribution_center_KDC>,
then the SMB client terminates the connection and returns an
implementation-specific security downgrade error to the caller.
The client does have CAP_EXTENDED_SECURITY set and I'm guessing the TGS-REQ
is how Windows is testing the presence of the SPN. Since the test is
succeeding and the server doesn't advertise the extended security
capability, Windows disconnects.
Can someone confirm my hypothesis?
More information about the samba
mailing list