[Samba] NT4 clients

Ryan Bair ryandbair at gmail.com
Mon Jul 29 15:05:12 MDT 2013

Oh, forgot to mention. Samba 4.0.7-4 Sernet packages running on CentOS 6.4.

On Mon, Jul 29, 2013 at 5:00 PM, Ryan Bair <ryandbair at gmail.com> wrote:

> I'm attempting to get an old NT4 client participating in a Samba4 domain.
> Users can logon to the machine locally and access network shares on other
> machines in the network. However, no one can access shares on the NT4
> machine using the machine name. Attempting this results in an error "The
> account is not authorized to log in from this station." Using the IP
> address does work however.
> The clients are configured to allow no smb signing and NTLMv1, I think I
> have all the security settings covered.
> I noticed while looking at wireshark though that the client is doing
> TGS-REQ for cifs/nt4test and Samba is returning a full TGS-REP. This feels
> very odd to me since there is no such SPN cifs/nt4test on the network.
> 'setspn -Q cifs/nt4test' confirms this.
> I've also noticed that the MS docs state:
> <94> Section
> <http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94>When
> the server completes negotiation and returns the CAP_EXTENDED_SECURITY flag
> as not set, Windows-based SMB clients query the Key Distribution Center
> (KDC)<http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081#key_distribution_center_KDC>to verify whether a service ticket is registered for the given security
> principal name (SPN)<http://msdn.microsoft.com/en-us/library/54af12e1-fcc1-4d62-bd47-c80514ac2615#spn>.
> If the query indicates that the SPN<http://msdn.microsoft.com/en-us/library/54af12e1-fcc1-4d62-bd47-c80514ac2615#spn>is registered with the
> KDC<http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081#key_distribution_center_KDC>,
> then the SMB client terminates the connection and returns an
> implementation-specific security downgrade error to the caller.
> The client does have CAP_EXTENDED_SECURITY set and I'm guessing the
> TGS-REQ is how Windows is testing the presence of the SPN. Since the test
> is succeeding and the server doesn't advertise the extended security
> capability, Windows disconnects.
> Can someone confirm my hypothesis?

More information about the samba mailing list