[Samba] Printserver after latest MS updates

Achim Gottinger achim at ag-web.biz
Mon Nov 1 16:29:56 UTC 2021 

Am 25.10.21 um 18:51 schrieb Achim Gottinger via samba:
> Am 25.10.21 um 16:30 schrieb Christian Naumer via samba:
>> s far as I understood it. Non Domain joined clients can connect to resources on the Domain if you connect using domainuser credentials. However, NTLM not Kerberos is used then. If you block NTLM then non Domain joined clients will stop to work.
>>
>> This all seems related...
> For filesharing NTLMv2 still wokrs with local accounts. Before the oktober update once I connected with domainuser credentials from an local account i could manage printers and drivers using printmanagement. This also does no longer work. So MS changed the behavior NTLM is involved in printing.
>>
>> As for Kerberos. I use non domain joined client (Linux though) where I just configured the krb5.conf and I can then "kinit" and use my domain credentials to connect to server using krb auth with ssh.
>> I haven't tried with windows. 
>
> I was hoping this can be archieved on windows as well. There is no native kinit on windows but i found java jdk's have such a binary. kinit kan be used to get an ticket which the native klist shows as valid but the file explorer does not use it when connecting to servers.
>
> Looking at https://en.wikipedia.org/wiki/Security_Support_Provider_Interface, windows uses NTLMSSP for non domain computers.
>
> The other method with heimdal and network identity manager i mentioned are used for single sign on against openafs and seem to work with firefox. Had no luck with the file explorer.
>
>
> Achim

Turned out windows does use kerberos if the credentials passed to the server are in the form username at realm or realm\username. Logged on with an local non domain account on the computer and using above domain credentials to log on to a samba fileserver results in acquiring an valid kerberos ticket. klist also shows cifs/... principals.

This changed with 2021-10. Now kerberos auth seems to be broken for spoolss auth requests and windows falls back to NTLMv2. Logged in with an domain account on the pc this fall back succeeds but with an local account and an valid acquired kerberos domain ticket it fails.

With windows 11 however kerberos succeeds with an local account + valid domain ticket. I see no NTLM auth request in the samba log file here.

For testing I only tried to connect to the fileserver with windows print management. If it succeeded it showed printers and drivers if not these lists where empty.

Achim

More information about the samba mailing list