ntlm_auth returns different answers with 2 trusted AD forests
John
elmer_samba at yahoo.com.cn
Tue Jan 26 03:05:36 MST 2010
Hi all,
We're using ntlm_auth to do MS-CHAP authentication. It is OK when talking to 1 AD forest. When we talk to 2 backend AD forests (they trust each other), we are having odd issues authenticating with ntlm_auth.
* An ntlm_auth --username=whatever and then giving a password returns NT_STATUS_OK: Success (0x0).
* An incorrect password returns NT_STATUS_WRONG_PASSWORD, as expected.
* Taking a username, domain, challenge and NT response from an MS-CHAP session and testing on the command line returns a different NT key every time.
AH-02fb83:~$ ntlm_auth --request-nt-key --username=hhe --domain=aero --challenge=85c257c80acce09e --nt-response=c880246f181734b101bd46a7dad722235ca723be26f3499b
NT_KEY: 1C78E1E844717ACE89FF35A501EA34B6
AH-02fb83:~$ ntlm_auth --request-nt-key --username=hhe --domain=aero --challenge=85c257c80acce09e --nt-response=c880246f181734b101bd46a7dad722235ca723be26f3499b
NT_KEY: 82F8600F734A44C405B698CD45E75517
...
The Samba version is 3.3.3. It looks the same as bug #6563 (https://bugzilla.samba.org/show_bug.cgi?id=6563).
I made a code change: if I comment out the API "rescan_forest_trusts()", ntlm_auth works well. Hope this can help you troubleshoot the issue.
John
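
Added example, not part of the original post and not Samba code: a small Python check for the symptom reported above, where identical --username/--domain/--challenge/--nt-response inputs come back with different NT_KEY values. The sample transcript is the two invocations quoted in the post; the function names are hypothetical, and run_repeated assumes ntlm_auth is on the PATH of a joined host.

```python
import shlex
import subprocess
from collections import defaultdict

# Sample transcript: the two invocations quoted in the post above.
SAMPLE = """\
AH-02fb83:~$ ntlm_auth --request-nt-key --username=hhe --domain=aero --challenge=85c257c80acce09e --nt-response=c880246f181734b101bd46a7dad722235ca723be26f3499b
NT_KEY: 1C78E1E844717ACE89FF35A501EA34B6
AH-02fb83:~$ ntlm_auth --request-nt-key --username=hhe --domain=aero --challenge=85c257c80acce09e --nt-response=c880246f181734b101bd46a7dad722235ca723be26f3499b
NT_KEY: 82F8600F734A44C405B698CD45E75517
"""

FIELDS = ("username", "domain", "challenge", "nt-response")

def parse_transcript(text):
    """Map each (username, domain, challenge, nt-response) to the NT keys seen."""
    seen = defaultdict(list)
    current = None
    for line in text.splitlines():
        if "ntlm_auth " in line:
            # Drop any shell prompt, then read the --name=value options.
            args = shlex.split(line[line.index("ntlm_auth "):])[1:]
            opts = dict(a[2:].split("=", 1) for a in args
                        if a.startswith("--") and "=" in a)
            # Names and hex strings are compared case-insensitively.
            current = tuple(opts.get(f, "").lower() for f in FIELDS)
        elif line.startswith("NT_KEY:") and current is not None:
            seen[current].append(line.split(":", 1)[1].strip().upper())
    return dict(seen)

def unstable_inputs(text):
    """Return inputs for which identical requests produced more than one NT key."""
    return {k: sorted(set(v)) for k, v in parse_transcript(text).items()
            if len(set(v)) > 1}

def run_repeated(argv, count=5):
    """Run one ntlm_auth command `count` times; return a transcript to parse."""
    out = []
    for _ in range(count):
        res = subprocess.run(argv, capture_output=True, text=True, check=False)
        out.append(shlex.join(argv))
        out.append(res.stdout.strip())
    return "\n".join(out)

if __name__ == "__main__":
    for key, keys in unstable_inputs(SAMPLE).items():
        print("unstable NT_KEY for", dict(zip(FIELDS, key)), "->", keys)
```

Running the same check before and after a change such as the one described in the post shows whether the returned key has become stable for a fixed challenge and response.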