Fallback to NTLMSSP allowed if KDC is not reachable?
Jeremy Allison
jra at samba.org
Fri Apr 30 02:07:37 UTC 2021
On Fri, Apr 30, 2021 at 07:08:44AM +0530, Shilpa K via samba-technical wrote:
>Hello,
>
>In one instance, port 88 was blocked while port 445 and port 139 were
>allowed on the DC. In this scenario, when we tried to execute 'net ads join
>-k', it was not working. But, with the below code modification, it will
>fall back to NTLMSSP and work. Is it expected to fall back to NTLMSSP in net
>ads commands if krb does not work?

Hmmm. I think that's a policy decision. Not sure
*where* that policy is set, but I'm pretty sure
it's a policy somewhere :-).

Hopefully a Team member who works more on authentication
will chime in here..

>diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
>index 23ab0f9133..0d94ce692e 100644
>--- a/source3/utils/net_ads.c
>+++ b/source3/utils/net_ads.c
>@@ -297,6 +297,8 @@ retry:
> }
> }
>
>+ ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
>+
> status = ads_connect(ads);
>
> if (!ADS_ERR_OK(status)) {
>
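
Review bot: The added "ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;" ahead of "status = ads_connect(ads);" is unconditional, so the flag is set on every pass through this path, including the 'net ads join -k' case from the report where the caller asked for Kerberos. That turns an unreachable KDC (port 88 filtered) into a silent downgrade to NTLMSSP instead of an error. Consider setting the flag only when the administrator has opted in through configuration or a command-line option, and emitting a log message when the fallback is actually taken, so the weaker mechanism never gets used without being visible. A short comment above the assignment stating why NTLMSSP is permitted here would also help.
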
>diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
>index 103120d8ec..53875fb946 100644
>--- a/source3/libnet/libnet_join.c
>+++ b/source3/libnet/libnet_join.c
>@@ -152,6 +152,8 @@ static ADS_STATUS libnet_connect_ads(const char
>*ad_domain_name,
> my_ads->auth.password = SMB_STRDUP(password);
> }
>
>+ my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;
>+
> status = ads_connect_user_creds(my_ads);
> if (!ADS_ERR_OK(status)) {
> ads_destroy(&my_ads);
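
Review bot: In libnet_connect_ads() the new "my_ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;" before "status = ads_connect_user_creds(my_ads);" hard-codes the fallback inside a library helper, so every caller of this function inherits it and none can decline it. Since this is the same policy already added in net_ads.c, it would be better decided once by the caller and handed in (for example as an argument or a field the caller sets) rather than forced at this level. As written there is also no check of why the Kerberos attempt failed, so any failure, not only an unreachable KDC, would be eligible for the NTLMSSP path.
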