So am I up a creek on this issue?

Greg

On Wed, 20 Oct 2004 14:07:16 -0400, Igor Belyi <[EMAIL PROTECTED]> wrote:
> Igor Belyi wrote:
>
> > Gerald (Jerry) Carter wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> Igor Belyi wrote:
> >>
> >> | No, wait! Samba checks only the first OID! And this is the
> >> | reason for NTLM! Here's the comment from source/smbd/sesssetup.c:
> >> |
> >> | /* only look at the first OID for determining the mechToken --
> >> | accoirding to RFC2478, we should choose the one we want
> >> | and renegotiate, but i smell a client bug here..
> >> |
> >> | Problem observed when connecting to a member (samba box)
> >> | of an AD domain as a user in a Samba domain. Samba member
> >> | server sent back krb5/mskrb5/ntlmssp as mechtypes, but the
> >> | client (2ksp3) replied with ntlmssp/mskrb5/krb5 and an
> >> | NTLMSSP mechtoken. --jerry */
> >> |
> >> | Jerry, that's your comment, right? :)
> >>
> >> Yup. That's my change. But since the NTLM authentication
> >> is succeeding, then I'll assume that the token sent back
> >> was an NTLMSSP token as well. So for some reason the client
> >> either can't or won't obtain a ticket for the Samba server.
> >>
> >
> > Do you mean NTLM got negotiated earlier than that code? Or that client
> > obtains Kerberos tickets directly from security server and then just
> > passes them to Samba server? Where do those OIDs corresponding to
> > Kerberos come from then?
> >
> > I don't have ADS and I never saw one. I apologize if my questions are
> > naive.
> >
> > Thanks,
> > Igor
> >
> >> DNS reverse mapping glitch perhaps?
> >
>
> Do you mean it can be related to the machine's domain not being the same
> as Realm? The corresponding bug:
> https://bugzilla.samba.org/show_bug.cgi?id=1651
>
> I just don't know what symptoms may result in this mismatch. Will Samba
> fall back to NTLM if Kerberos authentication is unsuccessful? What else
> should Greg check to find the reason of failure?
>
> Thanks,
> Igor
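
Added illustration, not part of the original thread and not Samba's code: a small decoder for a SPNEGO mechTypes list (DER SEQUENCE OF OBJECT IDENTIFIER) that contrasts the first-OID rule described in the quoted comment with choosing the acceptor's preferred mechanism from the whole list. The function names and the constructed sample blob are assumptions made for the example; the two orderings are the ones given in the comment.

```python
MECH_NAMES = {  # well-known SPNEGO mechanism OIDs
    "1.2.840.113554.1.2.2": "krb5",
    "1.2.840.48018.1.2.2": "mskrb5",
    "1.3.6.1.4.1.311.2.2.10": "ntlmssp",
}
OID_OF = {name: oid for oid, name in MECH_NAMES.items()}

def encode_mech_types(names):
    """Build a DER SEQUENCE OF OBJECT IDENTIFIER (constructed sample input)."""
    out = bytearray()
    for name in names:
        arcs = [int(a) for a in OID_OF[name].split(".")]
        body = bytearray()
        for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
            chunk = [arc & 0x7F]
            while arc > 0x7F:
                arc >>= 7
                chunk.insert(0, (arc & 0x7F) | 0x80)
            body += bytes(chunk)
        out += bytes([0x06, len(body)]) + body
    return bytes([0x30, len(out)]) + bytes(out)

def decode_mech_types(der):
    """Parse the list back, rejecting malformed or long-form input."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2 or der[1] > 0x7F:
        raise ValueError("expected a short-form SEQUENCE")
    oids, pos = [], 2
    while pos < len(der):
        if pos + 2 > len(der) or der[pos] != 0x06 or not 0 < der[pos + 1] < 0x80:
            raise ValueError("expected OBJECT IDENTIFIER")
        end = pos + 2 + der[pos + 1]
        if end > len(der) or der[end - 1] & 0x80:
            raise ValueError("truncated OBJECT IDENTIFIER")
        arcs, value = [], 0
        for byte in der[pos + 2:end]:
            value = (value << 7) | (byte & 0x7F)
            if not byte & 0x80:
                arcs.append(value)
                value = 0
        first = min(arcs[0] // 40, 2)
        oids.append(".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:])))
        pos = end
    return [MECH_NAMES.get(oid, oid) for oid in oids]

def first_oid_choice(client_list):
    """What the quoted comment describes: only the first OID decides."""
    return client_list[0] if client_list else None

def preferred_choice(client_list, server_order):
    """The alternative the comment mentions: the acceptor picks the one it wants."""
    return next((m for m in server_order if m in client_list), None)

SERVER_ORDER = ["krb5", "mskrb5", "ntlmssp"]  # order the member server sent
CLIENT_BLOB = encode_mech_types(["ntlmssp", "mskrb5", "krb5"])  # client's reply order
```

With the client's ordering from the comment, the first-OID rule yields ntlmssp even though both sides list krb5, which is why a packet capture of the client's mechTypes order is a useful check when Kerberos is expected but NTLM is observed.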
