Greg Adams wrote:
So am I up a creek on this issue?
Gerald (Jerry) Carter wrote:
Yup. That's my change. But since the NTLM authentication
is succeeding, then I'll assume that the token sent back
was an NTLMSSP token as well. So for some reason the client
either can't or won't obtain a ticket for the Samba server.
DNS reverse mapping glitch perhaps?
Ok, as I said, I don't have any experience with ADS and only vague knowledge of Kerberos, so I'll try to put forward a theory, and if it's completely wrong at least it will give somebody a chance to correct me.
The basic idea of Kerberos is that everyone takes their tickets from the same source. The client gets its own ticket from the security server. Whenever it needs to authenticate itself to an application server, it gets an application server ticket from the same security server as well. This application server ticket is used to encrypt the client's identity so that only the right application server can find it out. The server, on the other hand, trusts the client because it encrypted its identity with a ticket which it can only get from the same security server the application server got its own ticket from.
To be honest, I don't know the details of the Kerberos setup between the client, Samba, and ADS when 'security = ads' is used, but I would guess that ADS is a security server which distributes Kerberos tickets and Samba is a server which provides shares depending on the client's identity. But the fact that failed Kerberos communication can fall back to normal domain authentication (NTLM) confuses me. Does it mean that the client, after the first failed attempt, will pass only NTLM credentials? But why then is there still information regarding Kerberos abilities passed around?
I think what Jerry is saying is that the client (XP) got an incorrect Samba server ticket from ADS. According to what I've heard, ADS gives tickets based on the name of the server, the machine name this server runs on, and the realm the server belongs to. Unfortunately, I don't know how and who determines the machine name, but based on Jerry's comment this could be the reason for the problem. I'd guess it's a good idea to check whether DNS name -> IP -> DNS name gives a consistent result on all 3 participants: the Samba server, the XP client, and ADS.
Hope it's not useless, Igor
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
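The round-trip check Igor suggests (DNS name -> IP -> DNS name on each of the three machines) can be scripted so the same test is run from the Samba box, the XP client and the domain controller and the outputs compared. The script below is an added example and is not code from the thread or from the Samba project. The host names and addresses in the constructed table are hypothetical and stand in for real DNS so the check runs offline; passing host names on the command line switches to live lookups through the resolver of whichever machine the script is run on, which is the point of the exercise, since each participant may use a different resolver or hosts file.

```python
"""Forward/reverse DNS round-trip consistency check.

Added example (not from the mailing-list thread). Names and addresses in
FAKE_A / FAKE_PTR are constructed for illustration only.
"""
import socket
import sys
from typing import Callable, Dict, Iterable, Tuple

# Constructed stand-in for DNS: A records and PTR records (hypothetical data).
FAKE_A = {
    "samba1.example.com": "192.0.2.10",
    "xpclient.example.com": "192.0.2.20",
    "dc1.example.com": "192.0.2.5",
}
FAKE_PTR = {
    "192.0.2.10": "samba1.example.com.",   # trailing dot: fine once normalised
    "192.0.2.20": "XPCLIENT.example.com",  # case difference: fine once normalised
    "192.0.2.5": "dc1-old.example.com",    # stale PTR: the kind of mismatch to look for
}


def fake_forward(name: str) -> str:
    """Name -> IP against the constructed table; raises like socket.gethostbyname."""
    try:
        return FAKE_A[name]
    except KeyError:
        raise socket.gaierror(f"no A record for {name}")


def fake_reverse(ip: str) -> str:
    """IP -> name against the constructed table; raises like socket.gethostbyaddr."""
    try:
        return FAKE_PTR[ip]
    except KeyError:
        raise socket.herror(f"no PTR record for {ip}")


def live_forward(name: str) -> str:
    """Real forward lookup using this machine's resolver."""
    return socket.gethostbyname(name)


def live_reverse(ip: str) -> str:
    """Real reverse lookup using this machine's resolver (canonical name only)."""
    return socket.gethostbyaddr(ip)[0]


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def check_round_trip(
    hostname: str,
    forward: Callable[[str], str] = live_forward,
    reverse: Callable[[str], str] = live_reverse,
) -> Tuple[bool, str]:
    """Return (ok, detail) for hostname -> IP -> hostname.

    A failure is either a lookup that errors out or a PTR that does not
    map back to the name we started from.
    """
    fqdn = normalize(hostname)
    try:
        ip = forward(fqdn)
    except OSError as exc:  # gaierror/herror are OSError subclasses
        return False, f"{fqdn}: forward lookup failed: {exc}"
    try:
        back = normalize(reverse(ip))
    except OSError as exc:
        return False, f"{fqdn} -> {ip}: reverse lookup failed: {exc}"
    if back != fqdn:
        return False, f"{fqdn} -> {ip} -> {back} (mismatch)"
    return True, f"{fqdn} -> {ip} -> {back} (consistent)"


def check_all(
    hosts: Iterable[str],
    forward: Callable[[str], str] = live_forward,
    reverse: Callable[[str], str] = live_reverse,
) -> Dict[str, Tuple[bool, str]]:
    """Run the round-trip check for every host and collect the results."""
    return {host: check_round_trip(host, forward, reverse) for host in hosts}


if __name__ == "__main__":
    # With arguments: live lookups via this machine's resolver.
    # Without arguments: demonstrate on the constructed table.
    if sys.argv[1:]:
        results = check_all(sys.argv[1:])
    else:
        results = check_all(FAKE_A, fake_forward, fake_reverse)
    for ok, detail in results.values():
        print(("OK  " if ok else "BAD ") + detail)
```

Run it with the Samba server's, the client's and the domain controller's names as arguments on each of the three machines; any line marked BAD, or any line that differs between machines, is a candidate for the "reverse mapping glitch" Jerry mentions. Note that gethostbyname returns a single address, so a host with several A records should be checked per address as well.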
