On Wed, Feb 11, 2009 at 05:10:02PM +0100, Guillaume Rousse wrote:
> Guillaume Rousse wrote:
> >For members of the domain, though, the client first attempts a kerberos
> >auth, which fails, as he is not using print server FQDN, and doesn't
> >perform host name canonicalization.
> Actually, from reading the logs, this is false: samba doesn't even
> attempt to perform a kerberos auth when a share is accessed through a
> non-FQDN name, but directly attempts NTLM:
>
> [2009/02/11 16:59:46, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
> Doing spnego session setup
> [2009/02/11 16:59:46, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
> NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows
> 2002 5.1] PrimaryDomain=[]
> [2009/02/11 16:59:46, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
> check_spnego_blob_complete: needed_len = 180, pblob->length = 180
> [2009/02/11 16:59:46, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
> Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24
> len2=24
> [2009/02/11 16:59:46, 5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(68)
> auth_context challenge set by NTLMSSP callback (NTLM2)
Look at the sniff. Your KDC sends a PRINCIPAL_UNKNOWN when the client asks for the ticket with the wrong servername. The client then falls back to ntlmssp.

Volker
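A small log-scanning script, added here as an example (it is not from the thread or from the Samba project), that pulls the NTLMSSP authentication events shown in the quoted smbd debug output and tallies them per workstation, so an admin can see which clients are reaching the server by a non-FQDN name and landing on NTLM instead of Kerberos. The sample log is constructed, modelled on the quoted lines (log level 3 or higher); the second and third logons are made up for contrast.

```python
import re

# Constructed smbd debug output, modelled on the lines quoted in the thread.
# Real smbd output puts the header on one line and the message body indented
# on the next; the first entry reproduces the thread's logon, the rest are made up.
SAMPLE_LOG = """\
[2009/02/11 16:59:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:59:46, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
[2009/02/11 16:59:46, 5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(68)
  auth_context challenge set by NTLMSSP callback (NTLM2)
[2009/02/11 17:02:10, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[alice] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
[2009/02/11 17:05:33, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[bob] domain=[MSR-INRIA] workstation=[BASTILLE] len1=24 len2=24
"""

# "[timestamp, level] file.c:function(line)" header that starts every smbd message.
HEADER_RE = re.compile(r"^\[(?P<ts>[^,\]]+), (?P<level>\d+)\] (?P<func>\S+)$")
# Body line written by ntlmssp_server_auth() once the NTLMSSP AUTHENTICATE arrives.
NTLMSSP_RE = re.compile(
    r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
    r"workstation=\[(?P<ws>[^\]]*)\]"
)

def ntlmssp_logons(log_text):
    """Return one dict per NTLMSSP authentication found in smbd debug output."""
    events = []
    pending = None  # header of the message whose body line we are reading
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            pending = header.groupdict()
            continue
        if pending and pending["func"].startswith("libsmb/ntlmssp.c:ntlmssp_server_auth"):
            body = NTLMSSP_RE.search(line)
            if body:
                events.append({"ts": pending["ts"], "user": body["user"],
                               "domain": body["domain"], "workstation": body["ws"]})
        pending = None  # a message body is a single line; reset for the next header
    return events

def ntlm_fallbacks_by_workstation(log_text):
    """Count NTLMSSP logons per client workstation; a high count flags a client to fix."""
    counts = {}
    for ev in ntlmssp_logons(log_text):
        counts[ev["workstation"]] = counts.get(ev["workstation"], 0) + 1
    return counts

if __name__ == "__main__":
    print(ntlm_fallbacks_by_workstation(SAMPLE_LOG))
```

Feed it the real log.smbd (or `log.<client>` with `log level = 3`) instead of SAMPLE_LOG; a workstation that appears here for a share it should reach over Kerberos is one that is using a short name rather than the server's FQDN.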
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
