Volker Lendecke a écrit :
On Wed, Feb 11, 2009 at 05:10:02PM +0100, Guillaume Rousse wrote:
Guillaume Rousse a écrit :
For members of the domain, tough, the client first attempt a kerberos
auth, which fails, as he is not using print server FQDN, and doesn't
performs host name canonicalization.
Actually, from reading the logs, this is false: samba doesn't even
attempt to perform a kerberos auth when a share is accessed through a
non-FQDN name, but directly attempts NTLM:
[2009/02/11 16:59:46, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
Doing spnego session setup
[2009/02/11 16:59:46, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows
2002 5.1] PrimaryDomain=[]
[2009/02/11 16:59:46, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
check_spnego_blob_complete: needed_len = 180, pblob->length = 180
[2009/02/11 16:59:46, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24
len2=24
[2009/02/11 16:59:46, 5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(68)
auth_context challenge set by NTLMSSP callback (NTLM2)
Look at the sniff. Your KDC sends a PRINCIPAL_UNKNOWN when
the client asks for the ticket with the wrong servername.
The client then falls back to ntlmssp.
OK, so my initial assumption was not totally erroneous :)
Is there any way to either:
- perform some kind of name canonicalization, either on client or server
side ?
- desactivate any kind of authentication but kerberos, either for this
share, or globally ?
--
BOFH excuse #417:
Computer room being moved. Our systems are down for the weekend.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
