Jason Haar
2007-Feb-28 23:36 UTC
[Samba] winbind design query: why does ntlm_auth work when the same auth via smbd fails?
I have an issue with being unable to successfully allow any user from trusted domains to connect to an ADS Samba-3.0.24 server (joined via kinit && net ads join).

Our AD (Win2K3 based) domain is "OURDOM", and Samba is a member of it. Access from OURDOM accounts is 100% fine. However (2-way trusted) username "TDOM\user1" cannot connect to an open share on it, and yet "ntlm_auth --username=user1 --domain=TDOM" successfully authenticates!

I have seen this several times before under different Samba releases, and have seen others report it on this list too. Typically the logging shows the smbd connection coming in as "[TDOM]\user1" - but suddenly the domain gets dropped, and "user1" is authenticated - incorrectly - apparently against the OURDOM domain (which will obviously fail).

Can someone explain why ntlm_auth could possibly work (it implies winbind is totally happy?), whereas smbd should return Access Denied?

And yes, "allow trusted domains = Yes" is set.

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1