Guillaume Rousse
2009-Feb-11 14:57 UTC
[Samba] deactivating NTLM fallback when accessing a share and kerberos auth fails
Hello.
I have a print server member of an AD domain, and my users are
authenticated through an external kerberos domain. My samba server FQDN
is 'etoile.msr-inria.inria.fr', and has 'cups.msr-inria.inria.fr' as DNS
alias.
For foreign visitors, everything works fine: when attempting to reach
\\cups, samba immediately detects from the given credentials that the user
comes from an unknown domain, and immediately gives him guest access.
That's the desirable behaviour.
For members of the domain, though, the client first attempts a kerberos
auth, which fails, as he is not using the print server FQDN, and doesn't
perform host name canonicalization. It then attempts NTLM auth as
fallback, which can't succeed either, as the user doesn't have a valid
password in the domain (he's using the external auth service). When this
fails, he is then allowed to access the service as guest, but that's a
bit ugly and counter-intuitive :( On the other hand, if he tries to
access \\etoile.msr-inria.inria.fr instead, kerberos auth works, and the
user can access the service with his own credentials.
I'd like to avoid giving different usage information to visitors and
members, and I'd also like everyone accessing the service through the
CNAME, so as to be able to migrate it freely. Is there a way to achieve
this with the current settings?
As I'm not really interested in authentication here, except for admins
to change print drivers, I'm thinking of moving from the 'ads' security
model to the simpler 'share' one, and using a local samba-specific password
database for admins. Currently, I haven't found any advantage in making
the print server a member of the domain.
I'm using samba 3.2.9 on Linux, and here is relevant part of my
configuration:
[global]
workgroup = MSR-INRIA
realm = MSR-INRIA.IDF
use kerberos keytab = yes
server string = Etoile
printcap name = cups
load printers = yes
printcap cache time = 60
printing = cups
log file = /var/log/samba/%m.log
max log size = 50
log level = 3
map to guest = bad user
guest account = nobody
security = ads
encrypt passwords = yes
username map = /etc/samba/smbusers
local master = no
domain master = no
preferred master = no
dns proxy = yes
wins support = no
wins proxy = no
[printers]
comment = All Printers
path = /var/spool/samba
browseable = yes
guest ok = yes
writable = no
printable = yes
create mode = 0700
print command = lpr-cups -P %p -o raw %s -r
use client driver = no
[print$]
comment = Print drivers
path = /var/lib/samba/printers
browseable = yes
write list = root
guest ok = yes
--
BOFH excuse #449:
greenpeace free'd the mallocs
Guillaume Rousse
2009-Feb-11 16:10 UTC
[Samba] deactivating NTLM fallback when accessing a share and kerberos auth fails
Guillaume Rousse wrote:
> For members of the domain, though, the client first attempts a kerberos
> auth, which fails, as he is not using the print server FQDN, and doesn't
> perform host name canonicalization.
Actually, from reading the logs, this is false: samba doesn't even attempt
to perform a kerberos auth when a share is accessed through a non-FQDN
name, but directly attempts NTLM:

[2009/02/11 16:59:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:59:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/02/11 16:59:46, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
  check_spnego_blob_complete: needed_len = 180, pblob->length = 180
[2009/02/11 16:59:46, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
[2009/02/11 16:59:46, 5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(68)
  auth_context challenge set by NTLMSSP callback (NTLM2)

When using a FQDN, this becomes:

[2009/02/11 16:57:33, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:57:33, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/02/11 16:57:33, 10] smbd/password.c:register_initial_vuid(194)
  register_initial_vuid: allocated vuid = 114
[2009/02/11 16:57:33, 10] smbd/sesssetup.c:check_spnego_blob_complete(1121)
  check_spnego_blob_complete: needed_len = 1365, pblob->length = 1365
[2009/02/11 16:57:33, 5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2009/02/11 16:57:33, 5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 2 840 113554 1 2 2
[2009/02/11 16:57:33, 5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2009/02/11 16:57:33, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 1299
[2009/02/11 16:57:33, 10] libads/kerberos_verify.c:ads_secrets_verify_ticket(273)

Can someone enlighten me about this behaviour difference?
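The two log excerpts above differ in one observable way: for the FQDN the client's SPNEGO NegTokenInit lists the Kerberos OIDs first and smbd goes on to verify a ticket, while for the alias there is no OID list at all and smbd drops straight into ntlmssp_server_auth. The following script, added here as an editorial example and not code from the thread or from the Samba project, turns that observation into a check you can run over an smbd log at log level 5 or higher: it groups lines into session setups, classifies each as Kerberos or NTLMSSP from the mechanism OIDs and the NTLMSSP "Got user=" line, and reports the setups where a user of your own workgroup silently fell back to NTLM. The sample log is constructed: it is rebuilt from the excerpts quoted above in smbd's real two-line header/message layout, plus one invented visitor session from a domain called VISITOR; the workgroup name MSR-INRIA is taken from the posted smb.conf.

```python
"""Spot SPNEGO session setups in an smbd log (Samba 3.x, log level >= 5)
that went through NTLMSSP instead of Kerberos.

Added example for this thread, not code from the Samba project.  The
sample log is constructed: rebuilt from the excerpts quoted in the thread
(header and message on separate lines, as smbd writes them) plus one
invented visitor session from a domain called VISITOR."""

import re

# SPNEGO mechanism OIDs exactly as parse_spnego_mechanisms() prints them.
MECH_OIDS = {
    "1 2 840 48018 1 2 2": "MS-KRB5",     # Microsoft Kerberos 5 (legacy OID)
    "1 2 840 113554 1 2 2": "KRB5",       # RFC 1964 Kerberos 5
    "1 3 6 1 4 1 311 2 2 10": "NTLMSSP",  # NTLMSSP
}

HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), \d+\] \S+")
OID_RE = re.compile(r"Got OID ([\d ]+)$")
NTLM_RE = re.compile(
    r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")

SAMPLE_LOG = """\
[2009/02/11 16:57:33, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:57:33, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/02/11 16:57:33, 5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 2 840 48018 1 2 2
[2009/02/11 16:57:33, 5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 2 840 113554 1 2 2
[2009/02/11 16:57:33, 5] smbd/sesssetup.c:parse_spnego_mechanisms(749)
  parse_spnego_mechanisms: Got OID 1 3 6 1 4 1 311 2 2 10
[2009/02/11 16:57:33, 3] smbd/sesssetup.c:reply_spnego_negotiate(800)
  reply_spnego_negotiate: Got secblob of size 1299
[2009/02/11 16:59:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 16:59:46, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1208)
  NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2009/02/11 16:59:46, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[rousse] domain=[MSR-INRIA] workstation=[OBERKAMPF] len1=24 len2=24
[2009/02/11 17:02:10, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1173)
  Doing spnego session setup
[2009/02/11 17:02:10, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(745)
  Got user=[jdoe] domain=[VISITOR] workstation=[LAPTOP] len1=24 len2=24
"""


def parse_session_setups(lines):
    """Group smbd log lines into SPNEGO session setups.

    A setup starts at 'Doing spnego session setup' and runs until the next
    one.  Each result records the timestamp of that header, the mechanisms
    the client offered (in the order listed in its NegTokenInit) and the
    NTLMSSP identity fields if ntlmssp_server_auth logged them."""
    setups, current, timestamp = [], None, None
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER_RE.match(line)
        if m:                      # header line: remember its timestamp
            timestamp = m.group(1)
            continue
        msg = line.strip()         # message line (indented by smbd)
        if msg == "Doing spnego session setup":
            current = {"time": timestamp, "mechs": [], "user": None,
                       "domain": None, "workstation": None}
            setups.append(current)
            continue
        if current is None:
            continue
        m = OID_RE.search(msg)
        if m:
            oid = m.group(1)
            current["mechs"].append(MECH_OIDS.get(oid, "OID " + oid))
            continue
        m = NTLM_RE.search(msg)
        if m:
            current["user"], current["domain"], current["workstation"] = m.groups()
    return setups


def classify(setup):
    """KERBEROS if the client's first (optimistic) mechanism is a Kerberos
    OID; NTLMSSP if smbd ran ntlmssp_server_auth or NTLMSSP was offered
    first; UNKNOWN when the log shows neither."""
    mechs = setup["mechs"]
    if mechs and mechs[0] in ("MS-KRB5", "KRB5"):
        return "KERBEROS"
    if setup["user"] is not None or (mechs and mechs[0] == "NTLMSSP"):
        return "NTLMSSP"
    return "UNKNOWN"


def ntlm_fallbacks(lines, workgroup):
    """(time, user, workstation) for setups where a user of our own
    workgroup authenticated with NTLMSSP rather than Kerberos."""
    return [(s["time"], s["user"], s["workstation"])
            for s in parse_session_setups(lines)
            if classify(s) == "NTLMSSP"
            and (s["domain"] or "").upper() == workgroup.upper()]


if __name__ == "__main__":
    for s in parse_session_setups(SAMPLE_LOG.splitlines()):
        print(s["time"], classify(s), s["mechs"], s["user"], s["domain"])
    print("NTLM fallbacks:", ntlm_fallbacks(SAMPLE_LOG.splitlines(), "MSR-INRIA"))
```

Run against the sample, the 16:57:33 setup is classified KERBEROS (it offered MS-KRB5, KRB5, NTLMSSP in that order), the 16:59:46 one is the flagged NTLM fallback for rousse from OBERKAMPF, and the VISITOR session is NTLMSSP but not reported because it is not a member of the workgroup. The script only tells you which mechanism was used, not why; the thread's own observation is that for the alias name the client never offers Kerberos at all, which is why the fallback is invisible unless you look for it.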