Bug 12375 - member server ntlmssp auth fails with user@realm
Summary: member server ntlmssp auth fails with user@realm
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.5.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
 
Reported: 2016-10-12 20:13 UTC by Uri Simchoni
Modified: 2017-11-09 06:51 UTC

Attachments
packet capture (7.56 KB, application/x-pcapng)
2016-10-12 20:14 UTC, Uri Simchoni
no flags
git-am fix for 4.5.next (6.15 KB, patch)
2016-10-25 06:18 UTC, Uri Simchoni
jra: review+
Description Uri Simchoni 2016-10-12 20:13:08 UTC
The following succeeds against a Windows member server joined to a Windows DC, and fails against a Samba member server joined to a Windows DC:

From a Windows client NOT joined to the domain, enter:

net use \\server-ip\share /USER:user@realm

Attached is a packet capture of the auth process. There are two NTLMSSP sessions:
- One with realm\user authentication - succeeds
- One with \user@realm authentication (empty domain) - fails.

The significance of this is that there are devices (e.g. some Xerox scanners) which are incapable of authenticating using Kerberos or as DOMAIN\user, but if you enter user@realm as username, it will authenticate as \user@realm - which succeeds with Windows.
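
The two logons in the capture differ in how the account is split between the DomainName and UserName fields of the NTLMSSP AUTHENTICATE message. The following Python is an added example, not part of the original report or of Samba's code; it parses those two fields and names the form the client sent. The function names are hypothetical, the sample message is constructed, field offsets follow the AUTHENTICATE_MESSAGE layout in MS-NLMP, and cp437 stands in for the OEM code page as an assumption.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE flag bit

def build_authenticate(domain, user, workstation="CLIENT"):
    """Constructed sample: minimal type-3 message with zero-filled
    responses, version and MIC (not a valid logon, only valid framing)."""
    fields = [b"\x00" * 24, b"\x00" * 24,             # LM / NT response placeholders
              domain.encode("utf-16-le"), user.encode("utf-16-le"),
              workstation.encode("utf-16-le"), b""]   # empty session key
    offset, header, payload = 88, b"", b""            # payload starts after 88-byte header
    for f in fields:
        header += struct.pack("<HHI", len(f), len(f), offset)  # Len, MaxLen, Offset
        payload += f
        offset += len(f)
    return (NTLMSSP_SIG + struct.pack("<I", 3) + header +
            struct.pack("<I", NEGOTIATE_UNICODE) + b"\x00" * 24 + payload)

def _field(blob, pos):
    """Read one (Len, MaxLen, Offset) descriptor and return the bytes it points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, pos)
    if offset + length > len(blob):
        raise ValueError("field points outside the message")
    return blob[offset:offset + length]

def parse_authenticate(blob):
    """Return (domain, user) from an NTLMSSP AUTHENTICATE_MESSAGE."""
    if len(blob) < 64 or blob[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", blob, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", blob, 60)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM codec assumed
    # DomainNameFields sit at offset 28, UserNameFields at offset 36.
    return _field(blob, 28).decode(codec), _field(blob, 36).decode(codec)

def classify(domain, user):
    """Name the account form the client put on the wire."""
    if domain == "" and "@" in user:
        return "upn-empty-domain"   # \user@realm: the failing session in this report
    if domain:
        return "domain-qualified"   # realm\user: the succeeding session
    return "bare-user"
```
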
Comment 1 Uri Simchoni 2016-10-12 20:14:03 UTC
Created attachment 12564
packet capture
Comment 2 Uri Simchoni 2016-10-22 18:50:17 UTC
To reproduce using Samba tools, the following passes against a Windows member server (probably also if joined to a Samba DC, but not verified!), and fails against a Samba member server (assuming sufficient access rights on the share):

smbtorture -k no -U 'administrator@domain.fqdn%admin-password' //server-ip/share smb2.getinfo

(haven't spotted an smbtorture test that just authenticates, the smb2.getinfo does some basic file IO in addition to session setup)
Comment 3 Uri Simchoni 2016-10-25 06:18:16 UTC
Created attachment 12598
git-am fix for 4.5.next
Comment 4 Jeremy Allison 2016-10-25 17:38:11 UTC
Re-assigning to Karolin for inclusion in 4.5.next.
Comment 5 Karolin Seeger 2016-10-31 10:12:59 UTC
(In reply to Jeremy Allison from comment #4)
Pushed to autobuild-v4-5-test.
Comment 6 Karolin Seeger 2016-11-01 07:49:15 UTC
(In reply to Karolin Seeger from comment #5)
Pushed to v4-5-test.
Closing out bug report.

Thanks!