The Samba-Bugzilla – Bug 12375
member server ntlmssp auth fails with user@realm
Last modified: 2016-10-13 06:31:03 UTC
The following succeeds against a Windows member server joined to a Windows DC, and fails against a Samba member server joined to a Windows DC:
From a Windows client NOT joined to the domain, enter:
net use \\server-ip\share /USER:user@realm
Attached is a packet capture of the auth process. There are two NTLMSSP sessions:
- One with realm\user authentication - succeeds
- One with \user@realm authentication (empty domain) - fails.
The significance of this is that there are devices (e.g. some Xerox scanners) which are incapable of authenticating using Kerberos or as DOMAIN\user, but if you enter user@realm as username, it will authenticate as \user@realm - which succeeds with Windows.
Created attachment 12564 [details]