Bug 12375 - member server ntlmssp auth fails with user@realm
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Samba QA Contact
Reported: 2016-10-12 20:13 UTC by Uri Simchoni
Modified: 2016-10-13 06:31 UTC (History)

packet capture (7.56 KB, application/x-pcapng)
2016-10-12 20:14 UTC, Uri Simchoni

Description Uri Simchoni 2016-10-12 20:13:08 UTC
The following succeeds against a Windows member server joined to a Windows DC, and fails against a Samba member server joined to a Windows DC:

From a Windows client NOT joined to the domain, enter:

net use \\server-ip\share /USER:user@realm

Attached is a packet capture of the auth process. There are two NTLMSSP sessions:
- One with realm\user authentication - succeeds
- One with \user@realm authentication (empty domain) - fails.

The significance of this is that there are devices (e.g. some Xerox scanners) which are incapable of authenticating using Kerberos or as DOMAIN\user, but if you enter user@realm as username, it will authenticate as \user@realm - which succeeds with Windows.
Comment 1 Uri Simchoni 2016-10-12 20:14:03 UTC
Created attachment 12564
packet capture
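
Added example, not part of the original report or of Samba's code: a small parser for the NTLMSSP AUTHENTICATE_MESSAGE (type 3) that extracts the DomainName and UserName fields, so the two sessions described above (realm\user versus an empty domain with user@realm) can be told apart when reviewing a capture. Field offsets follow MS-NLMP; the classification labels, the helper names and the sample messages are constructed for this example.

```python
import struct

SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE in MS-NLMP

def _field(msg, off):
    # Each field descriptor is Len(2) MaxLen(2) BufferOffset(4), little-endian.
    length, _max, buf = struct.unpack_from("<HHI", msg, off)
    if buf + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[buf:buf + length]

def parse_authenticate(msg):
    """Return (domain, user) from an NTLMSSP AUTHENTICATE_MESSAGE (type 3)."""
    if len(msg) < 64 or msg[:8] != SIG:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # The OEM code page is not carried in the message; ASCII is an assumption.
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    domain = _field(msg, 28).decode(enc, "replace")
    user = _field(msg, 36).decode(enc, "replace")
    return domain, user

def classify(domain, user):
    """Label the name form; the labels are this example's own."""
    if domain:
        return "domain-qualified"
    return "upn-empty-domain" if "@" in user else "bare-user"

def build_sample(domain, user):
    """Constructed type 3 message with empty responses, for offline testing."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    hdr = SIG + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", 0, 0, 64) * 2                    # LM and NT responses
    hdr += struct.pack("<HHI", len(d), len(d), 64)              # DomainName
    hdr += struct.pack("<HHI", len(u), len(u), 64 + len(d))     # UserName
    hdr += struct.pack("<HHI", 0, 0, 64 + len(d) + len(u)) * 2  # Workstation, session key
    hdr += struct.pack("<I", NEGOTIATE_UNICODE)                 # NegotiateFlags at offset 60
    return hdr + d + u

if __name__ == "__main__":
    # Constructed stand-ins for the two sessions in the report.
    for dom, usr in [("realm", "user"), ("", "user@realm")]:
        print(classify(*parse_authenticate(build_sample(dom, usr))), repr(dom), repr(usr))
```

To use it on real traffic, pass the raw NTLMSSP token bytes taken from the SESSION_SETUP request of each session.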