Bug 14697 - net ads commands do not fallback to NTLMSSP if kerberos authentication fails
Summary: net ads commands do not fallback to NTLMSSP if kerberos authentication fails
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2021-05-03 06:52 UTC by Shilpa Krishnareddy
Modified: 2021-05-04 03:14 UTC

Attachment: Set ADS_AUTH_ALLOW_NTLMSSP for net ads commands (2.91 KB, text/plain), 2021-05-03 06:52 UTC, Shilpa Krishnareddy

Description Shilpa Krishnareddy 2021-05-03 06:52:32 UTC
Created attachment 16604 [details]
Set ADS_AUTH_ALLOW_NTLMSSP for net ads commands

Currently, when we use net ads commands (tested with net ads testuser and net ads join), even if we provide a username and password, if the KDC is not reachable there is no fallback to NTLMSSP.

To fall back to NTLMSSP if the KDC is not reachable, we need to set

    ads->auth.flags |= ADS_AUTH_ALLOW_NTLMSSP;

The attached patch worked for me to fix this issue.
Comment 1 Alexander Bokovoy 2021-05-03 12:10:08 UTC
There is already a 'client use kerberos' switch (desired / required / off). I suggest rewriting the check to use lp_client_use_kerberos() to check whether a fallback to NTLMSSP is allowed.

This will not work in FIPS mode and we should not fall back to NTLMSSP there. 'client use kerberos' will be forced to 'required' in FIPS mode and thus you can easily check the state.
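The policy described in comment 1, as an added C example that is not part of the attached patch or of Samba's code: it models the 'client use kerberos' setting (desired / required / off), FIPS mode forcing 'required', and a simulated KDC outcome, and shows when a 'net ads' command may fall back to NTLMSSP. The enum names, the flag bit value and the helper functions are constructed stand-ins for illustration, not Samba's real declarations.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the 'client use kerberos' values (constructed, not Samba's enum). */
enum client_use_kerberos { USE_KRB5_OFF, USE_KRB5_DESIRED, USE_KRB5_REQUIRED };

/* Stand-in for the auth flag the report wants set; the bit value is constructed. */
#define ADS_AUTH_ALLOW_NTLMSSP 0x0010u

enum auth_result { AUTH_KRB5, AUTH_NTLMSSP, AUTH_FAILED };

/* FIPS mode forces the setting to 'required', so the decision below can be
 * driven entirely from the effective policy. */
static enum client_use_kerberos effective_policy(enum client_use_kerberos cfg,
                                                  bool fips_mode)
{
    return fips_mode ? USE_KRB5_REQUIRED : cfg;
}

/* Flags a 'net ads' command should use: permit the NTLMSSP fallback only
 * when the effective policy allows non-Kerberos authentication at all. */
unsigned int net_ads_auth_flags(enum client_use_kerberos cfg, bool fips_mode)
{
    unsigned int flags = 0;
    if (effective_policy(cfg, fips_mode) != USE_KRB5_REQUIRED) {
        flags |= ADS_AUTH_ALLOW_NTLMSSP;
    }
    return flags;
}

/* Simulated connect: Kerberos first (unless off); if the KDC is unreachable,
 * NTLMSSP is used only when the flag allows it and a password was supplied.
 * With 'required' (or FIPS) an unreachable KDC therefore fails closed. */
enum auth_result net_ads_connect(enum client_use_kerberos cfg, bool fips_mode,
                                 bool kdc_reachable, bool have_password)
{
    unsigned int flags = net_ads_auth_flags(cfg, fips_mode);
    if (effective_policy(cfg, fips_mode) != USE_KRB5_OFF && kdc_reachable) {
        return AUTH_KRB5;
    }
    if ((flags & ADS_AUTH_ALLOW_NTLMSSP) && have_password) {
        return AUTH_NTLMSSP;
    }
    return AUTH_FAILED;
}

int main(void)
{
    /* desired, no FIPS, KDC down, password given: the fallback the report asks for */
    printf("desired/KDC down -> %d (1 = NTLMSSP)\n",
           net_ads_connect(USE_KRB5_DESIRED, false, false, true));
    /* same, but in FIPS mode: no fallback, authentication fails */
    printf("desired+FIPS/KDC down -> %d (2 = failed)\n",
           net_ads_connect(USE_KRB5_DESIRED, true, false, true));
    return 0;
}
```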
Comment 2 Shilpa Krishnareddy 2021-05-03 13:31:01 UTC
(In reply to Alexander Bokovoy from comment #1)
The parameter "client use kerberos" should be fine to use in this case. But in the version of Samba that we are using, this parameter is not present, so I won't be able to test it.
Comment 3 Alexander Bokovoy 2021-05-03 14:00:03 UTC
It is available in git master.
Comment 4 Andrew Bartlett 2021-05-03 20:12:55 UTC
What Alexander is trying to say is that per:

Samba development is on 'git master', and new features always start there before being backported. This means that they are automatically included in new versions, etc.

When developing for master, patches should take into account the new environment found there, so, as we have 'client use kerberos' in master, it should be used. This may prevent a backport, or mean a backport has to be modified, but at least the patch will be in Samba long-term, should it be useful and accepted.

I hope this clarifies things,

Andrew Bartlett
Comment 5 Shilpa Krishnareddy 2021-05-04 03:14:07 UTC
(In reply to Andrew Bartlett from comment #4)

Thanks for the clarification, Andrew. I will rebase the patch on top of master and submit it.