Oh, forgot to mention. Samba 4.0.7-4 Sernet packages running on CentOS 6.4.
On Mon, Jul 29, 2013 at 5:00 PM, Ryan Bair <ryandb...@gmail.com> wrote: > I'm attempting to get an old NT4 client participating in a Samba4 domain. > Users can logon to the machine locally and access network shares on other > machines in the network. However, no one can access shares on the NT4 > machine using the machine name. Attempting this results in an error "The > account is not authorized to log in from this station." Using the IP > address does work however. > > The clients are configured to allow no smb signing and NTLMv1, I think I > have all the security settings covered. > > I noticed while looking at wireshark though that the client is doing > TGS-REQ for cifs/nt4test and Samba is returning a full TGS-REP. This feels > very odd to me since there is no such SPN cifs/nt4test on the network. > 'setspn -Q cifs/nt4test' confirms this. > > I've also noticed that the MS docs state: > <94> Section 3.2.5.2: > <http://msdn.microsoft.com/en-us/library/d367854f-5eee-45e8-a588-eed596a1a521#endNote94>When > the server completes negotiation and returns the CAP_EXTENDED_SECURITY flag > as not set, Windows-based SMB clients query the Key Distribution Center > (KDC)<http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081#key_distribution_center_KDC>to > verify whether a service ticket is registered for the given security > principal name > (SPN)<http://msdn.microsoft.com/en-us/library/54af12e1-fcc1-4d62-bd47-c80514ac2615#spn>. > If the query indicates that the > SPN<http://msdn.microsoft.com/en-us/library/54af12e1-fcc1-4d62-bd47-c80514ac2615#spn>is > registered with the > KDC<http://msdn.microsoft.com/en-us/library/0aa17e1f-b3c1-478a-9bf0-2d826888d081#key_distribution_center_KDC>, > then the SMB client terminates the connection and returns an > implementation-specific security downgrade error to the caller. > > The client does have CAP_EXTENDED_SECURITY set and I'm guessing the > TGS-REQ is how Windows is testing the presence of the SPN. Since the test > is succeeding and the server doesn't advertise the extended security > capability, Windows disconnects. > > Can someone confirm my hypothesis? > > > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba