[Samba] Windows Remote Assistance fails
Ryan Bair
ryandbair at gmail.com
Wed Jan 7 14:24:09 MST 2015
Hi Andrew,
Thanks for the reply. That does indeed make it work.
On Tue, Jan 6, 2015 at 9:12 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2015-01-05 at 16:18 -0500, Ryan Bair wrote:
> > I attempted to set up unsolicited remote assistance via group policy, but
> > connections to the client machines fail.
> >
> > A network trace show the 'expert' machine doing a TGS-REQ to the DC which
> > responds with a KRB5KDC_ERR_POLICY. This seems to be the origin of the
> > problem.
> >
> > I noticed in the request, the username of the 'novice' is given as the
> > Server Name but is otherwise pretty unremarkable.
> >
> > Has anyone successfully gotten this working on a Samba4 AD domain?
>
> Try giving the user an SPN. That should make it work.
>
> I need to work out what the right clue is in AD to enable an account as
> a server, without an SPN, as otherwise we would allow offline attacks on
> the user (rather than machine, which should be more complex) passwords.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
>
>
>
>
>
More information about the samba
mailing list