<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-name:"Plain Text\,Code";
mso-style-link:"Plain Text Char\,Code Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
span.PlainTextChar
{mso-style-name:"Plain Text Char\,Code Char";
mso-style-link:"Plain Text\,Code";
font-family:Consolas;}
p.BulletedList, li.BulletedList, div.BulletedList
{mso-style-name:"Bulleted List\,bl1\,Bulleted List 1";
margin-top:1.0pt;
margin-right:-29.0pt;
margin-bottom:5.0pt;
margin-left:.5in;
text-indent:-.5in;
line-height:12.0pt;
mso-line-height-rule:exactly;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Hi Zachary,<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I have investigated this case and configured a similar
environment as you described. In my testing environment the Windows XP client
can successfully join the new Windows Server 2008 domain (new tree root domain
in an existing forest) by using Kerberos authentication.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I suspect the Kerberos error KRB_ERROR -
KDC_ERR_S_PRINCIPAL_UNKNOWN (7) that you experienced on the TGS request is due
your environment. Since the Kerberos mechanism failed to obtain the ticket for
the CIFS service, the fallback to NTLM mechanism is the correct processing with
respect to SPNEGO as documented in [MS-SPNG] and [RFC4178]. <o:p></o:p></p>
<p class=MsoNormal>In case this helps, I am providing this reference on
Kerberos troubleshooting. <o:p></o:p></p>
<p class=MsoNormal>Troubleshooting Kerberos Errors<o:p></o:p></p>
<p class=MsoNormal><a
href="http://www.microsoft.com/downloads/details.aspx?familyid=7DFEB015-6043-47DB-8238-DC7AF89C93F1&displaylang=en">http://www.microsoft.com/downloads/details.aspx?familyid=7DFEB015-6043-47DB-8238-DC7AF89C93F1&displaylang=en</a><o:p></o:p></p>
<p class=MsoNormal>The KDC_ERR_S_PRINCIPAL_UNKNOWN error could be associated
with these Windows internal errors:<o:p></o:p></p>
<p class=BulletedList style='margin-right:0in'><span style='font-family:"Calibri","sans-serif"'>STATUS_NO_TRUST_SAM_ACCOUNT<o:p></o:p></span></p>
<p class=BulletedList style='margin-right:0in'><span style='font-family:"Calibri","sans-serif"'>STATUS_OBJECT_NAME_NOT_FOUND<o:p></o:p></span></p>
<p class=MsoNormal>STATUS_KDC_UNABLE_TO_REFER<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>If you need more in-depth support in troubleshooting and
debugging this issue, we can work with you to establish a Windows support case
to pursue this in more depth. <o:p></o:p></p>
<p class=MsoNormal>As always, please let us know if you have any specific
documentation issue and we will be happy to assist.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoNormal>Best regards,<o:p></o:p></p>
<p class=MsoNormal>Edgar<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>-----Original Message-----<br>
From: Zachary Loafman [mailto:zachary.loafman@isilon.com] <br>
Sent: Friday, August 28, 2009 11:18 AM<br>
To: Interoperability Documentation Help<br>
Cc: pfif@tridgell.net; cifs-protocol@samba.org<br>
Subject: cifs/ SPN not accepted in certain scenarios<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>We stumbled across a rather odd behavior related to
non-forest-root tree-root domains. Can you help explain/document this behavior?<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>I've attached a short pcap showing the start of an XP
machine joining a<o:p></o:p></p>
<p class=MsoPlainText>2k8 tree-root. Here's the setup:<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>*) I have a Win2k8 DC at 10.54.139.240 for the zl.test
domain, which is the forest root for this forest. This domain is only once
contacted during the capture, but if you're setting up a similar environment,
you'll need it.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>*) I have another Win2k8 DC at 10.54.139.241 for the
zl-alt.test domain (ZL-ALTROOT-TEST.zl-alt.test). This domain was configured as
an alternate root within the same forest using the "advanced"
settings in the dcpromo wizard (but is otherwise the standard configuration
from that wizard).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>*) I have an XP client whose DNS is set to 10.54.139.241
prior to the join.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>For whatever reason, the alternate root DC will not
accept a TGS-REQ for cifs/ZL-ALTROOT-TEST.zl-alt.test. In this pcap, the XP
join then falls back to NTLM. This is fine, but kind of dumb - there should be
no need to fall back to NTLM.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>The zl-alt.test DC *will* accept a TGS-REQ for
HOST/ZL-ALTROOT-TEST.zl-alt.test. That's the curious part. <o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>In case it helps, here's a setspn -L on the altroot:<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>C:\Users\Administrator>setspn -L ZL-ALTROOT-TEST
Registered ServicePrincipalNames for CN=ZL-ALTROOT-TEST,OU=Domain<o:p></o:p></p>
<p class=MsoPlainText>Controllers,DC=zl-alt,DC=test:<o:p></o:p></p>
<p class=MsoPlainText>
ldap/ZL-ALTROOT-TEST.zl-alt.test/ForestDnsZones.zl.test<o:p></o:p></p>
<p class=MsoPlainText> <o:p></o:p></p>
<p class=MsoPlainText>Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ZL-ALTROOT-TEST.zl-alt.test<o:p></o:p></p>
<p class=MsoPlainText> DNS/ZL-ALTROOT-TEST.zl-alt.test<o:p></o:p></p>
<p class=MsoPlainText> GC/ZL-ALTROOT-TEST.zl-alt.test/zl.test<o:p></o:p></p>
<p class=MsoPlainText> HOST/ZL-ALTROOT-TEST.zl-alt.test/ZLALTTEST<o:p></o:p></p>
<p class=MsoPlainText> HOST/ZL-ALTROOT-TEST<o:p></o:p></p>
<p class=MsoPlainText> HOST/ZL-ALTROOT-TEST.zl-alt.test<o:p></o:p></p>
<p class=MsoPlainText> HOST/ZL-ALTROOT-TEST.zl-alt.test/zl-alt.test<o:p></o:p></p>
<p class=MsoPlainText> <o:p></o:p></p>
<p class=MsoPlainText>E3514235-4B06-11D1-AB04-00C04FC2DCD2/57379a03-4669-4b74-811b-97e3fdced92<o:p></o:p></p>
<p class=MsoPlainText>2/zl-alt.test<o:p></o:p></p>
<p class=MsoPlainText>
ldap/57379a03-4669-4b74-811b-97e3fdced922._msdcs.zl.test<o:p></o:p></p>
<p class=MsoPlainText> ldap/ZL-ALTROOT-TEST.zl-alt.test/ZLALTTEST<o:p></o:p></p>
<p class=MsoPlainText> ldap/ZL-ALTROOT-TEST<o:p></o:p></p>
<p class=MsoPlainText> ldap/ZL-ALTROOT-TEST.zl-alt.test<o:p></o:p></p>
<p class=MsoPlainText> ldap/ZL-ALTROOT-TEST.zl-alt.test/zl-alt.test<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>pcap attached.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>...Zach<o:p></o:p></p>
</div>
</body>
</html>