[cifs-protocol] cifs/ SPN not accepted in certain scenarios

Zachary Loafman zachary.loafman at isilon.com
Fri Aug 28 10:18:14 MDT 2009


We stumbled across a rather odd behavior related to non-forest-root
tree-root domains. Can you help explain/document this behavior?

I've attached a short pcap showing the start of an XP machine joining a
2k8 tree-root. Here's the setup:

*) I have a Win2k8 DC at 10.54.139.240 for the zl.test domain, which is
the forest root for this forest. This domain is contacted only once
during the capture, but if you're setting up a similar environment,
you'll need it.

*) I have another Win2k8 DC at 10.54.139.241 for the zl-alt.test domain
(ZL-ALTROOT-TEST.zl-alt.test). This domain was configured as an
alternate root within the same forest using the "advanced" settings in
the dcpromo wizard (but is otherwise the standard configuration from
that wizard).

*) I have an XP client whose DNS is set to 10.54.139.241 prior to the
join.

For whatever reason, the alternate root DC will not accept a TGS-REQ for
cifs/ZL-ALTROOT-TEST.zl-alt.test. In this pcap, the XP join then falls
back to NTLM. This is fine, but kind of dumb - there should be no need
to fall back to NTLM.

The zl-alt.test DC *will* accept a TGS-REQ for
HOST/ZL-ALTROOT-TEST.zl-alt.test. That's the curious part. 

In case it helps, here's a setspn -L on the altroot:

C:\Users\Administrator>setspn -L ZL-ALTROOT-TEST
Registered ServicePrincipalNames for CN=ZL-ALTROOT-TEST,OU=Domain
Controllers,DC=zl-alt,DC=test:
        ldap/ZL-ALTROOT-TEST.zl-alt.test/ForestDnsZones.zl.test
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ZL-ALTROOT-TEST.zl-alt.test
        DNS/ZL-ALTROOT-TEST.zl-alt.test
        GC/ZL-ALTROOT-TEST.zl-alt.test/zl.test
        HOST/ZL-ALTROOT-TEST.zl-alt.test/ZLALTTEST
        HOST/ZL-ALTROOT-TEST
        HOST/ZL-ALTROOT-TEST.zl-alt.test
        HOST/ZL-ALTROOT-TEST.zl-alt.test/zl-alt.test
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/57379a03-4669-4b74-811b-97e3fdced922/zl-alt.test
        ldap/57379a03-4669-4b74-811b-97e3fdced922._msdcs.zl.test
        ldap/ZL-ALTROOT-TEST.zl-alt.test/ZLALTTEST
        ldap/ZL-ALTROOT-TEST
        ldap/ZL-ALTROOT-TEST.zl-alt.test
        ldap/ZL-ALTROOT-TEST.zl-alt.test/zl-alt.test

pcap attached.

...Zach
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2k8-tree-join-xp-snipped.pcap
Type: application/octet-stream
Size: 13127 bytes
Desc: 2k8-tree-join-xp-snipped.pcap
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20090828/30179ad6/attachment-0001.obj>
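The script below is an added example for readers of this thread; it is not code from the original post or from Samba. It parses the setspn -L listing quoted above (copied in as a constructed sample with the line wrapping removed) and works out which registered SPN a Windows KDC with the default sPNMappings would use to satisfy a given TGS-REQ. The HOST alias set is the documented default value of sPNMappings and is assumed to apply to the lab in the post (an assumption, not something the post states); the cifs service class is a member of that set, so a cifs/ZL-ALTROOT-TEST.zl-alt.test request is normally expected to be served by the HOST/ZL-ALTROOT-TEST.zl-alt.test registration even though no cifs/ SPN is explicitly registered. That is what makes the rejection observed in the capture unexpected. The function names are the example's own.

```python
"""Predict which registered SPN satisfies a TGS-REQ, honouring HOST aliasing.

Added example for the cifs-protocol thread above; not the poster's code.
"""
from typing import Dict, List, Optional

# Default sPNMappings alias set: a Windows KDC treats these service classes
# as aliases of HOST/. Assumed to be unchanged in the lab in the post.
HOST_ALIASES = {
    "alerter", "appmgmt", "cisvc", "clipsrv", "browser", "dhcp", "dnscache",
    "replicator", "eventlog", "eventsystem", "policyagent", "oakley",
    "dmserver", "dns", "mcsvc", "fax", "msiserver", "ias", "messenger",
    "netlogon", "netman", "netdde", "netddedsm", "nmagent", "plugplay",
    "protectedstorage", "rasman", "rpclocator", "rpc", "rpcss",
    "remoteaccess", "rsvp", "samss", "scardsvr", "scesrv", "seclogon", "scm",
    "dcom", "cifs", "spooler", "snmp", "schedule", "tapisrv", "trksvr",
    "trkwks", "ups", "time", "wins", "www", "http", "w3svc", "iisadmin",
    "msdtc",
}

# Constructed sample: the setspn -L output from the post, one SPN per line.
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=ZL-ALTROOT-TEST,OU=Domain Controllers,DC=zl-alt,DC=test:
        ldap/ZL-ALTROOT-TEST.zl-alt.test/ForestDnsZones.zl.test
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ZL-ALTROOT-TEST.zl-alt.test
        DNS/ZL-ALTROOT-TEST.zl-alt.test
        GC/ZL-ALTROOT-TEST.zl-alt.test/zl.test
        HOST/ZL-ALTROOT-TEST.zl-alt.test/ZLALTTEST
        HOST/ZL-ALTROOT-TEST
        HOST/ZL-ALTROOT-TEST.zl-alt.test
        HOST/ZL-ALTROOT-TEST.zl-alt.test/zl-alt.test
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/57379a03-4669-4b74-811b-97e3fdced922/zl-alt.test
        ldap/57379a03-4669-4b74-811b-97e3fdced922._msdcs.zl.test
        ldap/ZL-ALTROOT-TEST.zl-alt.test/ZLALTTEST
        ldap/ZL-ALTROOT-TEST
        ldap/ZL-ALTROOT-TEST.zl-alt.test
        ldap/ZL-ALTROOT-TEST.zl-alt.test/zl-alt.test
"""


def parse_setspn(text: str) -> List[str]:
    """Return the SPNs listed by `setspn -L`, skipping the header line."""
    spns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Registered ServicePrincipalNames"):
            continue
        spns.append(line)
    return spns


def service_class(spn: str) -> str:
    """'cifs/host.example:445/inst' -> 'cifs' (case-folded service class)."""
    return spn.split("/", 1)[0].lower()


def resolve_spn(requested: str, registered: List[str]) -> Optional[str]:
    """Return the registered SPN that satisfies `requested`, or None.

    servicePrincipalName matching in AD is case-insensitive. If there is no
    exact match and the service class is a HOST alias, the KDC retries the
    lookup with HOST/ substituted for the class. None means the TGS-REQ is
    expected to fail (KDC_ERR_S_PRINCIPAL_UNKNOWN) and a Windows client
    would fall back to NTLM.
    """
    by_lower = {spn.lower(): spn for spn in registered}
    hit = by_lower.get(requested.lower())
    if hit is not None:
        return hit
    svc, _, rest = requested.partition("/")
    if rest and svc.lower() in HOST_ALIASES:
        return by_lower.get("host/" + rest.lower())
    return None


def explain_requests(requested: List[str],
                     registered: List[str]) -> Dict[str, Optional[str]]:
    """Map each requested SPN to the registration that would serve it."""
    return {spn: resolve_spn(spn, registered) for spn in requested}


if __name__ == "__main__":
    reg = parse_setspn(SETSPN_OUTPUT)
    probes = ["cifs/ZL-ALTROOT-TEST.zl-alt.test",
              "HOST/ZL-ALTROOT-TEST.zl-alt.test",
              "ldap/ZL-ALTROOT-TEST.zl-alt.test",
              "MSSQLSvc/ZL-ALTROOT-TEST.zl-alt.test:1433"]
    for spn, via in explain_requests(probes, reg).items():
        print(f"{spn:45s} -> {via or 'NOT FOUND (expect NTLM fallback)'}")
```

Running it prints a HOST/ registration for the cifs/ probe and NOT FOUND only for the MSSQLSvc/ probe, which is the behaviour a default-configured KDC is expected to show; the capture attached to the post shows the alt-root DC doing otherwise for cifs/, which is exactly the discrepancy the post is asking about.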

