New approach to win2k joins...

Luke Howard lukeh at PADL.COM
Sat Aug 10 05:09:38 GMT 2002


Last time I looked, Windows 2000 defines a number of different Kerberos
principal name types that needed to be supported by the KDC, e.g.
KRB5_NT_MS_PRINCIPAL, KRB5_NT_ENTERPRISE_PRINCIPAL.

-- Luke

>From: "Jim McDonough" <jmcd at us.ibm.com>
>Subject: Re: New approach to win2k joins...
>To: Jean Francois Micouleau <Jean-Francois.Micouleau at dalalu.fr>
>Cc: samba-technical at samba.org
>Date: Mon, 5 Aug 2002 18:51:56 -0400
>
>
>>> But when I try to logon, it tries to use the short version of the domain as
>>> the realm...which my MIT KDC doesn't like.  Any ideas here?
>>
>>when is it supposed to get the realm ? are you sure it's getting it
>>correctly ?
>I'm not sure exactly what your question is, but this is exactly how a win2k
><->win2k interaction is.  If there is a short (netbios) domain name that
>shows up in the logon screen, that's what gets sent as the realm for the
>principal to the KDC...and the tgt that is returned has the full true realm
>name in the principal...!
>>do you have a trace of a user logging on the box ?
>I can give you this or the equivalent in win2k<->win2k, and you'll see the
>realm thing I'm talking about...
>
>
>----------------------------
>Jim McDonough
>IBM Linux Technology Center
>Samba Team
>6 Minuteman Drive
>Scarborough, ME 04074
>USA
>
>jmcd at us.ibm.com
>jmcd at samba.org
>
>Phone: (207) 885-5565
>IBM tie-line: 776-9984
>
>
>

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com


