Problems with WinXP joining a Samba-head domain (and suggested solutions)
lukeh at PADL.COM
Wed Sep 11 17:19:00 GMT 2002
>2. Then, once this was fixed, WinXP still would not join. I needed to
>switch off SignOrSeal as specified in the .reg file.
Right, otherwise it will try and negotiate the Netlogon secure channel
(or the "secure" Netlogon secure channel, depending on whose terminology
Last time I looked, the secure channel bind PDU included the NetBIOS
name, the workstation name, and the DNS domain name and host, which
are presumably used by the server as a key to retrieve the session key
previously negotiated by NetrReqChallenge() and NetrServerAuthenticate3().
The session key is used to sign/seal the channel (roughly per
draft-brezak-win2k-krb-rc4-hmac-04.txt). I didn't take note of how
these were encoded (whether they were Unicode strings, etc).
Let me know if you have any traces, as we'd like to implement this in
GSS-API (along with NTLMSSP). Of course, I could just turn SignOrSeal
back on and get some traces myself :-)
Luke Howard | lukehoward.com
PADL Software | www.padl.com
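
Added example, not part of the original message or of Samba: a small Python check that reads the text of a .reg file and reports which Netlogon secure channel protections it switches off, so the effect of a "SignOrSeal off" workaround is visible before it is imported. The value names (requiresignorseal, sealsecurechannel, signsecurechannel under Netlogon\Parameters) are an assumption, since the message does not spell them out, and both sample files are constructed.

```python
import re

# Assumption: key path and value names are not given in the message above.
NETLOGON_KEY = r"hkey_local_machine\system\currentcontrolset\services\netlogon\parameters"
PROTECTIONS = ("requiresignorseal", "sealsecurechannel", "signsecurechannel")

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def parse_reg(text):
    """Return {key_lower: {value_lower: int}} for dword values in decoded .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = KEY_RE.match(line)
        if m:
            # "[-KEY]" deletes a key, so there are no values to record under it.
            current = None if m.group(1) else keys.setdefault(m.group(2).lower(), {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys


def weakened_settings(text):
    """List the secure channel protections the file explicitly sets to 0."""
    params = parse_reg(text).get(NETLOGON_KEY, {})
    return [name for name in PROTECTIONS if params.get(name) == 0]


# Constructed sample: a workaround file that disables the sign-or-seal requirement.
SAMPLE_WEAK = r'''Windows Registry Editor Version 5.00

; constructed sample
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"SealSecureChannel"=dword:00000001
'''

# Constructed sample: the same key with the requirement left on.
SAMPLE_OK = SAMPLE_WEAK.replace('"requiresignorseal"=dword:00000000',
                                '"requiresignorseal"=dword:00000001')

if __name__ == "__main__":
    print("weakened:", weakened_settings(SAMPLE_WEAK))
```

The function expects already-decoded text; .reg exports saved as UTF-16 need to be opened with that encoding first.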