Problems with WinXP joining a Samba-head domain (and suggested solutions)

Luke Howard lukeh at PADL.COM
Wed Sep 11 17:19:00 GMT 2002


Hi Richard,

>2. Then, once this was fixed, WinXP still would not join. I needed to 
>switch off SignOrSeal as specified in the .reg file.

Right, otherwise it will try and negotiate the Netlogon secure channel
(or the "secure" Netlogon secure channel, depending on whose terminology
you're using). 

Last time I looked, the secure channel bind PDU included the NetBIOS
name, the workstation name, and the DNS domain name and host, which 
are presumably used by the server as a key to retrieve the session key
previously negotiated by NetrReqChallenge() and NetrServerAuthenticate3().
The session key is used to sign/seal the channel (roughly per 
draft-brezak-win2k-krb-rc4-hmac-04.txt). I didn't take note of how
these were encoded (whether they were Unicode strings, etc).

Let me know if you have any traces, as we'd like to implement this in
GSS-API (along with NTLMSSP). Of course, I could just turn SignOrSeal
back on and get some traces myself :-)

cheers,

-- Luke

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
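
As an added example (not part of the original message and not Samba code): a Python check that reads a .reg file like the one the quoted text mentions and reports whether it leaves Netlogon secure channel signing/sealing required. The registry path and the `RequireSignOrSeal`, `SealSecureChannel` and `SignSecureChannel` value names are the standard Netlogon parameters, not given in the message; the sample file and the function names are constructed for illustration.

```python
import re

NETLOGON_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"

# Constructed sample: a .reg file that switches the requirement off.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"SealSecureChannel"=dword:00000001
"SignSecureChannel"=dword:00000001
'''

def netlogon_values(reg_text):
    """Return {lower-cased value name: int} for dword values under the Netlogon key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Key header. Key names are case-insensitive; a "[-KEY]" deletion
            # header never matches and is therefore skipped.
            in_key = line.strip("[]").lower() == NETLOGON_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{1,8})$', line)
        if in_key and m:
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def assess(reg_text):
    """Classify what the file does to the secure channel policy."""
    v = netlogon_values(reg_text)
    require = v.get("requiresignorseal")
    if require is None:
        return "not-set"      # file does not touch the requirement
    if require != 0:
        return "required"     # client insists on a signed or sealed channel
    if v.get("sealsecurechannel") == 0 and v.get("signsecurechannel") == 0:
        return "disabled"     # client will not negotiate signing or sealing
    return "optional"         # client accepts an unprotected channel

if __name__ == "__main__":
    print(assess(SAMPLE_REG))
```

A result of `optional` or `disabled` means the workstation will accept a Netlogon channel without signing or sealing, so such a file is worth flagging when it is applied outside a deliberate interoperability workaround.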


