[xad] Re: Problems with WinXP joining a Samba-head domain (and suggested solutions)
Luke Kenneth Casson Leighton
lkcl at samba-tng.org
Wed Sep 11 18:30:01 GMT 2002
On Thu, Sep 12, 2002 at 03:47:19AM +1000, Luke Howard wrote:
> >Well, the interesting thing to me is that WinXP managed to join with
> >Sign/Seal enabled, but failed on the first logon attempt.
> At least with Windows 2000 joining Active Directory (which is what we're
> testing right now) the domain join doesn't seem to mind if the
> NetrServerAuthenticate() / NetrLogonGetDomainInfo() fails. As long
> as the LSA and SAM RPCs that are made over SMB succeed, the client
> thinks that it has joined.
yep - but if you got the password wrong [decrypted incorrectly,
stored the wrong way, munged etc.] then joining works fine
and then subsequent logon attempts fail.
also - it's possible to get things wrong in joining, have
a successful report "i joined!" and you only find out
_after_ the reboot...
> >> Last time I looked, the secure channel bind PDU included the NetBIOS
> >> name, the workstation name, and the DNS domain name and host, which
> >> are presumably used by the server as a key to retrieve the session key
> >> previously negotiated by NetrReqChallenge() and NetrServerAuthenticate3().
> >> The session key is used to sign/seal the channel (roughly per
> >> draft-brezak-win2k-krb-rc4-hmac-04.txt). I didn't take note of how
> It makes sense, and some of this is implemented in TNG (not sure whether
> it works or not).
yep, it does, up to the very first packet over the Schannel.
i never worked out the second verifier packet, so i could
create a signature on the first PDU but no others.
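The failure mode described in this thread (join reports success, the first real logon over the secure channel fails) can be reproduced in a small model. The following is an added example, not code from Samba TNG or from the posters; it implements MD4 and the MS-NRPC strong-key session-key derivation (HMAC-MD5 over MD5(zeros(4) || client challenge || server challenge), keyed by the MD4 of the UTF-16LE machine password) and then stands in for the DES-based Netlogon credential with an HMAC-MD5 of the challenge, which is a simplification and not the real transform. The `simulate_join_and_logon` function and its constructed challenges are assumptions made for the illustration: the join step is modelled as always succeeding because it only depends on the LSA/SAM writes over SMB, while the logon step fails as soon as the password the DC stored differs from the one the client kept.

```python
"""Model of a machine-account join followed by a Netlogon secure-channel
authenticate, showing why a mis-stored machine password produces a join
that reports success and a logon that fails afterwards.

MD4 (RFC 1320) and the strong-key session key follow MS-NRPC 3.1.4.3.1.
The credential step is a simplified HMAC stand-in (assumption, see below).
"""
import hashlib
import hmac
import struct


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4; hashlib's md4 is frequently disabled in OpenSSL 3 builds."""
    mask = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b'\x80'
    while len(msg) % 64 != 56:
        msg += b'\x00'
    msg += struct.pack('<Q', (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        X = struct.unpack('<16I', msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = _lrot((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _lrot((a + G(b, c, d) + X[r2[i]] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _lrot((a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack('<4I', a, b, c, d)


def machine_password_hash(password: str) -> bytes:
    """M4SS: MD4 of the UTF-16LE machine password, i.e. the stored NT hash."""
    return md4(password.encode('utf-16-le'))


def strong_session_key(m4ss: bytes, client_chal: bytes, server_chal: bytes) -> bytes:
    """MS-NRPC strong-key session key: HMAC-MD5(M4SS, MD5(zeros(4) || CC || SC))."""
    inner = hashlib.md5(b'\x00' * 4 + client_chal + server_chal).digest()
    return hmac.new(m4ss, inner, hashlib.md5).digest()


def credential(session_key: bytes, challenge: bytes) -> bytes:
    """Stand-in for ComputeNetlogonCredential. Real Netlogon applies a DES-based
    transform here; HMAC-MD5 is used only to keep the model short (assumption)."""
    return hmac.new(session_key, challenge, hashlib.md5).digest()[:8]


def simulate_join_and_logon(client_password: str, dc_stored_password: str,
                            client_chal: bytes, server_chal: bytes):
    """Return (join_reported_ok, logon_ok).

    The join is modelled as succeeding whenever the LSA/SAM writes over SMB go
    through, independent of whether the DC stored the secret correctly. The
    logon then derives the session key on both sides and compares credentials.
    """
    join_reported_ok = True
    client_key = strong_session_key(machine_password_hash(client_password),
                                    client_chal, server_chal)
    dc_key = strong_session_key(machine_password_hash(dc_stored_password),
                                client_chal, server_chal)
    client_cred = credential(client_key, client_chal)
    expected = credential(dc_key, client_chal)
    return join_reported_ok, hmac.compare_digest(client_cred, expected)


if __name__ == '__main__':
    # Constructed challenges for the demonstration (not captured traffic).
    cc, sc = bytes(range(8)), bytes(range(8, 16))
    print(simulate_join_and_logon('Xy!7kQ2p', 'Xy!7kQ2p', cc, sc))   # join ok, logon ok
    print(simulate_join_and_logon('Xy!7kQ2p', 'Xy!7kQ2P', cc, sc))   # join ok, logon fails
```

A practical check that follows from the model: after a join, verify that the password the DC stored actually derives the same session key as the client's copy (for instance by completing one NetrServerAuthenticate exchange before the reboot) instead of trusting the "I joined!" report, which only proves the SMB-side writes succeeded.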