Problems with WinXP joining a Samba-head domain (and suggested
solutions)
Richard Sharpe
rsharpe at ns.aus.com
Wed Sep 11 18:44:00 GMT 2002
On Thu, 12 Sep 2002, Luke Howard wrote:
>
> Hi Richard,
>
> >2. Then, once this was fixed, WinXP still would not join. I needed to
> >switch off SignOrSeal as specified in the .reg file.
>
> Right, otherwise it will try and negotiate the Netlogon secure channel
> (or the "secure" Netlogon secure channel, depending on whose terminology
> you're using).
>
> Last time I looked, the secure channel bind PDU included the NetBIOS
> name, the workstation name, and the DNS domain name and host, which
> are presumably used by the server as a key to retrieve the session key
> previously negotiated by NetrReqChallenge() and NetrServerAuthenticate3().
> The session key is used to sign/seal the channel (roughly per
> draft-brezak-win2k-krb-rc4-hmac-04.txt). I didn't take note of how
> these were encoded (whether they were Unicode strings, etc).
Well, I see the NetBIOS name, wks name, DNS domain name, etc in the SPNEGO
negTokenTarg in the security BLOB. I have not noticed it in the BIND PDU.
I will have to go and look.
Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,
sharpe at ethereal.com
More information about the samba-technical
mailing list