Problems with WinXP joining a Samba-head domain (and suggested solutions)

Richard Sharpe rsharpe at
Wed Sep 11 18:44:00 GMT 2002

On Thu, 12 Sep 2002, Luke Howard wrote:

> Hi Richard,
>
> >2. Then, once this was fixed, WinXP still would not join. I needed to
> >switch off SignOrSeal as specified in the .reg file.
>
> Right, otherwise it will try and negotiate the Netlogon secure channel
> (or the "secure" Netlogon secure channel, depending on whose terminology
> you're using).
>
> Last time I looked, the secure channel bind PDU included the NetBIOS
> name, the workstation name, and the DNS domain name and host, which
> are presumably used by the server as a key to retrieve the session key
> previously negotiated by NetrReqChallenge() and NetrServerAuthenticate3().
> The session key is used to sign/seal the channel (roughly per
> draft-brezak-win2k-krb-rc4-hmac-04.txt). I didn't take note of how
> these were encoded (whether they were Unicode strings, etc).

Well, I see the NetBIOS name, wks name, DNS domain name, etc. in the SPNEGO
negTokenTarg in the security BLOB. I have not noticed it in the BIND PDU.
I will have to go and look.

Richard Sharpe, rsharpe at, rsharpe at, 
sharpe at
