Starting to look like Active Directory...

Andrew Bartlett abartlet at
Sun May 4 03:42:04 GMT 2003

Over the past few months, Samba 3.0 has started to look very much like
Active Directory to Win2k clients.

This has occurred so much so, that clients actively look our netbios
name up in DNS, for example. (resulting in even more addition silly load
on global root servers)

However, the problem I've noticed particularly is in getting a Win2k
domain to 'trust' us - as in the 'trusted domains' sense of the word. 
To do this, Win2k needs to join our domain, with a machine trust
account.  This is something that I've had in production with NT4 for
quite a while now, and it is something that we need to have working for
Samba 3.0 w/ Win2k.

The problem is this:  The win2k server makes a call to:
(from jmcd's CVS commit message)

> Add LSA RPC 0x2E, lsa_query_info2.  Only level implemented is 0x0c,
> which is netbios and dns domain info.  Also add code to set/fetch the
> domain GUID from secrets.tdb (although set is not yet called by
> anyone).

This is all well and good, but the original implementation used
'lp_realm()' to get the DNS name, which caused 'invalid paramter' errors
on the win2k client.  Now we return the real DNS domain name, but our
clients (and the domain I'm trying to get us to trust) now really think
we are AD, and start to lookup the magic names under our DNS domain

Having not found these names, the potentially trusting domain bombs

Where should we go from here?  Start disabling things, until it breaks
back into NT4 - but what do we loose by doing that?   Start providing an
example DNS zone file?

I would appreciate some thoughts on this matter.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list