Starting to look like Active Directory...

Anthony Liguori aliguor at
Mon May 5 18:09:02 GMT 2003

This is where CLDAP is going to help us.  The first DNS entry that I 
imagine it looks for (correct me if I'm wrong) is 
_ldap._tcp.dc.msdcs.domain which is actually for a UDP netlogon mail slot 
query over LDAP.  The response to this query has a capabilities field 
where we can selectively turn off ADS stuff (see include/ads.h ADS_* for a 
list of capabilities that we can toggle on/off).

We had previously sent out a patch that added support for these queries to 
nmbd but now we're doing it in terms of OpenLDAP (see this list's archives for 
probably the middle of August).

At any rate, if you join via netbios domain name instead of dns domain 
name, you'll avoid the CLDAP queries (from the Windows client end).

Anthony Liguori
Linux/Active Directory Interoperability
Linux Technology Center (LTC) - IBM Austin
E-mail: aliguor at
Phone: (512) 838-1208
Tie Line: 678-1208

Andrew Bartlett <abartlet at>
05/03/2003 10:42 PM

        To:     Multiple recipients of list SAMBA-TECHNICAL <samba-technical at>
        Subject:        Starting to look like Active Directory... 

Over the past few months, Samba 3.0 has started to look very much like
Active Directory to Win2k clients.

This has occurred so much so, that clients actively look our netbios
name up in DNS, for example (resulting in even more additional silly load
on global root servers).

However, the problem I've noticed particularly is in getting a Win2k
domain to 'trust' us - as in the 'trusted domains' sense of the word.
To do this, Win2k needs to join our domain, with a machine trust
account.  This is something that I've had in production with NT4 for
quite a while now, and it is something that we need to have working for
Samba 3.0 w/ Win2k.

The problem is this:  The win2k server makes a call to:
(from jmcd's CVS commit message)

> Add LSA RPC 0x2E, lsa_query_info2.  Only level implemented is 0x0c,
> which is netbios and dns domain info.  Also add code to set/fetch the
> domain GUID from secrets.tdb (although set is not yet called by
> anyone).

This is all well and good, but the original implementation used
'lp_realm()' to get the DNS name, which caused 'invalid parameter' errors
on the win2k client.  Now we return the real DNS domain name, but our
clients (and the domain I'm trying to get us to trust) now really think
we are AD, and start to look up the magic names under our DNS domain.

Having not found these names, the potentially trusting domain bombs.

Where should we go from here?  Start disabling things, until it breaks
back into NT4 - but what do we lose by doing that?   Start providing an
example DNS zone file?

I would appreciate some thoughts on this matter.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

#### signature.asc has been removed from this note on May 05, 2003 by 
Anthony Liguori
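As an added example (not code from this thread, from Samba or from OpenLDAP), the following Python parses the netlogon response a Windows client gets back from the CLDAP query Anthony describes, lists the capability bits it advertises using the documented DS_* flag values, and shows what is left once the AD-only bits are cleared. The sample packet, the server and site names, the GUID and the choice of which bits count as "AD-only" are constructed assumptions.

```python
import struct
import uuid

# Capability bits in the Flags field of a CLDAP netlogon response
# (DS_*_FLAG in MS-ADTS; Samba's include/ads.h names them ADS_*). Only the
# nine bits this thread is concerned with are listed.
DS_FLAGS = {0x001: "PDC", 0x004: "GC", 0x008: "LDAP", 0x010: "DS", 0x020: "KDC",
            0x040: "TIMESERV", 0x080: "CLOSEST", 0x100: "WRITABLE", 0x200: "GOOD_TIMESERV"}
AD_ONLY_BITS = 0x004 | 0x008 | 0x010 | 0x020   # assumption: bits an NT4-style DC never sets
LOGON_SAM_LOGON_RESPONSE_EX = 23                # opcode of the 'EX' response format

def read_name(buf, off):
    """Decode one RFC 1035 compressed name at off; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                # pointer to an earlier copy of the suffix
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack_from(">H", buf, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(buf[off:off + length].decode("ascii"))
        off += length

def parse_netlogon_ex(buf):
    """Parse a NETLOGON_SAM_LOGON_RESPONSE_EX and list the capabilities it advertises."""
    opcode, _sbz, flags = struct.unpack_from("<HHI", buf, 0)
    if opcode != LOGON_SAM_LOGON_RESPONSE_EX:
        raise ValueError("not a LOGON_SAM_LOGON_RESPONSE_EX (opcode %d)" % opcode)
    out = {"flags": flags, "domain_guid": str(uuid.UUID(bytes_le=buf[8:24]))}
    off = 24
    for key in ("forest", "dns_domain", "dns_host", "nb_domain", "nb_host",
                "user", "dc_site", "client_site"):
        out[key], off = read_name(buf, off)
    out["nt_version"], out["lmnt_token"], out["lm20_token"] = struct.unpack_from("<IHH", buf, off)
    out["caps"] = [n for b, n in sorted(DS_FLAGS.items()) if flags & b]
    out["looks_like_ad"] = bool(flags & AD_ONLY_BITS)   # what makes a Win2k client treat us as AD
    return out

def without_ad_caps(flags):
    """Flags a server would send if it advertised only NT4-style roles (the 'turn off ADS stuff' case)."""
    return flags & ~AD_ONLY_BITS

def sample_response():
    """Constructed response for a fictitious DC; later names reuse the forest name via pointers."""
    def name(s): return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"
    hdr = struct.pack("<HHI", LOGON_SAM_LOGON_RESPONSE_EX, 0, 0x3FD)     # all nine bits set
    hdr += uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le  # constructed domain GUID
    names = name("samba.example") + b"\xC0\x18" + b"\x03dc1\xC0\x18"   # forest, pointer, dc1+pointer
    names += name("SAMBA") + name("DC1") + b"\x00"                      # NetBIOS names, empty user
    site_off = len(hdr) + len(names)                                    # where dc_site starts
    names += name("Default-First-Site-Name") + struct.pack(">H", 0xC000 | site_off)
    return hdr + names + struct.pack("<IHH", 5, 0xFFFF, 0xFFFF)         # NtVersion, LmNt, Lm20
```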
