Samba-3.0.7-1.3E Active Directory Issues

Doug VanLeuven roamdad at sonic.net
Wed Oct 20 11:19:26 GMT 2004


Nalin Dahyabhai wrote:

>My experiments suggest that the servicePrincipalName is only used for
>retrieving the computer account's password.  Once the computer's
>password is determined, the servicePrincipalName and dnsHostName values
>in the computer account entry seem to have no impact on the derivation
>of the key.  The machine name and realm name appear to be the only
>values which influence things.
OK.  In the KDC's ERR_PREAUTH_REQUIRED response to the initial AS-REQ 
for the TGT, PA-ENCTYPE-INFO, Salt shows the KDC using 
NT.LDXNET.COMhostlinx.nt.ldxnet.com instead of 
NT.LDXNET.COMhostlinx.ldxnet.com.

>>It works to join a windows box to the REALM from outside the AD DNS 
>>domain and have Kerberos work, it's just that since the 
>>servicePrincipalName is only assigned on re-boot of the machine, a 
>>security setting has to be changed to allow the re-booting machine to 
>>pick its own domain instead of being assigned one by the DC or 
>>administrator.
>
>You've lost me here.  Are you saying that a Windows host attempts to set
>(or reset) its servicePrincipalName values every time it's booted, and
>that there's a configuration flag somewhere on the server which needs to
>be toggled for this to be allowed?
Uncheck the box for "Change primary DNS suffix when domain membership 
changes"
Join the w2k workstation to the domain
Shut down the computer.
Dump the entry for the workstation in the AD
dNSHostName and servicePrincipalName have not yet been created.
They will be created on the first boot of the w2k workstation after the 
join.
Can't say if it would happen on subsequent boots.

To do this, the OU security requires SELF - "Read DNS Host name 
attributes" and "Write DNS Host name attributes".  Inheritance gives 
this right to the computers in the OU.
There was a writeup from MS, but I can't find it anymore.

For my purposes, I needed to find out if there was some unknown issue 
lurking to sandbag me after a production rollout and I now know there 
isn't.  It would be nice to join the REALM from a different DNS domain, 
but I can live with that.  I just wish it was better publicized along 
with the consequences.  I have half a mind to open a support incident 
with MS.

Regards, Doug
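The salt discussion above (the KDC answering with NT.LDXNET.COMhostlinx.nt.ldxnet.com rather than NT.LDXNET.COMhostlinx.ldxnet.com) can be reproduced with a short script. This is an added example, not code from the thread; it assumes the Active Directory computer-account salt convention (uppercase realm, the literal "host", the lowercase machine name, then the lowercase realm) and uses PBKDF2-HMAC-SHA1 as in RFC 3962 only to show that a wrong salt yields a different key, so the client's pre-authentication would fail even with the right password.

```python
"""Kerberos salt derivation for an AD computer account (added example).

Assumption, not stated in the thread: AD salts computer accounts as
  REALM.UPPER + "host" + machine.lower() + "." + realm.lower()
where the machine name is the sAMAccountName without its trailing '$'.
"""
import hashlib


def ad_computer_salt(machine_name: str, realm: str) -> str:
    """Salt the KDC reports in PA-ENCTYPE-INFO for a computer account.

    Only the machine name and the realm go in; dNSHostName and
    servicePrincipalName are not consulted.
    """
    name = machine_name.rstrip("$").lower()
    return f"{realm.upper()}host{name}.{realm.lower()}"


def naive_dns_salt(dns_host_name: str, realm: str) -> str:
    """Salt a client would build if it wrongly assumed the account's
    dNSHostName (e.g. a host joined from outside the AD DNS domain)
    was part of the derivation."""
    return f"{realm.upper()}host{dns_host_name.lower()}"


def string_to_key(password: str, salt: str, key_len: int = 32,
                  iterations: int = 4096) -> bytes:
    """First step of the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1
    over the UTF-8 password and salt.  The final AES-based DK() step is
    omitted here; it does not change the fact that a different salt
    gives a different key."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), iterations, key_len)


def keys_match(password: str, kdc_salt: str, client_salt: str) -> bool:
    """True only when the client derives the same key as the KDC."""
    return string_to_key(password, kdc_salt) == string_to_key(password, client_salt)


if __name__ == "__main__":
    # Constructed values modelled on the thread: machine 'linx' in realm
    # NT.LDXNET.COM whose dNSHostName sits in the parent DNS domain.
    kdc = ad_computer_salt("LINX$", "NT.LDXNET.COM")
    guess = naive_dns_salt("linx.ldxnet.com", "NT.LDXNET.COM")
    print("KDC salt    :", kdc)
    print("naive salt  :", guess)
    print("same key?   :", keys_match("machine-secret", kdc, guess))
```

Running it prints the two salts seen in the thread and `False` for the key comparison, which is why a client that salts with the wrong hostname is rejected at pre-authentication.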


