w2k join/logon

Andrew Bartlett abartlet at samba.org
Tue Dec 13 16:14:19 GMT 2005

On Tue, 2005-12-13 at 21:41 +1100, tridge at samba.org wrote:
> Andrew,
>  > I'll keep looking at it, unless Andrew Bartlett works it out first :-)
> Looking at it a bit more, it looks like we rely on the client doing a
> LDAP modify to add the servicePrincipalName itself. WinXP does this
> (after checking if it needed by looking for an existing
> servicePrincipalName), so it works fine, but win2000 doesn't do this,
> which breaks a kerberos join.
> Any comments on where we should add this? The obvious places are in
> dsdb/samdb or in the hdb-ldb backend. Do you have a preference?

If win2000 operates in an AD domain without a servicePrincipalName, then
we need to add logic to our cracknames code, so that when we lookup by
SPN we find the account.  We should also allow it to be a server
(currently only accounts with an SPN can be a server) if it is a
machine/workstation trust account.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051213/dd05e5ba/attachment.bin

More information about the samba-technical mailing list