Kerberos/ADS and many groups
Matthew Geddes
musicalcarrion at gmail.com
Thu Dec 14 20:02:38 GMT 2006
Matthew Geddes wrote:
> Volker Lendecke wrote:
>
>> On Thu, Dec 14, 2006 at 11:25:18AM -0800, Matthew Geddes wrote:
>>
>>
>>> Any other suggestions?
>>>
>>
>>
>> Send the sniffs?
>>
>
> I'm working on that. I have a packet capture here generated by
> rpcclient -k DCNAME. I'm not on my network though -- it's a customer
> site, so I need to check with a few people first. The user accounts
> and ADS domains involved are all from test labs, but I don't think
> they'd see the funny side if I didn't ask first. ;-)
That was less painful than I thought. :-)
It's a tiny capture, so I've attached it, rather than pointing you at a
URL. Hope that's OK.
Here's how I got it:
- kinit user at REALM
- tcpdump -i eth0 -s 0 -w packets.cap host DCNAME
- rpcclient -k DCNAME
rpcclient failed with the same status code that 'net ads join' did:
SPNEGO login failed: NT_STATUS_INVALID_NETWORK_RESPONSE
thx,
Matt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: packets.cap
Type: application/octet-stream
Size: 7702 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20061214/96d409af/packets.obj
More information about the samba-technical
mailing list