Draft #3: Re: [patch] net ads join rework
Gerald (Jerry) Carter
jerry at samba.org
Thu May 11 05:07:09 GMT 2006
Guenther Deschner wrote:
> At least those attributes are settable via LDAP post the
> rpc join when just binding with the machine account (no
> admin privs needed):
> dNSHostName: mthelena.ber.suse.de
> servicePrincipalName: CIFS/mthelena.ber.suse.de
> servicePrincipalName: HOST/mthelena.ber.suse.de
> servicePrincipalName: CIFS/mthelena
> servicePrincipalName: HOST/mthelena
> (note that you can't add the fqdn SPNs before the
> dNSHostName is set).
> Only the UPN remains, which neither the machine account
> nor the privileged user (not an admin) can change via LDAP.
Here are some data points from a Win2k client joining a Windows 2000
The HOST/shortname and HOST/fqdn SPN are added during the
subsequent reboot after a join as is the dNSHostName.
If the dNSHostName is outside the realm's DNS name,
the AD DC throws a constraint error for the ldap modify.
The client continues to attempt to create these principals
during each reboot. And of course, with the SPN values,
TGS_REQ queries fail and so the SMB sesssetup falls
back to NTLMSSP.
Checking a WinXP client, I see the same LDAP modify
request but without the control
and the dNSHostName mod succeeds regardless of whether the
domain matches the realm or not.
I only see HOST/xxx being created and not CIFS/xxx. Was
this something introduced in Windows 2003? I think I've
asked this before but don't remember the answer.
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
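The post-join attribute updates discussed in this thread (dNSHostName, then HOST/ and CIFS/ SPNs) and the two constraints it mentions (fqdn SPNs only after dNSHostName is set; a Win2k DC rejecting a dNSHostName outside the realm's DNS name, a WinXP join succeeding regardless), as an added model that is not code from the thread or from Samba. `MachineAccount`, `strict_dns` and `join_reboot` are this example's own names; the DC behaviour is only simulated in memory.

```python
from typing import Dict, List


class ConstraintViolation(Exception):
    """Stands in for the LDAP constraint error the DC returns."""


class MachineAccount:
    """Minimal in-memory stand-in for the AD computer object (constructed)."""

    def __init__(self, realm: str, strict_dns: bool = True) -> None:
        self.realm = realm.lower()        # e.g. "ber.suse.de"
        self.strict_dns = strict_dns      # True: Win2k DC behaviour from the mail
        self.attrs: Dict[str, List[str]] = {}

    def set_dns_hostname(self, fqdn: str) -> None:
        fqdn = fqdn.lower()
        # Win2k DC: dNSHostName must lie inside the realm's DNS name.
        # WinXP observation in the mail: the modify succeeds regardless.
        if self.strict_dns and not fqdn.endswith("." + self.realm):
            raise ConstraintViolation(f"{fqdn} is outside realm {self.realm}")
        self.attrs["dNSHostName"] = [fqdn]

    def add_spns(self, shortname: str, fqdn: str, services=("HOST",)) -> List[str]:
        fqdn = fqdn.lower()
        # Guenther's note: fqdn SPNs cannot be added before dNSHostName is set.
        if self.attrs.get("dNSHostName") != [fqdn]:
            raise ConstraintViolation("dNSHostName must be set to the fqdn first")
        spns = self.attrs.setdefault("servicePrincipalName", [])
        for svc in services:                        # Win2k client: HOST/ only;
            for host in (fqdn, shortname.lower()):  # CIFS/ as seen by Guenther
                spn = f"{svc}/{host}"
                if spn not in spns:
                    spns.append(spn)
        return list(spns)


def join_reboot(realm, shortname, fqdn, strict_dns=True, services=("HOST",)):
    """Simulate the post-join reboot: set dNSHostName, then the SPNs.
    Returns the resulting attributes, or the constraint error message."""
    acct = MachineAccount(realm, strict_dns)
    try:
        acct.set_dns_hostname(fqdn)
        acct.add_spns(shortname, fqdn, services)
    except ConstraintViolation as exc:
        return {"error": str(exc)}
    return acct.attrs
```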