Draft #3: Re: [patch] net ads join rework

Gerald (Jerry) Carter jerry at samba.org
Thu May 11 05:07:09 GMT 2006

Hash: SHA1

Guenther Deschner wrote:

> At least those attributes are settable via LDAP post the 
> rpc join when just binding with the machine account (no
> admin privs needed):
> dNSHostName: mthelena.ber.suse.de
> servicePrincipalName: CIFS/mthelena.ber.suse.de
> servicePrincipalName: HOST/mthelena.ber.suse.de
> servicePrincipalName: CIFS/mthelena
> servicePrincipalName: HOST/mthelena
> (note that you can't add the fqdn SPNs before the 
> dNSHostName is set).
> remains only the UPN which neither the machine account 
> nor the privileged user (not an admin) can change via LDAP.

Here's some data points from a Win2k client join an Windows 2000
AD domain.

The HOST/shortname and HOST/fqdn SPN are added during the
subsequent reboot after a join as is the dNSHostName.
If the dNSHostName is outside the realm's DNS name,
the AD DC throws a constraint error for the ldap modify.
The client continues to attempt to create these principals
during each reboot.  And of course, with the SPN values,
and TGS_REQ queries fail and so the SMBsesssetup falls
back to NTLMSSP.

Checking a WinXP client, I see the same LDAP modify
request but withour the control
and the dNSHostName mod succeeds regardless of whether the
domain matches the realm or not.

I only see HOST/xxx being created and not CIFS/xxx.  Was
this something introduced in Windows 2003 ?  I think I've
asked this before but don't remember the answer.

cheers, jerry
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org


More information about the samba-technical mailing list