Draft #3: Re: [patch] net ads join rework

Gerald (Jerry) Carter jerry at samba.org
Thu May 11 05:38:19 GMT 2006

Hash: SHA1

On Wed, 10 May 2006, Gerald (Jerry) Carter wrote:

> Here's some data points from a Win2k client join an Windows 2000
> AD domain.
> The HOST/shortname and HOST/fqdn SPN are added during the
> subsequent reboot after a join as is the dNSHostName.
> If the dNSHostName is outside the realm's DNS name,
> the AD DC throws a constraint error for the ldap modify.
> The client continues to attempt to create these principals
> during each reboot.  And of course, with the SPN values,
> and TGS_REQ queries fail and so the SMBsesssetup falls
> back to NTLMSSP.
> Checking a WinXP client, I see the same LDAP modify
> request but withour the control
> (http://www.alvestrand.no/objectid/1.2.840.113556.1.4.1413.html)
> and the dNSHostName mod succeeds regardless of whether the
> domain matches the realm or not.
> I only see HOST/xxx being created and not CIFS/xxx.  Was
> this something introduced in Windows 2003 ?  I think I've
> asked this before but don't remember the answer.

I've tried with an XP client joining a CIFS domain and I still don't
see the CIFS/xxx SPN.  Although I have seen an XP client use theis 
principal name in the TGS_REQ prior ot an SMBsesssetup&X.
I'll search the archives since I know this has been answered before.

cheers, jerry
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/


More information about the samba-technical mailing list