Draft #3: Re: [patch] net ads join rework

Gerald (Jerry) Carter jerry at samba.org
Thu May 11 05:38:19 GMT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 10 May 2006, Gerald (Jerry) Carter wrote:

> Here are some data points from a Win2k client joining a Windows 2000
> AD domain.
> 
> The HOST/shortname and HOST/fqdn SPNs are added during the
> subsequent reboot after a join, as is the dNSHostName.
> If the dNSHostName is outside the realm's DNS name,
> the AD DC throws a constraint error for the LDAP modify.
> The client continues to attempt to create these principals
> during each reboot.  And of course, without the SPN values,
> TGS_REQ queries fail and so the SMBsesssetup falls
> back to NTLMSSP.
> 
> Checking a WinXP client, I see the same LDAP modify
> request but without the control
> (http://www.alvestrand.no/objectid/1.2.840.113556.1.4.1413.html),
> and the dNSHostName mod succeeds regardless of whether the
> domain matches the realm or not.
> 
> I only see HOST/xxx being created and not CIFS/xxx.  Was
> this something introduced in Windows 2003?  I think I've
> asked this before but don't remember the answer.

I've tried with an XP client joining a CIFS domain and I still don't
see the CIFS/xxx SPN, although I have seen an XP client use this
principal name in the TGS_REQ prior to an SMBsesssetup&X.
I'll search the archives since I know this has been answered before.

cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQFEYs3NIR7qMdg1EfYRAjKDAJ4+tEqKIjFfkntj0xxKAdAQ82OdfACfdz0i
el9545PgLo892qRB4zuPv6k=
=+2Y0
-----END PGP SIGNATURE-----
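The post-join sequence Jerry describes (SPN and dNSHostName registration on the first reboot, the constraint error for a name outside the realm, and the NTLMSSP fallback once the TGS_REQ cannot be satisfied) modelled as an added example. This is my own illustration, not Samba code and not a reconstruction of the Windows client: the hostnames and realm are constructed, the control OID is taken from the mail and treated only as "present on the Win2k modify, absent on the XP one", the DC's accept/reject rule is modelled purely from the observations above (not from any specification), and the assumption that a failed modify leaves both dNSHostName and the HOST/ SPNs unset is mine. The cifs/ to host/ aliasing comes from the default AD sPNMappings attribute, which the page does not mention; it is included because it is what lets a cifs/fqdn ticket request be served by a HOST/fqdn SPN.

```python
"""Model of join-time SPN / dNSHostName registration and the Kerberos-to-NTLMSSP
fallback.  Added example only; not Samba's code and not a protocol reference."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# LDAP control OID quoted in the mail.  Assumption: the Win2k client attaches it
# to its post-reboot modify, the XP client does not.
CONTROL_OID = "1.2.840.113556.1.4.1413"

# Subset of the default AD sPNMappings (host=...) list; these service classes are
# resolved against HOST/ SPNs.  Not from the page; a known AD default.
HOST_ALIASES = {"host", "cifs", "http", "www", "rpcss", "netlogon", "spooler"}


@dataclass
class MachineAccount:
    """The attributes of a computer object that matter for this discussion."""
    sam_account_name: str
    dns_host_name: Optional[str] = None
    service_principal_names: Set[str] = field(default_factory=set)


def in_realm(fqdn: str, realm: str) -> bool:
    """True when fqdn lies under the realm's DNS domain (EXAMPLE.COM -> .example.com)."""
    return fqdn.lower().endswith("." + realm.lower())


def expected_spns(shortname: str, fqdn: str) -> Set[str]:
    """The two SPNs observed in the mail: HOST/<NETBIOS name> and HOST/<fqdn>."""
    return {f"HOST/{shortname.upper()}", f"HOST/{fqdn.lower()}"}


def dc_post_reboot_modify(acct: MachineAccount, shortname: str, fqdn: str,
                          realm: str, controls: Tuple[str, ...] = ()) -> str:
    """Simulate the DC's answer to the client's post-reboot LDAP modify, using only
    the observed rule: constraintViolation when the control is attached and the
    dNSHostName is outside the realm, success otherwise.  Assumption: dNSHostName
    and the SPNs travel in one modify, so a failure lands neither."""
    if CONTROL_OID in controls and not in_realm(fqdn, realm):
        return "constraintViolation"
    acct.dns_host_name = fqdn
    acct.service_principal_names |= expected_spns(shortname, fqdn)
    return "success"


def resolve_spn(requested: str, acct: MachineAccount) -> Optional[str]:
    """KDC-side lookup of a TGS_REQ target: fold aliased service classes to host and
    match case-insensitively against what the account actually registered."""
    svc, _, host = requested.partition("/")
    if not host:
        return None
    svc = "host" if svc.lower() in HOST_ALIASES else svc.lower()
    for spn in acct.service_principal_names:
        rsvc, _, rhost = spn.partition("/")
        rsvc = "host" if rsvc.lower() in HOST_ALIASES else rsvc.lower()
        if rsvc == svc and rhost.lower() == host.lower():
            return spn
    return None


def session_setup_auth(requested_spn: str, acct: MachineAccount) -> str:
    """Mechanism the SMB client ends up with: Kerberos if the TGS_REQ can be
    satisfied, otherwise the NTLMSSP fallback described in the mail."""
    return "kerberos" if resolve_spn(requested_spn, acct) else "ntlmssp"


def simulate_join(shortname: str, fqdn: str, realm: str,
                  sends_control: bool) -> Tuple[MachineAccount, str]:
    """Join, reboot, and replay the post-reboot modify for one constructed client."""
    acct = MachineAccount(sam_account_name=f"{shortname.upper()}$")
    controls = (CONTROL_OID,) if sends_control else ()
    result = dc_post_reboot_modify(acct, shortname, fqdn, realm, controls)
    return acct, result


if __name__ == "__main__":
    # Constructed cases: in-realm Win2k, out-of-realm Win2k, out-of-realm XP.
    for name, fqdn, ctl in (("wks1", "wks1.example.com", True),
                            ("wks2", "wks2.corp.example.net", True),
                            ("wks3", "wks3.corp.example.net", False)):
        acct, res = simulate_join(name, fqdn, "EXAMPLE.COM", ctl)
        print(f"{fqdn}: modify={res} spns={sorted(acct.service_principal_names)} "
              f"cifs/{fqdn} -> {session_setup_auth(f'cifs/{fqdn}', acct)}")
```

The second case reproduces the symptom chain in the mail: the modify is refused, no HOST/ SPN ever lands, the cifs/ TGS_REQ finds nothing to match, and session setup drops to NTLMSSP. The third case is the XP observation, where the same out-of-realm name is accepted because the control is absent.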

