samba 4 TP3 and Windows SSPI
Joshua Masiko
geniedren at gmail.com
Thu Nov 9 14:33:10 GMT 2006
DsWriteAccountSpn allows you to de-couple the way the client connects from
the account the server is running under.
It basically maps a service principal name to the server account such that
in InitializeSecurityContext the client can specify the SPN as the target
without knowing the account under which the server is running. Details are
on MSDN online.
Which brings me to another problem.
When running the server under any domain account other than
localsystem (e.g. joshua), InitializeSecurityContext fails. A look at the
Samba log shows:
Kerberos: Principal may not act as server -- joshua at YOUR.REALM
Running the server under the localsystem account works, since it uses the
machine account and one can use DOMAIN\machinename$ as the target in
InitializeSecurityContext.
On 11/9/06, Andrew Bartlett <abartlet at samba.org> wrote:
>
> On Wed, 2006-11-08 at 17:56 +0300, Joshua Masiko wrote:
> > Using DsWriteAccountSpn on a domain account fails. Samba verbose log says:
> >
> > dcerpc fault in call drsuapi:0d DCERPC_FAULT_OP_RNG_ERROR.
> >
> > Does that mean it's not implemented?
>
> Yes, it means it's not implemented. I'm happy to look at implementing
> it however.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Red Hat Inc. http://redhat.com