msdfs and AD troubles
Jeremy Allison
jra at samba.org
Fri Apr 13 18:42:58 GMT 2007
On Fri, Apr 13, 2007 at 01:49:27PM -0400, Jim McDonough wrote:
> Jerry, here are two captures of what I mentioned earlier. Basically, when
> kerberos authentication happens (I've connected to a server using its own
> netbios name, the one that was used during join), the q_path_info (frame 73)
> does not have the dfs bit on in flags2. When we fall back to ntlm (I
> connect to the same server using a netbios alias which does not have an spn
> in AD, so the TGS_REQ fails, not because the user's principal is wrong, but
> because the server's principal is unknown), the q_path_info (frame 71) has
> the dfs bit on. My DC is 2k3, client is 2k pro.
>
> What I'm wondering is do we have to have some other missing piece in for
> AD.
What version of the server are you using here? I know you're not
using current SAMBA_3_0_25 'cos the client is requesting an extended
tconX response in frame 42 in the dfs-krb5.cap and the server is not
responding with the 7 word response. I fixed that for 3.0.25rc1.
This may matter.
Jeremy.
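
The two checks discussed in this thread (the DFS bit in flags2 on a q_path_info request, and whether a tree connect AndX reply carries the 7-word extended response when the client asked for it), as an added example that is not part of the original messages or of Samba's code. Constant and function names are local to this sketch, the field offsets assume the standard SMB1 wire layout, and the sample messages are constructed rather than taken from the captures mentioned above.

```python
import struct

# Local names for SMB1 constants (values per the SMB1/CIFS wire format).
SMB1_MAGIC = b"\xffSMB"
HDR_LEN = 32
FLAGS_REPLY = 0x80               # Flags: message is a server response
FLAGS2_DFS = 0x1000              # Flags2: client wants paths resolved via DFS
CMD_TRANS2, CMD_TCONX = 0x32, 0x75
TRANS2_QPATHINFO = 0x0005        # TRANS2_QUERY_PATH_INFORMATION subcommand
TCONX_EXTENDED_RESPONSE = 0x0008 # tree connect AndX request flag

def inspect(msg):
    """Pull out the header and parameter-word fields the thread compares."""
    if len(msg) < HDR_LEN + 1 or msg[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    cmd, flags = msg[4], msg[9]
    (flags2,) = struct.unpack_from("<H", msg, 10)
    wct = msg[HDR_LEN]
    words = msg[HDR_LEN + 1:HDR_LEN + 1 + 2 * wct]
    if len(words) != 2 * wct:
        raise ValueError("truncated parameter words")
    reply = bool(flags & FLAGS_REPLY)
    out = {"command": cmd, "reply": reply, "word_count": wct,
           "dfs": bool(flags2 & FLAGS2_DFS)}
    if cmd == CMD_TCONX and not reply and wct >= 3:
        out["extended_requested"] = bool(
            struct.unpack_from("<H", words, 4)[0] & TCONX_EXTENDED_RESPONSE)
    if cmd == CMD_TRANS2 and not reply and wct >= 15:
        out["qpathinfo"] = struct.unpack_from("<H", words, 28)[0] == TRANS2_QPATHINFO
    return out

def tconx_extended_ignored(request, response):
    """True when the client asked for the extended tconX reply but did not get 7 words."""
    req, rsp = inspect(request), inspect(response)
    return bool(req.get("extended_requested")) and rsp["word_count"] != 7

def sample(cmd, flags, flags2, words):
    """Build a constructed SMB1 message: 32-byte header, words, empty byte block."""
    hdr = SMB1_MAGIC + bytes([cmd]) + b"\0" * 4 + bytes([flags])
    hdr += struct.pack("<H", flags2) + b"\0" * 20
    return hdr + bytes([len(words) // 2]) + words + b"\0\0"

# Constructed samples, not taken from the captures in the thread.
TCONX_REQ = sample(CMD_TCONX, 0, 0, b"\xff\0\0\0" + struct.pack("<HH", 0x0008, 1))
TCONX_RSP_3 = sample(CMD_TCONX, FLAGS_REPLY, 0, b"\xff\0\0\0" + b"\0" * 2)
TCONX_RSP_7 = sample(CMD_TCONX, FLAGS_REPLY, 0, b"\xff\0\0\0" + b"\0" * 10)
QPATH_NO_DFS = sample(CMD_TRANS2, 0, 0x0000, b"\0" * 28 + struct.pack("<H", 5))
QPATH_DFS = sample(CMD_TRANS2, 0, FLAGS2_DFS, b"\0" * 28 + struct.pack("<H", 5))
```

To use it on real traffic, pass `inspect()` the SMB payload of a frame with the 4-byte NetBIOS session header already stripped.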