Windows 2008 Interop fixes

Todd Stecher todd.stecher at isilon.com
Mon Aug 13 23:37:45 GMT 2007


Sorry this took so long - fishing, vacation, and work crisis all  
delayed this.  As it sits, I still need to test the below a bit more,  
but my W2008 environment has gone haywire.

Rather than delay an extra day, I figured I'd get this out for review  
so I can incorporate feedback into my testing.  A version of this fix  
(which matches the Isilon code base) has been well tested in NT4, and  
W2003 / W2000 domains.

Basically, this boils down to accommodating changes in the SPNEGO  
protocol, which no longer returns valid principals in the  
NegTokenInit, and changes when negotiating Netlogon secure channel
flags.  Thanks to Wanon, Volker, Andrew, metze and others for helping  
me along the way.  I expect a "final" version to be posted some time  
in the next couple of days (unless there's another emergency which  
arises in my unpredictable life).

I had to tweak things somewhat to fit into the 3_0_release branch, as  
our code is always a release or 2 behind - this really boils down to  
creating a new function, translate_name(), to convert from a "short  
name" domain name to a FQDN - the FQDN is required to get Kerberos  
authentication working, rather than fall back on NTLM anytime we see  
a bogus principal in the NegTokenInit.


Thanks!
Todd



Todd Stecher | Windows Interop Dev
Isilon Systems    P +1-206-315-7500     F  +1-206-315-7501
www.isilon.com    D +1-206-315-7638    M +1-425-205-1180
