Windows 2000 DC not returning a principal name in the first round of SPNEGO

Gerald (Jerry) Carter jerry at samba.org
Sat Feb 10 20:22:03 GMT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Gerald (Jerry) Carter wrote:
> Gerald (Jerry) Carter wrote:
>>> Anyone seen this before?  I'm seeing the same behavior in the
>>> negprot reply and the ldap sasl bind.
>>>
>>> And then when I request a TGS for ldap/fqdn at realm of the
>>> DC in a child domain (using the cross realm trust between
>>> the root domain and child) I get a "stream modified" error.
>>>
>>> Either of these ring a bell with anyone?
> 
> Gah!  Never mind.  I get the same krb5 error when trying to
> connect from an XP client joined to the root domain.  This has
> got to be a Windows bug.  Time to reboot the DC and see if
> that makes any difference.

Another update.  The child domain has 2 DCs (both Windows 2000).
If one DC gets the TGS_REQ, it succeeds.  If the other gets
it, the request fails with the "stream modified" krb5 error.
And since the Windows 2003 DNS server round robins the DNS
records for _kerberos._tcp.<child domain>, this fails 50% of
the time.

So my guess is a replication failure happened somewhere in
the past.

* Move along.  Nothing to see here....





cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFzilqIR7qMdg1EfYRAk9RAKC3QpxObe5n9lGhO3OOyVup5OQacgCgr2rW
grob4jnK+W3id4YlTn7grb4=
=dAMo
-----END PGP SIGNATURE-----

