Wnidows 2000 DC not returning a principal name in the first round of SPNEGO

Gerald (Jerry) Carter jerry at samba.org
Sat Feb 10 20:22:03 GMT 2007

Hash: SHA1

Gerald (Jerry) Carter wrote:
> Gerald (Jerry) Carter wrote:
>>> Anyone seen this before?  I'm seeing the same behavior in the
>>> negprot reply and the ldap sasl bind.
>>> And then when I request a TGS for ldap/fqdn at realm of the
>>> DC in a child domain (using the cross realm trust between
>>> the root domain and child) I get a "stream modified" error.
>>> Either of these ring a bell with anyone?
> Gah!  never mind.  I get the same krb5 error when trying to
> connect from an XP client join to the root domain.  This has
> got to be a Windows bug.  Time to reboor the DC and see if
> that makes any difference.

Another update.  The child domain has 2 DCs (both Windows 2000).
If one DC gets the TGS_REQ, it succeeds.  If the other gets
it, the request fails with the "stream modified" krb5 error.
And since the Windows 2003 DNS server round robins the DNS
records for _kerberos._tcp.<child domain>, this fails 50% of
the time.

So my guess is a replication failure happened somewhere in
the past.

* Move along.  Nothing to see here....

cheers, jerry
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
Version: GnuPG v1.4.3 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba-technical mailing list