samba4 and vista SP1 member

Andrew Bartlett abartlet at
Mon Mar 24 23:56:08 GMT 2008

On Sun, 2008-03-23 at 21:32 -0400, Stephen Roylance wrote:
> Scott Lovenberg wrote:
> > Stephen Roylance wrote:
> >> Scott Lovenberg wrote:
> >>> Stephen Roylance wrote:
> >>>> I upgraded my vista system to SP1 and it seems my domain membership 
> >>>> with samba4 has broken.  I unjoined the system from the domain and 
> >>>> am unable to rejoin.
> >>>> I have debug level 5 logs from the time around the rejoin, the only 
> >>>> indications of failure I see are a few instances of these two lines:
> >>>> Kerberos: Failed to decrypt enc-authorization-data
> >>>> Kerberos: Failed parsing TGS-REQ from
> >>>>
> >>>> Any advice appreciated.
> >>>> -Steve
> >>>>
> >>>>
> >>>>
> >>>
> >>> Did it create a new SID?
> >>>
> >> I deleted the machine account with phpldapadmin, the attempted join 
> >> process did not create a new one.
> >>
> > Arg.  I assume your clocks are synced up to within a tolerable amount 
> > (I don't know if SP1 changes time server settings or anything - I've 
> > not yet had the pleasure of supporting it ;) ) of time for krb?  Just 
> > a knee-jerk reaction, but I always overlook the simple stuff, personally.
> When the machine was joined correctly it looked like it was doing NTP 
> with the DC, but that doesn't seem to be working anymore.  I got it 
> synchronized within a few seconds manually.

For Samba4 to provide an NTP service we need to patch NTP, and then make
it link across to our long term secrets database.  

The crypto Microsoft uses here is hideous - the NTP server either needs
to call us to compute the MD5 of (part of) the packet with the machine
password, or we need to expose all our machine passwords to NTP...

There is (apparently) a patch in the SuSE NTP SRPM for a plugin layer,
that was added for XAD, so if someone wants to take this on, it would be
the place to start. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list