Modifications in Windows 2k8 R2 that prevent krb5 referral in RODC setup?

Joshua Hawkinson jhawkinson at
Mon Sep 27 14:06:33 MDT 2010

Yeah, I'm currently thinking that it may be best to put another check into ads_sasl_spnego_krb5_bind to check if the domain is writable, and if not perform the gsskrb5 bind (much like the sasl / ldap wrapping conditional). While it does lead to the DNS and clock sync sensitivity -- it is much better than a flat-out failure. I'm still reviewing the krb5 packages to see if MIT will ever set this field correctly. I've also noticed that there are others in this configuration complaining about samba servers dropping off the domain (which is the same end result here since we can bind against the RODC if we first gather a ticket from the writable DC -- so we see inconsistent results if you're not keeping a sharp eye)... at any rate we'll keep the list posted and update once the information gathering is complete.

Love, thank you very much for pointing out the difference there. Hopefully it'll lead to a good fix for this!

Joshua Hawkinson

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at]
Sent: Monday, September 27, 2010 10:53 AM
To: Joshua Hawkinson
Cc: Love Hörnquist Åstrand; Bill Fellows; samba-technical at
Subject: RE: Modifications in Windows 2k8 R2 that prevent krb5 referral in RODC setup?

On Fri, 2010-09-24 at 16:04 -0700, Joshua Hawkinson wrote:
> Oops!
> s/LDAP signing/sasl signing/g

Yeah, the codepaths in Samba 3.x for SASL/GSSAPI and SASL/GSS-SPNEGO are very different when signing or sealing is enabled, which explains the difference here.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Cisco Inc.
