problem accessing domain-based DFS with kerberos auth
Alexander Bokovoy
ab at samba.org
Wed Jan 11 14:36:34 UTC 2017
On Wed, 11 Jan 2017, Aurélien Aptel wrote:
> Hi Stefan,
>
> Stefan Metzmacher <metze at samba.org> writes:
> > Can you make a capture of everything the (windows) client does starting
> > with the boot
> > from the bios.
>
> http://diobla.info/tmp/win-domain-dfs.pcapng
>
> When capturing earlier like this I can indeed see more DNS and LDAP
> queries. It might be from one of them.

The Windows client does a CLDAP ping
(https://msdn.microsoft.com/en-us/library/cc223811.aspx) with the filter
(&(&(&(DnsDomain=ForestDnsZones.suse.de)(Host=IE11WIN8_1))(NtVer=0x20000016))(DnsHostName=IE11Win8_1.suse.de))
and gets a response with a DC hostname of WS2016.suse.de:

NtVer=0x2000016 means the VCS bit is set (the client has asked for the closest
site information), so the DC returns this information as part of the V5Ex
response.

See https://msdn.microsoft.com/en-us/library/cc223813.aspx for details
of the algorithm on the server side.

I guess it then uses the DC hostname for further communications after it
got the closest site's DC data in the CLDAP ping response.

--
/ Alexander Bokovoy
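
Decoding the NtVer value from the CLDAP ping filter quoted above, as an added example that is not part of the original mail or of Samba's code. The bit values follow the NETLOGON_NT_VERSION table in MS-ADTS, the function names are hypothetical, and the escaped-byte form goes beyond the mail to cover how the value appears in a raw LDAP filter string.

```python
import re

# NETLOGON_NT_VERSION bits per MS-ADTS, keyed by the short names the mail uses.
NT_VERSION_BITS = {
    "V1": 0x00000001, "V5": 0x00000002, "V5EX": 0x00000004,
    "V5EP": 0x00000008, "VCS": 0x00000010, "VNT4": 0x01000000,
    "VPDC": 0x10000000, "VIP": 0x20000000, "VL": 0x40000000,
    "VGC": 0x80000000,
}
KNOWN_MASK = sum(NT_VERSION_BITS.values())

# Filter string copied from the mail (display form, as a packet dissector shows it).
SAMPLE_FILTER = ("(&(&(&(DnsDomain=ForestDnsZones.suse.de)(Host=IE11WIN8_1))"
                 "(NtVer=0x20000016))(DnsHostName=IE11Win8_1.suse.de))")

def parse_ping_filter(flt):
    """Return {attribute: value} for every (attr=value) leaf of the filter."""
    return dict(re.findall(r"\(([A-Za-z]+)=([^()]*)\)", flt))

def parse_ntver(value):
    """Accept 0x-prefixed hex or four escaped little-endian octets (\\16\\00\\00\\20)."""
    if value.lower().startswith("0x"):
        return int(value, 16)
    octets = re.findall(r"\\([0-9A-Fa-f]{2})", value)
    if len(octets) != 4 or "".join("\\" + o for o in octets) != value:
        raise ValueError("unrecognised NtVer encoding: %r" % value)
    return int.from_bytes(bytes(int(o, 16) for o in octets), "little")

def decode_ntver(ntver):
    """Name the set bits and the response structure a DC would pick for them."""
    if ntver & (NT_VERSION_BITS["V5EX"] | NT_VERSION_BITS["V5EP"]):
        response = "NETLOGON_SAM_LOGON_RESPONSE_EX"
    elif ntver & NT_VERSION_BITS["V5"]:
        response = "NETLOGON_SAM_LOGON_RESPONSE"
    else:
        response = "NETLOGON_SAM_LOGON_RESPONSE_NT40"
    return {
        "flags": [n for n, bit in NT_VERSION_BITS.items() if ntver & bit],
        "unknown_bits": ntver & ~KNOWN_MASK,
        "closest_site": bool(ntver & NT_VERSION_BITS["VCS"]),
        "response": response,
    }

def describe_ping(flt):
    """Parse a CLDAP ping filter and decode its NtVer attribute."""
    attrs = parse_ping_filter(flt)
    return dict(attrs, **decode_ntver(parse_ntver(attrs["NtVer"])))

if __name__ == "__main__":
    print(describe_ping(SAMPLE_FILTER))
```

Non-zero `unknown_bits` in the result is worth checking against the capture, since it usually means the value was mistyped or mis-copied.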