[Samba] Re: net rpc vampire - cannot login to migrated
abartlet at samba.org
Mon Nov 14 22:52:34 GMT 2005
On Mon, 2005-11-14 at 11:59 +0100, Christoph Peus wrote:
> Yes, but what's the underlying technical cause for the cause? ;-)
> It would be interesting to see how two identical XP machines would
> differ after having joined the one to a NT4-Domain and the other to an
> ADS domain. Which regkeys differ? Has somebody tried to make a "back to
> NT4-Style trust" conversation tool for Win2k/XP machines?
> Otherwise I have to search a solution now for the task of letting 500
> clients rejoin the domain unattended/automatically somehow.
So, back in the early days of Samba3, a new RPC (QueryInfoPolicy2 on
lsarpc) was added, as we started to understand a bit more about ADS.
The problem was, this was found to be the 'are you ADS' call, and seemed
to create a ratchet-like mechanism. Being the silly boy I am, I was
running early Samba 3.0 pre-release code in production, and I still have
a lab of machines that I joined to that domain, while it was 'sort of
ADS'. While in this case they still worked with Samba3, they would not
honour the NT4 style system policies.
It was a mess, and we quickly removed this call from Samba, so that we
would not over-state our capabilities.
On the flip side, with Samba4 we can now really do ADS style logins, and
we really support the new RPCs, LDAP, Kerberos (including the PAC) and
all the rest...
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net