[Samba] Re: net rpc vampire - cannot login to migrated computer accounts
Christoph Peus
cp at uni-wh.de
Tue Nov 15 12:26:00 GMT 2005
Andrew Bartlett wrote:
>>Yes, but what's the underlying technical cause for the cause? ;-)
>>It would be interesting to see how two identical XP-machines would
>>differ after having joined the one to a NT4-Domain and the other to an
>>ADS domain. Which regkeys differ? Has somebody tried to make a "back to
>>NT4-Style trust" conversation tool for Win2k/XP-machines?
>>Otherwise I have to search a solution now for the task of letting 500
>>clients rejoin the domain unattended/automatically somehow.
>
>
> So, back in the early days of Samba3, a new RPC (QueryInfoPolicy2 on
> lsarpc) was added, as we started to understand a bit more about ADS.
>
> The problem was, this was found to be the 'are you ADS' call, and seemed
> to create a ratchet-like mechanism. Being the silly boy I am, I was
> running early Samba 3.0 pre-release code in production, and I still have
> a lab of machines that I joined to that domain, while it was 'sort of
> ADS'. While in this case they still worked with Samba3, they would not
> honour the NT4 style system policies.

Ok, but knowing that samba-3 is not ADS capable regarding machine
accounts I'm now looking for how to make an ADS capable Windows client
use NT4-Style, not how to make samba accept ADS-Style login attempts ;-)

> On the flip side, with Samba4 we can now really do ADS style logins, and
> we really support the new RPCs, LDAP, Kerberos (including the PAC) and
> all the rest...

You surely know that this is the type of statement which makes users ask
when a production ready version of samba 4 will be available... ;-)

Christoph