[Samba] Re: net rpc vampire - cannot login to migrated computer accounts

Christoph Peus cp at uni-wh.de
Tue Nov 15 12:26:00 GMT 2005

Andrew Bartlett wrote:

>>Yes, but what's the underlying technical cause for the cause? ;-)
>>It would be interesting to see how two identical XP-maschines would 
>>differ after having joined the one to a NT4-Domain and the other to an 
>>ADS domain. Which regkyes differ? Has somebody tried to make a "back to 
>>NT4-Style trust" conversation tool for Win2k/XP-maschines?
>>Otherwise I have to search a solution now for the task of letting 500 
>>clients rejoin the domain unattended/automatically somehow.
> So, back in the early days of Samba3, a new RPC (QueryInfoPolicy2 on
> lsarpc) was added, as we started to understand a bit more about ADS.  
> The problem was, this was found to be the 'are you ADS' call, and seemed
> to create a rachet like mechanism.  Being the silly boy I am, I was
> running early Samba 3.0 pre-release code in production, and I still have
> a lab of machines that I joined to that domain, while it was 'sort of
> ADS'.  While in this case they still worked with Samba3, they would not
> honour the NT4 style system policies.

Ok, but knowing that samba-3 is not ADS capable regarding maschine 
accounts I'm now looking for howto make an ADS capable Windows client 
use NT4-Style, not how to make samba accept ADS-Style login attempts ;-)

> On the flip side, with Samba4 we can now really do ADS style logins, and
> we really support the new RPCs, LDAP, Kerberos (including the PAC) and
> all the rest...

You surely know that this is the type of statement which makes users ask 
when a production ready version of samba 4 will be available...  ;-)


More information about the samba mailing list