[Samba] Samba4 KDC Windows 7 clients may fail to get a ticket

Andrew Bartlett abartlet at samba.org
Thu Oct 4 15:26:53 MDT 2012

On Wed, 2012-10-03 at 11:15 +0400, Dmitry Khromov wrote:
> On Wed, 03 Oct 2012 16:22:27 +1000
> Andrew Bartlett <abartlet at samba.org> wrote:
> > What happens when this error occurs?  Does something fail on the client?
> An error like "cannot establish domain trust" (sorry, it's in Russian) appears on the logon screen when you try to log in using any credentials. The client doesn't even request a user ticket from the KDC.
> > Is this only shortly after a machine account password change, and
> > pending replication?  Does the client retry with the previous machine
> > account password?
> No, we hadn't touched these accounts for months already (and had joined the Samba DC 5 days ago). By the way, XP stations (we have more XPs than Sevens) are unaffected.

WinXP won't use the AES password, so that's expected. 

The first guess I have is salting:  Can you get me a comparative network
trace between the Windows AD DC and the Samba4 AD DC?


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
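
An added illustration of the salting guess above (not part of the original message, and not Samba code): the AES string-to-key of RFC 3962 begins with PBKDF2-HMAC-SHA1 over password and salt, so a DC that advertises a different salt for the same machine account leads the client to a different key, while RC4-HMAC, which WinXP uses, is unsalted. The realm, host name and password are constructed, the salt layout is the MS-KILE one for computer accounts, and only the PBKDF2 step is computed, not the final DK() derivation.

```python
import hashlib

ITERATIONS = 4096   # RFC 3962 default iteration count
AES256_LEN = 32     # bytes of PBKDF2 output for aes256-cts-hmac-sha1-96


def computer_salt(realm: str, sam_account_name: str) -> bytes:
    """MS-KILE salt for a computer account:
    REALM (upper) + "host" + name (lower, no trailing "$") + "." + realm (lower)."""
    host = sam_account_name.rstrip("$").lower()
    return (realm.upper() + "host" + host + "." + realm.lower()).encode("utf-8")


def aes256_pbkdf2(password: str, salt: bytes) -> bytes:
    """PBKDF2 stage of the RFC 3962 string-to-key; this is where the salt enters."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, AES256_LEN)


def salt_matches(password: str, realm: str, sam_account_name: str,
                 advertised_salt: bytes):
    """Compare the salt a KDC advertised (e.g. read from ETYPE-INFO2 in a
    network trace) with the expected one, and report whether both salts
    lead to the same key material."""
    expected = computer_salt(realm, sam_account_name)
    same_key = (aes256_pbkdf2(password, expected)
                == aes256_pbkdf2(password, advertised_salt))
    return expected, same_key


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    realm, machine, password = "example.com", "WIN7PC$", "constructed-machine-pw"
    candidates = {
        "trace A (constructed)": b"EXAMPLE.COMhostwin7pc.example.com",
        "trace B (constructed)": b"EXAMPLE.COMhostWIN7PC.example.com",
    }
    for label, salt in candidates.items():
        expected, ok = salt_matches(password, realm, machine, salt)
        print(f"{label}: salt={salt!r} expected={expected!r} same key: {ok}")
```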
