[Samba] Windows Remote Assistance fails
Andrew Bartlett
abartlet at samba.org
Tue Jan 6 19:12:16 MST 2015
On Mon, 2015-01-05 at 16:18 -0500, Ryan Bair wrote:
> I attempted to set up unsolicited remote assistance via group policy, but
> connections to the client machines fail.
>
> A network trace show the 'expert' machine doing a TGS-REQ to the DC which
> responds with a KRB5KDC_ERR_POLICY. This seems to be the origin of the
> problem.
>
> I noticed in the request, the username of the 'novice' is given as the
> Server Name but is otherwise pretty unremarkable.
>
> Has anyone successfully gotten this working on a Samba4 AD domain?
Try giving the user an SPN. That should make it work.
I need to work out what the right clue is in AD to enable an account as
a server, without an SPN, as otherwise we would allow offline attacks on
the user (rather than machine, which should be more complex) passwords.
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list