[Samba] Windows Remote Assistance fails

Andrew Bartlett abartlet at samba.org
Tue Jan 6 19:12:16 MST 2015

On Mon, 2015-01-05 at 16:18 -0500, Ryan Bair wrote:
> I attempted to set up unsolicited remote assistance via group policy, but
> connections to the client machines fail.
> A network trace shows the 'expert' machine doing a TGS-REQ to the DC which
> responds with a KRB5KDC_ERR_POLICY. This seems to be the origin of the
> problem.
> I noticed in the request, the username of the 'novice' is given as the
> Server Name but is otherwise pretty unremarkable.
> Has anyone successfully gotten this working on a Samba4 AD domain?

Try giving the user an SPN.  That should make it work.   

I need to work out what the right clue is in AD to enable an account as
a server, without an SPN, as otherwise we would allow offline attacks on
the user (rather than machine, which should be more complex) passwords. 

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
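
Added example (not part of the original message and not Samba code): a defensive check for the exposure the reply describes. It lists user accounts, as opposed to machine accounts, that carry a servicePrincipalName, reading LDIF text such as a directory export. The sample entries, account names and SPN values are constructed.

```python
# Constructed sample in LDIF form; all names and SPN values are hypothetical.
SAMPLE_LDIF = """\
dn: CN=novice1,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: novice1
servicePrincipalName: HOST/novice1-
 placeholder

dn: CN=WS01,CN=Computers,DC=example,DC=test
objectClass: user
objectClass: computer
sAMAccountName: WS01$
servicePrincipalName: HOST/ws01.example.test

dn: CN=expert1,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: expert1
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]       # folded line continues the previous one
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def user_accounts_with_spn(entries):
    """Accounts that have an SPN and are users but not computer accounts."""
    hits = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        spns = e.get("serviceprincipalname", [])
        if spns and "user" in classes and "computer" not in classes:
            hits.append((e.get("samaccountname", ["?"])[0], spns))
    return hits

if __name__ == "__main__":
    print(user_accounts_with_spn(parse_ldif(SAMPLE_LDIF)))
```

Accounts it reports are candidates for a long random password or for having the SPN removed once it is no longer needed.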
