[xad] Re: Problems with WinXP joining a Samba-head domain (and suggested solutions)

[Luke Kenneth Casson Leighton]

On Thu, Sep 12, 2002 at 03:47:19AM +1000, Luke Howard wrote:
> 
> >Well, the interesting thing to me is that WinXP managed to join with 
> >Sign/Seal enabled, but failed on the first logon attempt.
> 
> At least with Windows 2000 joining Active Directory (which is what we're
> testing right now) the domain join doesn't seem to mind if the
> NetrServerAuthenticate() / NetrLogonGetDomainInfo() fails. As long
> as the LSA and SAM RPCs that are made over SMB succeed, the client
> thinks that it has joined. 
 
  yep - but if you got the password wrong [decrypted incorrectly,
  stored the wrong way, munged etc.] then joining works fine
  and then subsequent logon attempts fail.

  also - it's possible to get things wrong in joining, have
  a successful report "i joined!" and you only find out
  _after_ the reboot...

> >> Last time I looked, the secure channel bind PDU included the NetBIOS
> >> name, the workstation name, and the DNS domain name and host, which 
> >> are presumably used by the server as a key to retrieve the session key
> >> previously negotiated by NetrReqChallenge() and NetrServerAuthenticate3().

 yep.

> >> The session key is used to sign/seal the channel (roughly per 
> >> draft-brezak-win2k-krb-rc4-hmac-04.txt). I didn't take note of how
> 

yep.

> It makes sense, and some of this is implemented in TNG (not sure whether

 yep.

> it works or not). 

 yep, it does, up to the very first packet over the Schannel.

 i never worked out the second verifier packet, so i could
 create a signature on the first PDU but no others.