w2k join/logon

tridge at samba.org
Thu Dec 15 22:57:06 GMT 2005


Metze and Andrew,

 > I would say just do what w2k3 does, when a w2k machine joins

It looks like w2k3 does not auto-create a servicePrincipalName
attribute. I tested by modifying our net join code to skip the SPN
creation, and checked the resulting account - it did not have a SPN.

So, if we want to do the same, we'd need to fix the following places:

cracknames: this one is messy. Metze, can you have a look at that? I
            really don't follow the logic in the cracknames code. I'm
            guessing we need to extend LDB_lookup_spn_alias() to allow
            for no SPN, and create a fake one on the fly.

hdb-ldb: it seems the only reason we need a SPN here is for the
         following:

        if (lp_parm_bool(-1, "kdc", "require spn for service", True)) {
                if (!ldb_msg_find_string(msg, "servicePrincipalName", NULL)) {
                        ent->flags.server = 0;
                }
        }
        
        Andrew, why does this boolean default to true? We don't seem
        to actually look at the SPN in the hdb-ldb code, we just check
        it exists, and by default fail if it doesn't. What is the
        reasoning behind that?  ..... chat on irc .... ok, so this is
        set to True by default to prevent people trying lots of
        passwords on user accounts.

The only other place we use it is in this code in hdb-ldb.c:

		filter = talloc_asprintf(mem_ctx, "(&(objectClass=user)(|(|(samAccountName=%s)(servicePrincipalName=%s))(userPrincipalName=%s)))", 
					 short_princ_talloc, short_princ_talloc, princ_str_talloc);

which (by virtue of the | parts of the expression) allows for either a
'samAccountName' or a 'servicePrincipalName'.


Just setting "kdc:require spn for service = False" gets us a lot
further, as it allows hdb-ldb to continue, but the cracknames still
fails, resulting in:

  LDB_lookup_spn_alias: no alias for service host applicable

so if we can fix cracknames then I think we will be OK with win2000
members.

I still don't know why the join is slow however. That will take more
tracking down using comparative sniffs next week (I'm away this
weekend).

Cheers, Tridge
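The lookup filter and the "kdc:require spn for service" check quoted in the mail above, modelled as a small in-memory KDC lookup. This is example code written for this page, not Samba's hdb-ldb.c; the account records and the names ACCOUNTS, ldap_escape, build_filter and hdb_entry are constructed for the illustration. The RFC 4515 escaping is the example's own hygiene: the page does not show whether the principal strings are escaped before the asprintf() call, so treat that as an assumption, not a statement about Samba.

```python
# Added example: a model of the hdb-ldb principal lookup and the
# "require spn for service" policy discussed in the mail. Not Samba code.

# Constructed sample directory: a member with SPNs (what w2k3 creates),
# a w2k member that joined without any SPN (the case in the mail), and a
# plain user account.
ACCOUNTS = [
    {"dn": "CN=SRV1,CN=Computers,DC=example,DC=com",
     "objectClass": ["top", "user", "computer"],
     "samAccountName": "SRV1$",
     "servicePrincipalName": ["HOST/srv1.example.com", "HOST/SRV1"],
     "userPrincipalName": None},
    {"dn": "CN=W2KBOX,CN=Computers,DC=example,DC=com",
     "objectClass": ["top", "user", "computer"],
     "samAccountName": "W2KBOX$",
     "servicePrincipalName": [],
     "userPrincipalName": None},
    {"dn": "CN=alice,CN=Users,DC=example,DC=com",
     "objectClass": ["top", "user", "person"],
     "samAccountName": "alice",
     "servicePrincipalName": [],
     "userPrincipalName": "alice@example.com"},
]


def ldap_escape(value):
    """Escape a value for interpolation into an RFC 4515 search filter so a
    client-chosen principal cannot smuggle '*' or parentheses into it.
    (Assumption of this example; the page does not show Samba's escaping.)"""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(princ):
    """Same shape as the filter quoted from hdb-ldb.c: the short name
    (principal minus realm) is tried against samAccountName and
    servicePrincipalName, the full string against userPrincipalName."""
    short = princ.rsplit("@", 1)[0]
    return ("(&(objectClass=user)(|(|(samAccountName=%s)(servicePrincipalName=%s))"
            "(userPrincipalName=%s)))"
            % (ldap_escape(short), ldap_escape(short), ldap_escape(princ)))


def _matches(entry, princ):
    """Evaluate the filter's predicate against one in-memory entry. AD
    compares these attributes case-insensitively, so we lower-case both."""
    short = princ.rsplit("@", 1)[0].lower()
    if "user" not in entry["objectClass"]:
        return False
    if entry["samAccountName"].lower() == short:
        return True
    if short in (spn.lower() for spn in entry["servicePrincipalName"]):
        return True
    upn = entry["userPrincipalName"]
    return upn is not None and upn.lower() == princ.lower()


def hdb_entry(princ, require_spn=True):
    """Look up the account for a principal and derive the 'server' flag the
    way the quoted snippet does: with the option on (the default), an
    account that carries no servicePrincipalName may not act as a service,
    so nobody can request a service ticket against a user account and
    grind its password offline. Returns None when nothing matches."""
    matches = [e for e in ACCOUNTS if _matches(e, princ)]
    if not matches:
        return None
    entry = matches[0]
    server = 1
    if require_spn and not entry["servicePrincipalName"]:
        server = 0
    return {"dn": entry["dn"],
            "samAccountName": entry["samAccountName"],
            "spns": list(entry["servicePrincipalName"]),
            "server": server}


if __name__ == "__main__":
    print(build_filter("HOST/srv1.example.com@EXAMPLE.COM"))
    for princ in ("SRV1$@EXAMPLE.COM", "HOST/srv1.example.com@EXAMPLE.COM",
                  "W2KBOX$@EXAMPLE.COM", "alice@example.com"):
        for req in (True, False):
            print("require_spn=%-5s %-36s -> %s" % (req, princ, hdb_entry(princ, req)))
```

With the default setting, the w2k member W2KBOX$ and the user alice are both found by the filter but come back with server = 0, which is exactly the behaviour the mail describes: the SPN-less account cannot be used as a ticket-granting target. Flipping require_spn to False lets the w2k member through this check, which matches the observation that "kdc:require spn for service = False" gets past hdb-ldb, while leaving the separate cracknames failure untouched.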

