w2k join/logon
tridge at samba.org
Thu Dec 15 22:57:06 GMT 2005
Metze and Andrew,
> I would say just do what w2k3 does, when a w2k machine joins
It looks like w2k3 does not auto-create a servicePrincipalName
attribute. I tested by modifying our net join code to skip the SPN
creation, and checked the resulting account - it did not have a SPN.
So, if we want to do the same, we'd need to fix the following places:
cracknames: this one is messy. Metze, can you have a look at that? I
really don't follow the logic in the cracknames code. I'm
guessing we need to extend LDB_lookup_spn_alias() to allow
for no SPN, and create a fake one on the fly.
hdb-ldb: it seems the only reason we need a SPN here is for the
following:
    if (lp_parm_bool(-1, "kdc", "require spn for service", True)) {
        if (!ldb_msg_find_string(msg, "servicePrincipalName", NULL)) {
            ent->flags.server = 0;
        }
    }
Andrew, why does this boolean default to true? We don't seem
to actually look at the SPN in the hdb-ldb code, we just check
it exists, and by default fail if it doesn't. What is the
reasoning behind that? ..... chat on irc .... ok, so this is
set to True by default to prevent people trying lots of
passwords on user accounts.
The only other place we use it is in this code in hdb-ldb.c:
    filter = talloc_asprintf(mem_ctx,
                             "(&(objectClass=user)(|(|(samAccountName=%s)(servicePrincipalName=%s))(userPrincipalName=%s)))",
                             short_princ_talloc, short_princ_talloc, princ_str_talloc);
which (by virtue of the | parts of the expression) allows for either a
'samAccountName' or a 'servicePrincipalName'.
Just setting "kdc:require spn for service = False" gets us a lot
further, as it allows hdb-ldb to continue, but the cracknames still
fails, resulting in:
LDB_lookup_spn_alias: no alias for service host applicable
so if we can fix cracknames then I think we will be OK with win2000
members.
I still don't know why the join is slow however. That will take more
tracking down using comparative sniffs next week (I'm away this
weekend).
Cheers, Tridge
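The two hdb-ldb pieces quoted above (the samAccountName/servicePrincipalName/userPrincipalName filter and the "require spn for service" check) can be modelled together to see why the default matters. The following is an added example, not Samba code: it runs the filter logic over a few constructed directory entries (a w2k3-style member with SPNs, a member with no SPN as observed for w2k joins, and a plain user). It assumes AD-style case-insensitive attribute matching and that the "short" principal is the principal with its realm stripped; the hostnames, account names and realm are made up.

```python
# Added example, not Samba code: a model of the hdb-ldb principal lookup and
# the "kdc:require spn for service" check discussed in the mail, run over a
# few constructed directory entries (all attribute values are made up).

def _ci(value):
    """Case-insensitive key for AD string attributes (assumed AD behaviour)."""
    return value.casefold()


# Constructed sample objects: a w2k3-style member with SPNs, a member joined
# the way the mail observed for w2k (no servicePrincipalName), and a plain user.
ENTRIES = [
    {"objectClass": ["top", "person", "user", "computer"],
     "samAccountName": "W2K3BOX$",
     "servicePrincipalName": ["HOST/w2k3box.example.com", "HOST/W2K3BOX"]},
    {"objectClass": ["top", "person", "user", "computer"],
     "samAccountName": "W2KBOX$"},
    {"objectClass": ["top", "person", "user"],
     "samAccountName": "alice",
     "userPrincipalName": "alice@example.com"},
]


def lookup(entries, princ):
    """Mirror the filter quoted in the mail:
    (&(objectClass=user)(|(|(samAccountName=S)(servicePrincipalName=S))(userPrincipalName=P)))
    with S the principal stripped of its realm (assumed) and P the full
    principal. Returns the first matching entry or None."""
    short = princ.rsplit("@", 1)[0]
    for e in entries:
        if "user" not in e.get("objectClass", []):
            continue
        spns = {_ci(s) for s in e.get("servicePrincipalName", [])}
        if (_ci(e.get("samAccountName", "")) == _ci(short)
                or _ci(short) in spns
                or _ci(e.get("userPrincipalName", "")) == _ci(princ)):
            return e
    return None


def server_flag(entry, require_spn_for_service=True):
    """ent->flags.server as the quoted hdb-ldb snippet leaves it: cleared when
    the option is on and the account carries no servicePrincipalName."""
    if require_spn_for_service and not entry.get("servicePrincipalName"):
        return False
    return True


def service_ticket_target(entries, princ, require_spn_for_service=True):
    """Whether the KDC would treat `princ` as a service it can issue tickets
    for. Returns "not found", "user only" or "server"."""
    e = lookup(entries, princ)
    if e is None:
        return "not found"
    return "server" if server_flag(e, require_spn_for_service) else "user only"


if __name__ == "__main__":
    for req in (True, False):
        print(f"require spn for service = {req}")
        for p in ("HOST/w2k3box.example.com@EXAMPLE.COM",
                  "W2KBOX$@EXAMPLE.COM",
                  "alice@example.com"):
            print(f"  {p:42} -> {service_ticket_target(ENTRIES, p, req)}")
```

With the default (True) the SPN-less w2k member is found by the filter but never becomes a server principal, which is the failure the mail describes; flipping the option to False fixes that member but also turns every ordinary user account (alice here) into a valid ticket target, which is exactly the password-guessing exposure the default is there to prevent.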