Andrew,

I noticed the attachment had not gone through on this previous mail so here it 
is.  Please let me know if you have any further feedback.  If I don't hear from 
you by Monday, July 14, 2009 I will go ahead and archive this issue.

Richard Guthrie
Support Escalation Engineer 
Open Protocols Support Team
http://blogs.msdn.com/OpenSpecification 
Tel: +1 (469) 775-7794
E-mail: [email protected] 

-----Original Message-----
From: Richard Guthrie 
Sent: Tuesday, June 30, 2009 3:44 PM
To: 'Andrew Bartlett'
Cc: [email protected]; [email protected]
Subject: RE: [cifs-protocol] RE: How is a krb5 request to cifs/my.realm handled?

Andrew,

Attached is the last email that I have regarding this subject.  A new case, 
SRX090630600140, has been created for this issue to continue working.  I 
believe this knowledge base article, http://support.microsoft.com/kb/842162, 
discusses some relevant details about the implementation of sysvol in its 
discussion of how to relocate the actual folder mapping.  

It sounds, though, like you might still be having an issue on the KDC side 
of the house.  This link on technet 
http://technet.microsoft.com/en-us/library/cc782417(WS.10).aspx (Section: How 
DFS Is Used During the Logon Process), I believe has the information you are 
looking for, and goes into great depth on how the client downloads policies 
from the domain using DFS which is the means to retrieve group policy.  

Please let us know if you have further questions regarding this issue.

Richard Guthrie
Support Escalation Engineer 
Open Protocols Support Team
http://blogs.msdn.com/OpenSpecification 
Tel: +1 (469) 775-7794
E-mail: [email protected] 


-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]] 
Sent: Tuesday, June 30, 2009 5:08 AM
To: Richard Guthrie
Cc: [email protected]; [email protected]
Subject: Re: [cifs-protocol] RE: How is a krb5 request to cifs/my.realm handled?

On Sun, 2008-12-14 at 18:52 -0800, Richard Guthrie wrote:
> Andrew,
> 
> Thanks for the question. I will create a case for this shortly and an 
> engineer will get in touch with you to begin working this issue.
> 
> Richard Guthrie
> Escalation Engineer
> 
> ________________________________________
> From: Andrew Bartlett [[email protected]]
> Sent: Sunday, December 14, 2008 7:10 PM
> To: Interoperability Documentation Help
> Cc: [email protected]; [email protected]
> Subject: How is a krb5 request to cifs/my.realm handled?
> 
> A number of our users are having trouble with group policy in Samba4, 
> and it seems that their clients (WinXP, Vista) look for their group 
> policy information in //my.realm/sysvol
> 
> This name resolves in DNS, but we don't currently have a mapping for 
> it in our KDC, because I don't know, if I were to create a mixed
> Microsoft/Samba4 domain what key this would resolve to.
> 
> Given that it must be shared between all domain controllers, is this 
> somehow mapped to krbtgt/my.realm?  Is DNS/my.realm also handled this 
> way?
> 
> (In the meantime it would of course be trivial to add such a mapping, 
> but I want to solve this properly)

Has there been any progress on this?

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
--- Begin Message ---

-----Original Message-----
From: Richard Guthrie
Sent: Monday, December 29, 2008 8:27 AM
To: Andrew Bartlett
Cc: Son Nguyen; Nick Meier
Subject: RE: capture of group policy attempt

Andrew/Son,

We have reviewed the trace that was attached.  We will refer to IP 
192.168.9.131 as CLIENT and IP 192.168.9.135 as SERVER.  Is the SPN for the 
SERVER in the ticket request correct in frame 45?  It would appear that 
Kerberos is working because the encrypted LDAP request in frames 17-34 is 
succeeding with an SPN of ldap/dcson1.ce.saigontech.info.vn for that ticket.

With regards to group policy, I don't see the request to sysvol in this trace.  
I see CLIENT does SMB Tree Connect to \\CE.SAIGONTECH.INFO.VN\IPC$ using NTLM 
SSPNegotiate which looks to succeed.  IPC$ is not the share used to download 
group policy however.  You should see a connection via SMB to 
\\<DOMAIN_CONTROLLER>\sysvol.


It would appear there is a problem with the client retrieving the correct SPNs 
but that is not 100% clear from this trace.  To resolve further we would 
probably need to see the conversation from the client booting up and logging 
in.  If you want to pursue that direction let us know and we can provide a more 
detailed action plan.  From our previous conversation here is some background 
information (both normative and informative) on how a windows client retrieves 
group policy:

Normative References
MS-GPOL - 1.3.3.1 Server Discovery and Group Policy Object Association
MS-GPOL - 1.3.3.2 GPO Retrieval
MS-GPOL - 4.x Examples
MS-NRPC - 3.4.3 Initialization

Informative References
http://technet.microsoft.com/en-us/library/cc758898.aspx - Group Policy 
Processing
http://support.microsoft.com/kb/842162 - How to relocate the SYSVOL tree on a 
domain controller that is running Windows 2000 Server or Windows Server 2003
http://support.microsoft.com/kb/315457 - How to rebuild the SYSVOL tree and its 
content in a domain
http://support.microsoft.com/kb/910206 - How to troubleshoot Group Policy 
object processing failures that occur across multiple forests
http://technet.microsoft.com/en-us/library/cc787386.aspx - Troubleshooting 
Group Policy Problems
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en - Group Policy Management Console


Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: [email protected]


-----Original Message-----
From: Andrew Bartlett [mailto:[email protected]]
Sent: Tuesday, December 16, 2008 5:49 PM
To: Richard Guthrie
Cc: Son Nguyen
Subject: capture of group policy attempt

Richard,

Per our call this morning, this is the capture from Son Nguyen 
<[email protected]> of an attempt to download group policies from Samba.  
Note the attempt to use cifs/<realm> as the principal name.

I think the issue here is that we have a very poor implementation of the 
GetDCName calls in our netlogon server, and if we fix that, we might fix this 
too, but any advice you can give would be most appreciated.

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

--- End Message ---
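The following is an added worked example and is not code from the thread, from Samba or from Microsoft. It models the client-side mechanics the trace discussion above turns on: an SMB client derives the Kerberos service principal it asks the KDC for from the server component of the UNC path it was asked to open, so \\CE.SAIGONTECH.INFO.VN\sysvol produces a request for cifs/CE.SAIGONTECH.INFO.VN, and a DFS referral that redirects the client to a specific domain controller changes which SPN is requested on the next hop. The referral table and the list of SPNs the KDC has keys for are constructed data chosen to mirror the names in the trace (the ldap/dcson1.ce.saigontech.info.vn ticket that succeeded); the function names are mine. The check reports which hops would need a principal mapping the KDC does not have, which is the gap the original question asks about.

```python
# Added example: derive the SPN an SMB client requests for a UNC path,
# follow constructed DFS referrals, and report SPNs the KDC cannot serve.
# Not part of the mailing-list thread; names and data below are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

REALM = "CE.SAIGONTECH.INFO.VN"
DC = "dcson1.ce.saigontech.info.vn"

# Constructed: the SPNs this domain's KDC actually holds keys for. Note that
# nothing here covers cifs/<realm>, which is the situation described above.
REGISTERED_SPNS: Set[str] = {f"ldap/{DC}", f"cifs/{DC}", f"host/{DC}"}

# Constructed: domain-based DFS root for sysvol, referring clients to the DC.
# Keys are lower-cased \\server\share roots, values are the referral target.
DFS_REFERRALS: Dict[str, str] = {f"\\\\{REALM}\\sysvol".lower(): f"\\\\{DC}\\sysvol"}


def split_unc(unc: str) -> Tuple[str, str, str]:
    """Return (server, share, remainder) for a UNC path, or raise ValueError."""
    path = unc.replace("/", "\\")
    if not path.startswith("\\\\"):
        raise ValueError(f"not a UNC path: {unc!r}")
    parts = path[2:].split("\\")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"UNC path needs \\\\server\\share: {unc!r}")
    return parts[0], parts[1], "\\".join(parts[2:])


def spn_for_unc(unc: str, service: str = "cifs") -> str:
    """SPN the client asks the KDC for: service/<server exactly as written>."""
    server, _, _ = split_unc(unc)
    return f"{service}/{server}"


@dataclass
class Hop:
    unc: str      # path the client is opening at this hop
    spn: str      # ticket it requests to do so
    known: bool   # whether the KDC has a key for that SPN
    referred_to: str  # next path from a DFS referral, or "" if none


def follow_referrals(unc: str, referrals: Dict[str, str],
                     registered: Set[str], max_hops: int = 4) -> List[Hop]:
    """Walk DFS referrals from a UNC path, recording the SPN needed per hop.

    SPN comparison is case-insensitive, matching how servicePrincipalName
    values are compared in Active Directory. max_hops guards against a
    referral loop in the constructed table.
    """
    known_lower = {s.lower() for s in registered}
    hops: List[Hop] = []
    current = unc
    for _ in range(max_hops):
        server, share, rest = split_unc(current)
        spn = spn_for_unc(current)
        target = referrals.get(f"\\\\{server}\\{share}".lower(), "")
        next_path = target + ("\\" + rest if target and rest else "")
        hops.append(Hop(current, spn, spn.lower() in known_lower, next_path))
        if not target:
            break
        current = next_path
    return hops


def missing_spns(hops: List[Hop]) -> List[str]:
    """SPNs requested along the way that the KDC has no key for."""
    return [h.spn for h in hops if not h.known]


if __name__ == "__main__":
    gpo_path = f"\\\\{REALM}\\sysvol\\{REALM}\\Policies"
    for hop in follow_referrals(gpo_path, DFS_REFERRALS, REGISTERED_SPNS):
        state = "ok" if hop.known else "NO KEY"
        print(f"{hop.unc}\n  needs {hop.spn}: {state}")
    print("missing:", missing_spns(
        follow_referrals(gpo_path, DFS_REFERRALS, REGISTERED_SPNS)))
```

Run against the constructed data, the first hop (the domain name as server) asks for cifs/CE.SAIGONTECH.INFO.VN and is reported as having no key, while the post-referral hop to the DC asks for cifs/dcson1.ce.saigontech.info.vn and succeeds; that is the same shape as the trace, where LDAP to the DC's own name worked but the domain-name share did not get a Kerberos ticket. Whether the KDC should answer cifs/<realm> from the DC's own key or from some shared key is exactly the open question of the thread and is not answered by this example.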
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
