Hi Zachary,

I will be investigating this case and will update you as soon as I have news.

Best regards,
Edgar A. Olougouna
Sr. SEE, Microsoft DSC Protocol Team

-----Original Message-----
From: Zachary Loafman [mailto:[email protected]]
Sent: Friday, August 28, 2009 11:18 AM
To: Interoperability Documentation Help
Cc: [email protected]; [email protected]
Subject: cifs/ SPN not accepted in certain scenarios

We stumbled across a rather odd behavior related to non-forest-root tree-root domains. Can you help explain/document this behavior?

I've attached a short pcap showing the start of an XP machine joining a 2k8 tree-root. Here's the setup:

*) I have a Win2k8 DC at 10.54.139.240 for the zl.test domain, which is the forest root for this forest. This domain is only once contacted during the capture, but if you're setting up a similar environment, you'll need it.

*) I have another Win2k8 DC at 10.54.139.241 for the zl-alt.test domain (ZL-ALTROOT-TEST.zl-alt.test). This domain was configured as an alternate root within the same forest using the "advanced" settings in the dcpromo wizard (but is otherwise the standard configuration from that wizard).

*) I have an XP client whose DNS is set to 10.54.139.241 prior to the join.

For whatever reason, the alternate root DC will not accept a TGS-REQ for cifs/ZL-ALTROOT-TEST.zl-alt.test. In this pcap, the XP join then falls back to NTLM. This is fine, but kind of dumb - there should be no need to fall back to NTLM.

The zl-alt.test DC *will* accept a TGS-REQ for HOST/ZL-ALTROOT-TEST.zl-alt.test. That's the curious part.

In case it helps, here's a setspn -L on the altroot:

C:\Users\Administrator>setspn -L ZL-ALTROOT-TEST
Registered ServicePrincipalNames for CN=ZL-ALTROOT-TEST,OU=Domain Controllers,DC=zl-alt,DC=test:
        ldap/ZL-ALTROOT-TEST.zl-alt.test/ForestDnsZones.zl.test
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ZL-ALTROOT-TEST.zl-alt.test
        DNS/ZL-ALTROOT-TEST.zl-alt.test
        GC/ZL-ALTROOT-TEST.zl-alt.test/zl.test
        HOST/ZL-ALTROOT-TEST.zl-alt.test/ZLALTTEST
        HOST/ZL-ALTROOT-TEST
        HOST/ZL-ALTROOT-TEST.zl-alt.test
        HOST/ZL-ALTROOT-TEST.zl-alt.test/zl-alt.test
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/57379a03-4669-4b74-811b-97e3fdced922/zl-alt.test
        ldap/57379a03-4669-4b74-811b-97e3fdced922._msdcs.zl.test
        ldap/ZL-ALTROOT-TEST.zl-alt.test/ZLALTTEST
        ldap/ZL-ALTROOT-TEST
        ldap/ZL-ALTROOT-TEST.zl-alt.test
        ldap/ZL-ALTROOT-TEST.zl-alt.test/zl-alt.test

pcap attached.

...Zach

_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
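An added example, not part of the original thread: a small parser for the setspn -L listing quoted above that indexes the registered SPNs by host and service class and checks whether a given SPN has an explicit entry. It shows that the listing carries HOST/ and ldap/ entries for ZL-ALTROOT-TEST.zl-alt.test but no explicit cifs/ entry. The function names are this example's own, and the listing is embedded with the line-wrapped GUID rejoined.

```python
from collections import defaultdict

# setspn -L listing quoted from the message above (embedded so this runs offline).
SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=ZL-ALTROOT-TEST,OU=Domain Controllers,DC=zl-alt,DC=test:
    ldap/ZL-ALTROOT-TEST.zl-alt.test/ForestDnsZones.zl.test
    Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ZL-ALTROOT-TEST.zl-alt.test
    DNS/ZL-ALTROOT-TEST.zl-alt.test
    GC/ZL-ALTROOT-TEST.zl-alt.test/zl.test
    HOST/ZL-ALTROOT-TEST.zl-alt.test/ZLALTTEST
    HOST/ZL-ALTROOT-TEST
    HOST/ZL-ALTROOT-TEST.zl-alt.test
    HOST/ZL-ALTROOT-TEST.zl-alt.test/zl-alt.test
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/57379a03-4669-4b74-811b-97e3fdced922/zl-alt.test
    ldap/57379a03-4669-4b74-811b-97e3fdced922._msdcs.zl.test
    ldap/ZL-ALTROOT-TEST.zl-alt.test/ZLALTTEST
    ldap/ZL-ALTROOT-TEST
    ldap/ZL-ALTROOT-TEST.zl-alt.test
    ldap/ZL-ALTROOT-TEST.zl-alt.test/zl-alt.test
"""

def parse_setspn(text):
    """Return (service_class, host, service_name) for each SPN line."""
    spns = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines and the "Registered ServicePrincipalNames for ...:" header.
        if not line or line.startswith("Registered "):
            continue
        parts = line.split("/", 2)   # class/host[/service-name]
        if len(parts) < 2:
            continue
        spns.append((parts[0], parts[1], parts[2] if len(parts) == 3 else None))
    return spns

def classes_by_host(spns):
    """Map lower-cased host -> set of lower-cased service classes registered for it."""
    index = defaultdict(set)
    for service_class, host, _ in spns:
        index[host.lower()].add(service_class.lower())
    return dict(index)

def explicitly_registered(spns, wanted):
    """True if `wanted` matches a listed SPN exactly (compared case-insensitively)."""
    wanted = wanted.lower()
    return any("/".join(p for p in spn if p).lower() == wanted for spn in spns)

if __name__ == "__main__":
    spns = parse_setspn(SETSPN_OUTPUT)
    for name in ("cifs/ZL-ALTROOT-TEST.zl-alt.test", "HOST/ZL-ALTROOT-TEST.zl-alt.test"):
        print(name, "explicit entry:", explicitly_registered(spns, name))
```
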
