I've filed the following CR:

6684686 smbadm join CLI doesn't always create all the necessary attributes in a system's AD computer object

The smbadm join CLI does create the computer object with the 
servicePrincipalName, along with other attributes.  Unfortunately, the 
NETLOGON credential chain establishment, which happens after the 
creation of the computer object and ksetpw operation, has occasionally 
reset the servicePrincipalName and dNSHostName attributes of the object.

Regards,

Natalie

Leopold, Corey wrote:

>>-----Original Message-----
>>From: Nicolas Williams [mailto:[EMAIL PROTECTED]
>>Sent: Thursday, April 03, 2008 5:38 PM
>>To: Natalie Li
>>Cc: Leopold, Corey; [email protected]
>>Subject: Re: [storage-discuss] B85 CIFS - Active Directory - Kerberos
>>
>>On Thu, Apr 03, 2008 at 03:40:13PM -0700, Natalie Li wrote:
>>>The smbadm CLI does create the computer account with
>>>servicePrincipalName attribute.  See the following output of the
>>>dsquery:
>>
>>But it didn't for me; did I do something wrong?  Corey, what about
>>your case?
>
>Not there. I also checked a previous account created with b79a and not
>on that one either.  See full listing below...
>
>I do have a secondary question though...  Shouldn't CIFS shares also be
>checking this host principal, and fail authentication if it is
>non-existent?  My understanding is that these keys prevent man in the
>middle attacks?
>
>Corey
>
>C:\Documents and Settings\administrator>dsquery * cn=xxx,cn=computers,dc=xxx,dc=com -scope base -attr *
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: user
>objectClass: computer
>cn: xxx
>distinguishedName: CN=xxx,CN=Computers,DC=xxx,DC=com
>instanceType: 4
>whenCreated: 03/27/2008 16:59:34
>whenChanged: 03/27/2008 16:59:35
>uSNCreated: 500216
>uSNChanged: 500224
>name: xxx
>objectGUID: {6C3E6601-EB99-44D8-84A2-00985F6FC9BF}
>userAccountControl: 593920
>badPwdCount: 0
>codePage: 0
>countryCode: 0
>badPasswordTime: 0
>lastLogoff: 0
>lastLogon: 128517697893488678
>localPolicyFlags: 0
>pwdLastSet: 128511107748403829
>primaryGroupID: 515
>objectSid: S-1-5-21-1651275576-3096177869-2280500612-1636
>accountExpires: 9223372036854775807
>logonCount: 34
>sAMAccountName: xxx$
>sAMAccountType: 805306369
>operatingSystem: Windows NT
>operatingSystemVersion: 4.0
>userPrincipalName: host/[EMAIL PROTECTED]
>objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=xxx,DC=com
>isCriticalSystemObject: FALSE
>ADsPath: LDAP://xxx.xxx.com/cn=xxx,cn=computers,dc=xxx,dc=com

_______________________________________________
storage-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/storage-discuss
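
A check for the condition discussed in this thread, as an added example that is not part of the original messages or of smbadm: it parses `dsquery * <dn> -scope base -attr *` output and reports whether servicePrincipalName and dNSHostName are present on the computer object. The sample listing is constructed, and the function names are hypothetical.

```python
import re

# Attributes the thread says the join should leave on the computer object.
REQUIRED = ("servicePrincipalName", "dNSHostName")

# Constructed sample in the shape of the dsquery listing above; the ADsPath
# value is wrapped mid-value the way the console wrapped it in the thread.
SAMPLE = """\
objectClass: top
objectClass: computer
cn: xxx
distinguishedName: CN=xxx,CN=Computers,DC=xxx,DC=com
sAMAccountName: xxx$
ADsPath: LDAP://xxx.xxx.com/cn=xxx,cn=computers,dc=xxx,d
c=com
"""

# "name: value" or "name:" with nothing after it. "LDAP://..." does not match,
# so a wrapped URL fragment is never mistaken for a new attribute.
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):(?: (.*))?$")


def parse_dsquery(text):
    """Return {lowercased attribute: [values]}, rejoining console-wrapped values."""
    attrs, last = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = ATTR_LINE.match(line)
        if m:
            last = m.group(1).lower()  # LDAP attribute names are case-insensitive
            attrs.setdefault(last, []).append(m.group(2) or "")
        elif last is not None:
            attrs[last][-1] += line.strip()  # continuation of the previous value
    return attrs


def missing_attributes(attrs):
    """List the required attributes that are absent or have only empty values."""
    return [name for name in REQUIRED
            if not any(v.strip() for v in attrs.get(name.lower(), []))]


if __name__ == "__main__":
    print("missing:", missing_attributes(parse_dsquery(SAMPLE)) or "none")
```

Running it again on a listing captured after the NETLOGON credential chain has been established shows whether the attributes survived that step.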
