How is a krb5 request to cifs/my.realm handled?


How is a krb5 request to cifs/my.realm handled?

by Andrew Bartlett

A number of our users are having trouble with group policy in Samba4,
and it seems that their clients (WinXP, Vista) look for their group
policy information in //my.realm/sysvol

This name resolves in DNS, but we don't currently have a mapping for it
in our KDC, because I don't know, if I were to create a mixed
Microsoft/Samba4 domain what key this would resolve to.

Given that it must be shared between all domain controllers, is this
somehow mapped to krbtgt/my.realm?  Is DNS/my.realm also handled this
way?

(In the meantime it would of course be trivial to add such a mapping,
but I want to solve this properly)

Thanks,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.


_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol


RE: How is a krb5 request to cifs/my.realm handled?

by Richard Guthrie-3

Andrew,

Thanks for the question. I will create a case for this shortly and an engineer will get in touch with you to begin working this issue.

Richard Guthrie
Escalation Engineer

________________________________________
From: Andrew Bartlett [abartlet@...]
Sent: Sunday, December 14, 2008 7:10 PM
To: Interoperability Documentation Help
Cc: pfif@...; cifs-protocol@...
Subject: How is a krb5 request to cifs/my.realm handled?

A number of our users are having trouble with group policy in Samba4,
and it seems that their clients (WinXP, Vista) look for their group
policy information in //my.realm/sysvol

This name resolves in DNS, but we don't currently have a mapping for it
in our KDC, because I don't know, if I were to create a mixed
Microsoft/Samba4 domain what key this would resolve to.

Given that it must be shared between all domain controllers, is this
somehow mapped to krbtgt/my.realm?  Is DNS/my.realm also handled this
way?

(In the meantime it would of course be trivial to add such a mapping,
but I want to solve this properly)

Thanks,

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

Re: RE: How is a krb5 request to cifs/my.realm handled?

by Andrew Bartlett

On Sun, 2008-12-14 at 18:52 -0800, Richard Guthrie wrote:

> Andrew,
>
> Thanks for the question. I will create a case for this shortly and an engineer will get in touch with you to begin working this issue.
>
> Richard Guthrie
> Escalation Engineer
>
> ________________________________________
> From: Andrew Bartlett [abartlet@...]
> Sent: Sunday, December 14, 2008 7:10 PM
> To: Interoperability Documentation Help
> Cc: pfif@...; cifs-protocol@...
> Subject: How is a krb5 request to cifs/my.realm handled?
>
> A number of our users are having trouble with group policy in Samba4,
> and it seems that their clients (WinXP, Vista) look for their group
> policy information in //my.realm/sysvol
>
> This name resolves in DNS, but we don't currently have a mapping for it
> in our KDC, because I don't know, if I were to create a mixed
> Microsoft/Samba4 domain what key this would resolve to.
>
> Given that it must be shared between all domain controllers, is this
> somehow mapped to krbtgt/my.realm?  Is DNS/my.realm also handled this
> way?
>
> (In the meantime it would of course be trivial to add such a mapping,
> but I want to solve this properly)
Has there been any progress on this?

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.



RE: RE: How is a krb5 request to cifs/my.realm handled?

by Richard Guthrie-3

Andrew,

Attached is the last email that I have regarding this subject.  A new case, SRX090630600140, has been created for this issue to continue working.  I believe this knowledge base article, http://support.microsoft.com/kb/842162, discusses some relevant details about the implementation of sysvol in its discussion of how to relocate the actual folder mapping.  

It sounds like though, that you might still be having an issue on the KDC side of the house.  This link on technet http://technet.microsoft.com/en-us/library/cc782417(WS.10).aspx (Section: How DFS Is Used During the Logon Process), I believe has the information you are looking for, and goes into great depth on how the client downloads policies from the domain using DFS which is the means to retrieve group policy.  

Please let us know if you have further questions regarding this issue.

Richard Guthrie
Support Escalation Engineer
Open Protocols Support Team
http://blogs.msdn.com/OpenSpecification 
Tel: +1 (469) 775-7794
E-mail: rguthrie@...


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@...]
Sent: Tuesday, June 30, 2009 5:08 AM
To: Richard Guthrie
Cc: pfif@...; cifs-protocol@...
Subject: Re: [cifs-protocol] RE: How is a krb5 request to cifs/my.realm handled?

On Sun, 2008-12-14 at 18:52 -0800, Richard Guthrie wrote:

> Andrew,
>
> Thanks for the question. I will create a case for this shortly and an engineer will get in touch with you to begin working this issue.
>
> Richard Guthrie
> Escalation Engineer
>
> ________________________________________
> From: Andrew Bartlett [abartlet@...]
> Sent: Sunday, December 14, 2008 7:10 PM
> To: Interoperability Documentation Help
> Cc: pfif@...; cifs-protocol@...
> Subject: How is a krb5 request to cifs/my.realm handled?
>
> A number of our users are having trouble with group policy in Samba4,
> and it seems that their clients (WinXP, Vista) look for their group
> policy information in //my.realm/sysvol
>
> This name resolves in DNS, but we don't currently have a mapping for
> it in our KDC, because I don't know, if I were to create a mixed
> Microsoft/Samba4 domain what key this would resolve to.
>
> Given that it must be shared between all domain controllers, is this
> somehow mapped to krbtgt/my.realm?  Is DNS/my.realm also handled this
> way?
>
> (In the meantime it would of course be trivial to add such a mapping,
> but I want to solve this properly)

Has there been any progress on this?

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

Re: How is a krb5 request to cifs/my.realm handled?

by Richard Guthrie-3

Andrew,

I noticed the attachment had not gone through on this previous mail so here it is.  Please let me know if you have any further feedback.  If I don't hear from you by Monday, July 14, 2009 I will go ahead and archive this issue.

Richard Guthrie
Support Escalation Engineer
Open Protocols Support Team
http://blogs.msdn.com/OpenSpecification 
Tel: +1 (469) 775-7794
E-mail: rguthrie@...

-----Original Message-----
From: Richard Guthrie
Sent: Tuesday, June 30, 2009 3:44 PM
To: 'Andrew Bartlett'
Cc: pfif@...; cifs-protocol@...
Subject: RE: [cifs-protocol] RE: How is a krb5 request to cifs/my.realm handled?

Andrew,

Attached is the last email that I have regarding this subject.  A new case, SRX090630600140, has been created for this issue to continue working.  I believe this knowledge base article, http://support.microsoft.com/kb/842162, discusses some relevant details about the implementation of sysvol in its discussion of how to relocate the actual folder mapping.  

It sounds like though, that you might still be having an issue on the KDC side of the house.  This link on technet http://technet.microsoft.com/en-us/library/cc782417(WS.10).aspx (Section: How DFS Is Used During the Logon Process), I believe has the information you are looking for, and goes into great depth on how the client downloads policies from the domain using DFS which is the means to retrieve group policy.  

Please let us know if you have further questions regarding this issue.

Richard Guthrie
Support Escalation Engineer
Open Protocols Support Team
http://blogs.msdn.com/OpenSpecification 
Tel: +1 (469) 775-7794
E-mail: rguthrie@...


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@...]
Sent: Tuesday, June 30, 2009 5:08 AM
To: Richard Guthrie
Cc: pfif@...; cifs-protocol@...
Subject: Re: [cifs-protocol] RE: How is a krb5 request to cifs/my.realm handled?

On Sun, 2008-12-14 at 18:52 -0800, Richard Guthrie wrote:

> Andrew,
>
> Thanks for the question. I will create a case for this shortly and an engineer will get in touch with you to begin working this issue.
>
> Richard Guthrie
> Escalation Engineer
>
> ________________________________________
> From: Andrew Bartlett [abartlet@...]
> Sent: Sunday, December 14, 2008 7:10 PM
> To: Interoperability Documentation Help
> Cc: pfif@...; cifs-protocol@...
> Subject: How is a krb5 request to cifs/my.realm handled?
>
> A number of our users are having trouble with group policy in Samba4,
> and it seems that their clients (WinXP, Vista) look for their group
> policy information in //my.realm/sysvol
>
> This name resolves in DNS, but we don't currently have a mapping for
> it in our KDC, because I don't know, if I were to create a mixed
> Microsoft/Samba4 domain what key this would resolve to.
>
> Given that it must be shared between all domain controllers, is this
> somehow mapped to krbtgt/my.realm?  Is DNS/my.realm also handled this
> way?
>
> (In the meantime it would of course be trivial to add such a mapping,
> but I want to solve this properly)
Has there been any progress on this?

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.



-----Original Message-----
From: Richard Guthrie
Sent: Monday, December 29, 2008 8:27 AM
To: Andrew Bartlett
Cc: Son Nguyen; Nick Meier
Subject: RE: capture of group policy attempt

Andrew/Son,

We have reviewed the trace that was attached.  We will refer to IP 192.168.9.131 as CLIENT and IP 192.168.9.135 as SERVER.  Is the SPN for the SERVER in the ticket request correct in frame 45?  It would appear that Kerberos is working because the encrypted LDAP request in frames 17-34 is succeeding with an SPN of ldap/dcson1.ce.saigontech.info.vn for that ticket.

With regards to group policy, I don't see the request to sysvol in this trace.  I see CLIENT does SMB Tree Connect to \\CE.SAIGONTECH.INFO.VN\IPC$ using NTLM SSPNegotiate which looks to succeed.  IPC$ is not the share used to download group policy however.  You should see a connection via SMB to \\<DOMAIN_CONTROLLER>\sysvol.


It would appear there is a problem with the client retrieving the correct SPNs but that is not 100% clear from this trace.  To resolve further we would probably need to see the conversation from the client booting up and logging in.  If you want to pursue that direction let us know and we can provide a more detailed action plan.  From our previous conversation here is some background information (both normative and informative) on how a windows client retrieves group policy:

Normative References
MS-GPOL - 1.3.3.1 Server Discovery and Group Policy Object Association
MS-GPOL - 1.3.3.2 GPO Retrieval
MS-GPOL - 4.x Examples
MS-NRPC - 3.4.3 Initialization

Informative References
http://technet.microsoft.com/en-us/library/cc758898.aspx - Group Policy Processing
http://support.microsoft.com/kb/842162 - How to relocate the SYSVOL tree on a domain controller that is running Windows 2000 Server or Windows Server 2003
http://support.microsoft.com/kb/315457 - How to rebuild the SYSVOL tree and its content in a domain
http://support.microsoft.com/kb/910206 - How to troubleshoot Group Policy object processing failures that occur across multiple forests
http://technet.microsoft.com/en-us/library/cc787386.aspx - Troubleshooting Group Policy Problems
http://www.microsoft.com/downloads/details.aspx?FamilyId=0A6D4C24-8CBD-4B35-9272-DD3CBFC81887&displaylang=en - Group Policy Management Console


Richard Guthrie
Open Protocols Support Team
Support Escalation Engineer, US-CSS DSC PROTOCOL TEAM
Tel: +1 (469) 775-7794
E-mail: rguthrie@...


-----Original Message-----
From: Andrew Bartlett [mailto:abartlet@...]
Sent: Tuesday, December 16, 2008 5:49 PM
To: Richard Guthrie
Cc: Son Nguyen
Subject: capture of group policy attempt

Richard,

Per our call this morning, this is the capture from Son Nguyen <sonnh@...> of an attempt to download group policies from Samba.  Note the attempt to use cifs/<realm> as the principal name.

I think the issue here is that we have a very poor implementation of the GetDCName calls in our netlogon server, and if we fix that, we might fix this too, but any advice you can give would be most appreciated.

Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

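As an added illustration, not code from the thread, from Samba or from Microsoft: the checks Richard applies to the trace above (does a ticket request name the domain itself rather than a DC host, which shares are tree-connected and with which mechanism, and was sysvol ever reached), run over a constructed frame summary in the style of a packet-analyser export. The summary format, the `auth=` field and the sample frames are assumptions.

```python
import re

# Constructed frame summary in the style of a packet-analyser export (not the
# real capture discussed in the thread). Columns: frame src dst proto info.
SAMPLE_TRACE = r"""
17 192.168.9.131 192.168.9.135 KRB5 TGS-REQ sname=ldap/dcson1.ce.saigontech.info.vn
18 192.168.9.135 192.168.9.131 KRB5 TGS-REP
20 192.168.9.131 192.168.9.135 LDAP bindRequest GSS-SPNEGO krb5
45 192.168.9.131 192.168.9.135 KRB5 TGS-REQ sname=cifs/CE.SAIGONTECH.INFO.VN
46 192.168.9.135 192.168.9.131 KRB5 KRB-ERROR KDC_ERR_S_PRINCIPAL_UNKNOWN
52 192.168.9.131 192.168.9.135 SMB Tree Connect AndX \\CE.SAIGONTECH.INFO.VN\IPC$ auth=NTLMSSP
"""

TGS_RE = re.compile(r"^(\d+)\s+\S+\s+\S+\s+KRB5\s+TGS-REQ\s+sname=([^/\s]+)/(\S+)")
TREE_RE = re.compile(r"^(\d+)\s+\S+\s+\S+\s+SMB2?\s+Tree Connect(?: AndX)?\s+"
                     r"\\\\([^\\]+)\\(\S+)\s+auth=(\S+)")


def analyse_trace(text, domain):
    """Which TGS-REQs name the domain itself (e.g. cifs/<realm>) rather than a
    DC host, every SMB tree connect with its auth mechanism, and whether the
    sysvol share was ever reached."""
    domain = domain.lower().rstrip(".")
    findings = {"domain_spns": [], "tree_connects": [], "sysvol_seen": False}
    for line in text.splitlines():
        m = TGS_RE.match(line)
        if m:
            frame, service, host = m.groups()
            if host.lower().rstrip(".") == domain:
                findings["domain_spns"].append((int(frame), f"{service}/{host}"))
            continue
        m = TREE_RE.match(line)
        if m:
            frame, server, share, auth = m.groups()
            findings["tree_connects"].append((int(frame), server, share, auth))
            if share.lower() == "sysvol":
                findings["sysvol_seen"] = True
    return findings


def diagnose(findings):
    """Turn the findings into the remarks a reviewer of the trace would make."""
    notes = [f"frame {f}: TGS-REQ names the domain itself ({spn}), not a DC host"
             for f, spn in findings["domain_spns"]]
    notes += [f"frame {f}: tree connect to \\\\{srv}\\{share} via {auth} is not the policy share"
              for f, srv, share, auth in findings["tree_connects"] if share.lower() != "sysvol"]
    if not findings["sysvol_seen"]:
        notes.append("no tree connect to \\\\<DC>\\sysvol seen: group policy was never fetched")
    return notes
```

Running `diagnose(analyse_trace(SAMPLE_TRACE, "ce.saigontech.info.vn"))` on the constructed sample reports the cifs/<realm> request, the NTLM tree connect to IPC$ and the absence of any sysvol connect, the three observations made in the thread.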