I attempted to set up unsolicited remote assistance via group policy, but connections to the client machines fail.

A network trace shows the 'expert' machine doing a TGS-REQ to the DC which responds with a KRB5KDC_ERR_POLICY. This seems to be the origin of the problem.

I noticed in the request, the username of the 'novice' is given as the Server Name but is otherwise pretty unremarkable.

Has anyone successfully gotten this working on a Samba4 AD domain?
On Mon, 2015-01-05 at 16:18 -0500, Ryan Bair wrote:

> I attempted to set up unsolicited remote assistance via group policy, but
> connections to the client machines fail.
>
> A network trace shows the 'expert' machine doing a TGS-REQ to the DC which
> responds with a KRB5KDC_ERR_POLICY. This seems to be the origin of the
> problem.
>
> I noticed in the request, the username of the 'novice' is given as the
> Server Name but is otherwise pretty unremarkable.
>
> Has anyone successfully gotten this working on a Samba4 AD domain?

Try giving the user an SPN. That should make it work.

I need to work out what the right clue is in AD to enable an account as a server, without an SPN, as otherwise we would allow offline attacks on the user (rather than machine, which should be more complex) passwords.

Andrew Bartlett

--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hi Andrew,

Thanks for the reply. That does indeed make it work.

On Tue, Jan 6, 2015 at 9:12 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2015-01-05 at 16:18 -0500, Ryan Bair wrote:
> > I attempted to set up unsolicited remote assistance via group policy, but
> > connections to the client machines fail.
> >
> > A network trace shows the 'expert' machine doing a TGS-REQ to the DC which
> > responds with a KRB5KDC_ERR_POLICY. This seems to be the origin of the
> > problem.
> >
> > I noticed in the request, the username of the 'novice' is given as the
> > Server Name but is otherwise pretty unremarkable.
> >
> > Has anyone successfully gotten this working on a Samba4 AD domain?
>
> Try giving the user an SPN. That should make it work.
>
> I need to work out what the right clue is in AD to enable an account as
> a server, without an SPN, as otherwise we would allow offline attacks on
> the user (rather than machine, which should be more complex) passwords.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett
> http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT
> http://catalyst.net.nz/services/samba
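The policy decision Andrew describes, as an added example that is not Samba's KDC code: a simplified model of why a TGS-REQ naming a plain user account as the server is answered with KRB5KDC_ERR_POLICY while a machine account or an account carrying a servicePrincipalName is served, together with the audit a defender wants once user accounts are handed SPNs (their long-term key is then exposed to offline cracking of service tickets). The LDIF entries, account names and the userAccountControl-based rule are constructed assumptions for illustration.

```python
# Added example: simplified model of the KDC check behind KRB5KDC_ERR_POLICY.
# Not Samba's implementation; the accept/refuse rule is an assumption.

# userAccountControl bits (real AD values) and Kerberos error codes (RFC 4120)
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN = 7
KRB5KDC_ERR_POLICY = 12  # the error seen in the thread's network trace

# Constructed directory entries in LDIF-like form (not from a real domain)
SAMPLE_LDIF = """\
dn: CN=novice,CN=Users,DC=example,DC=test
sAMAccountName: novice
userAccountControl: 512

dn: CN=helpdesk,CN=Users,DC=example,DC=test
sAMAccountName: helpdesk
userAccountControl: 512
servicePrincipalName: RemoteAssistance/helpdesk.example.test

dn: CN=WS01,CN=Computers,DC=example,DC=test
sAMAccountName: WS01$
userAccountControl: 4096
servicePrincipalName: HOST/ws01.example.test
"""

def parse_ldif(text):
    """Parse the constructed LDIF into {sAMAccountName: {"uac": int, "spns": [..]}}."""
    accounts = {}
    for block in text.strip().split("\n\n"):
        entry = {"uac": 0, "spns": []}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            if key == "sAMAccountName":
                entry["name"] = value
            elif key == "userAccountControl":
                entry["uac"] = int(value)
            elif key == "servicePrincipalName":
                entry["spns"].append(value)
        accounts[entry["name"]] = entry
    return accounts

def tgs_decision(accounts, sname):
    """Return None if a service ticket for sname may be issued, else the KDC error code."""
    matches = [a for n, a in accounts.items() if n == sname or sname in a["spns"]]
    if not matches:
        return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
    acct = matches[0]
    machine = acct["uac"] & (UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT)
    # Only machine accounts or accounts that advertise a service get a ticket;
    # a bare user account is refused so its key never leaves the KDC in a ticket.
    return None if (machine or acct["spns"]) else KRB5KDC_ERR_POLICY

def users_with_spns(accounts):
    """Audit: user (non-machine) accounts whose SPNs make offline cracking possible."""
    return sorted(n for n, a in accounts.items() if a["uac"] & UF_NORMAL_ACCOUNT and a["spns"])
```

Accounts returned by users_with_spns are the ones that need long, random passwords (or a group Managed Service Account) once the SPN workaround from this thread is applied.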