libnet/become_dc: add a comment and explain why it's important to specify krb5
authorStefan Metzmacher <metze@samba.org>
Thu, 17 Jul 2008 11:36:59 +0000 (13:36 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 23 Jul 2008 09:56:55 +0000 (11:56 +0200)
metze

source/libnet/libnet_become_dc.c

index 556ba8045d4bf8b237ece6d2a9ee83b414a8ef33..31a9206d8646b0f21b2c565debc373848534c184 100644 (file)
@@ -1516,6 +1516,15 @@ static void becomeDC_drsuapi_connect_send(struct libnet_BecomeDC_state *s,
        drsuapi->s = s;
 
        if (!drsuapi->binding) {
+               /*
+                * Note: It's important to pass 'krb5' as auth_type here
+                *       otherwise the replication will not work with
+                *       Windows 2000. If NTLMSSP is used Windows 2000
+                *       returns garbage in the DsGetNCChanges() response
+                *       if encrypted password attributes would be in the response.
+                *       That means the replication of the schema and configuration
+                *       partition works fine, but it fails for the domain partition.
+                */
                if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc", "print", false)) {
                        binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[krb5,print,seal]", s->source_dsa.dns_name);
                        if (composite_nomem(binding_str, c)) return;
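Review bot: The new comment sits directly above the `become_dc:print` check, so it reads as if it described only the `[krb5,print,seal]` string on the following line. The binding built when that option is off lies outside this hunk and presumably needs `krb5` for the same reason, so the comment should state that it covers every binding string built in this block. The failure sentence is also hard to parse; something like `With NTLMSSP, Windows 2000 returns garbage in DsGetNCChanges() whenever the response carries encrypted password attributes.` states the condition directly. Because the requirement is enforced only by the string literal, one more line saying the `krb5` token must not be dropped or changed without retesting domain-partition replication against Windows 2000 would protect it from later edits. becomeDC_drsuapi_connect_send() starts and ends outside the hunk.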