Bug 1999 - samba cannot join Win2K ADS domain with a non-ascii domain name
Summary: samba cannot join Win2K ADS domain with a non-ascii domain name
Status: NEW
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: net utility
Version: 3.0.11
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assignee: Jim McDonough
QA Contact: Samba QA Contact
Reported: 2004-11-04 14:12 UTC by Jay Fenlason
Modified: 2023-06-06 14:53 UTC

Attachments
Ugly patch to allow "net ads join", etc to work on a Win2k active directory domain with a non-ascii name (58 bytes, patch)
2004-11-04 14:16 UTC, Jay Fenlason
smb.conf file for my non-ascii domain (449 bytes, text/plain)
2004-11-04 14:20 UTC, Jay Fenlason
Ugly patch to allow "net ads join", etc to work on a Win2k active directory domain with a non-ascii name (5.04 KB, patch)
2004-11-05 07:52 UTC, Jay Fenlason

Description Jay Fenlason 2004-11-04 14:12:21 UTC
A Win2k Active Directory domain controller sends some domain information (the 
name of the kerberos realm) encoded in a non-utf-8 character set, however the 
Win2k Active Directory Kerberos server requires that the domain be encoded in 
utf-8.  The attached (ugly) patch allows "net ads join", winbindd, etc to work 
with the attached smb.conf file (I have not been able to debug why it needs 
"allow trusted domains = no"--I suspect an incompleteness in the patch).
Comment 1 Jay Fenlason 2004-11-04 14:16:25 UTC
Created attachment 755
Ugly patch to allow "net ads join", etc to work on a Win2k active directory domain with a non-ascii name
Comment 2 Jay Fenlason 2004-11-04 14:20:19 UTC
Created attachment 756
smb.conf file for my non-ascii domain
Comment 3 Guenther Deschner 2004-11-05 03:46:47 UTC
Could you please repost your patch? It seems to be broken.
Comment 4 Jay Fenlason 2004-11-05 07:52:40 UTC
Created attachment 758
Ugly patch to allow "net ads join", etc to work on a Win2k active directory domain with a non-ascii name

Konqueror claimed it was uploading the patch the first time.  Let's see if Mozilla
does better.
Comment 5 Volker Lendecke 2005-02-16 07:54:06 UTC
That patch is not correct, I think. I've installed a w2k domain named with Greek letters and German umlauts in its name. The principal that is returned in the negprot reply is anything but sensible. This can just not be relied upon. A proper patch would remove the on the negprot reply completely. An indication that this is just broken is the Windows client behaviour. I have never seen any client read from that value. For example, if you connect to an AD member using its IP address, the Kerberos principal that is asked for is the IP address, whereas the negprot reply could have given you an indication of the server's name. However, I'm afraid I have to delay a proper solution until later. Sorry, Volker
Comment 6 Kai Blin 2008-07-03 07:52:17 UTC
Looking at the warnings Windows spits when using non-ascii names for domains and computers, it seems like you need to handle this in the OEM charset, whatever that is set to.
Comment 7 Kai Blin 2008-07-03 09:29:02 UTC
Also, how did you manage to kinit for the domain? I'm trying to reproduce the bug on a Win2k3 DC with an Ubuntu 8.04 client running heimdal-1.0.1 or MIT 1.6, both fail to kinit in my BLÜMCHEN.LOCAL realm correctly.
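
The encoding mismatch described in the report and in comment 6, as an added example that is not part of this bug thread, the attached patch, or Samba's code: the same realm name yields different bytes in an OEM code page and in UTF-8, so a realm received in one form has to be canonicalised before it is compared or handed to Kerberos. CP850 as the OEM code page and the names `realm_to_utf8` and `same_realm` are assumptions made for illustration.

```python
import unicodedata

# Constructed sample: the realm name from comment 7 ("BLÜMCHEN.LOCAL").
REALM = "BL\u00dcMCHEN.LOCAL"
REALM_OEM = REALM.encode("cp850")   # as a peer might send it (assumed code page)
REALM_UTF8 = REALM.encode("utf-8")  # as the KDC expects it


class RealmEncodingError(ValueError):
    """Raised when realm bytes cannot be safely canonicalised."""


def realm_to_utf8(raw: bytes, oem_charset: str = "cp850") -> bytes:
    """Return realm bytes as NFC-normalised UTF-8.

    Strict UTF-8 is tried first; only if that fails are the bytes
    reinterpreted in the configured OEM code page. A short OEM string can
    by chance also be valid UTF-8, so this is a heuristic, not a proof.
    """
    if not raw:
        raise RealmEncodingError("empty realm")
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        try:
            text = raw.decode(oem_charset, errors="strict")
        except (UnicodeDecodeError, LookupError) as exc:
            raise RealmEncodingError(f"not UTF-8 and not {oem_charset}") from exc
    # Control characters (including NUL) have no place in a realm name.
    if any(unicodedata.category(ch) == "Cc" for ch in text):
        raise RealmEncodingError("control character in realm")
    return unicodedata.normalize("NFC", text).encode("utf-8")


def same_realm(a: bytes, b: bytes, oem_charset: str = "cp850") -> bool:
    """Compare two realm byte strings after canonicalisation, not raw."""
    return realm_to_utf8(a, oem_charset) == realm_to_utf8(b, oem_charset)


if __name__ == "__main__":
    print("OEM bytes  :", REALM_OEM.hex(" "))
    print("UTF-8 bytes:", REALM_UTF8.hex(" "))
    print("raw equal  :", REALM_OEM == REALM_UTF8)
    print("same realm :", same_realm(REALM_OEM, REALM_UTF8))
```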