Before trying to send a TGS request to the Kerberos KDC, Windows Servers (at least w2k8) try to connect to the CLDAP service and send a request for the netlogon attribute. If this request is not successful, the TGS is not requested.
Simo recommends building a plugin for the Directory Server to handle this CLDAP request.
CLDAP request and response cldap.txt
We realized that the PAC work will not allow Simo to work on the CLDAP plugin. Since for testing a samba4 cldap service can be used, the ticket is moved to the next month.
Patches on the list
Multiple patches pushed to master.
Metadata Update from @sbose:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 3.0 Trust Effort - 2011/11