libnet/become_dc: add a comment and explain why it's important to specify krb5

metze
(This used to be commit 26d1f9366d8611af1a69095b4cede2d2c95c982d)

1 files changed, 9 insertions, 0 deletions

diff --git a/source4/libnet/libnet_become_dc.c b/source4/libnet/libnet_become_dc.c
index 556ba8045d4..31a9206d864 100644
--- a/source4/libnet/libnet_become_dc.c
+++ b/source4/libnet/libnet_become_dc.c
@@ -1516,6 +1516,15 @@ static void becomeDC_drsuapi_connect_send(struct libnet_BecomeDC_state *s,
 	drsuapi->s = s;
 
 	if (!drsuapi->binding) {
+		/*
+		 * Note: It's important to pass 'krb5' as auth_type here
+		 *       otherwise the replication will not work with
+		 *       Windows 2000. If NTLMSSP is used Windows 2000
+		 *       returns garbage in the DsGetNCChanges() response
+		 *       if encrypted password attributes would be in the response.
+		 *       That means the replication of the schema and configuration
+		 *       partition works fine, but it fails for the domain partition.
+		 */
 		if (lp_parm_bool(s->libnet->lp_ctx, NULL, "become_dc", "print", false)) {
 			binding_str = talloc_asprintf(s, "ncacn_ip_tcp:%s[krb5,print,seal]", s->source_dsa.dns_name);
 			if (composite_nomem(binding_str, c)) return;