[Samba] smbclient, kerberos, and EMC

[Joey Collins]

Hi Everyone,

I'm trying to get smbclient to cooperate with my new EMC Celerra (just
got it a little while ago) using kerberos.  My windows domain
environment is win2000 + sp4, the EMC is "joined" to the domain. 

I am using samba 3.0, fresh sources, and MIT KRB5 1.3.4, all freshly
built.  I join the domain, etc. everything is happy.  I use kinit
user at REALM to get my initial tgt.  then, i use smbclient //emc/share -k
and I get this error:

# ./smbclient //emc/share -k
krb5_get_credentials failed for EMC$@mydomain.com (KDC reply did not
match expectations)
spnego_gen_negTokenTarg failed: KDC reply did not match expectations
session setup failed: SUCCESS - 0

looking at an ethereal trace, I notice some funny things.  first, the
EMC returns the principal name in the NegProt response as
EMC at mydomain.com ... this is backwards, me thinks, as usually I have
observed the principal (target host) in lowercase and the realm in all
uppercase.  You think this has anything to do with it?  Looking at the
TGS exchange, I see the realm(domain) in lowercase and the system name
in upcase.  The TGT-REP, however, has the Realm in the cleartext
"Ticket" part in uppercase as well as the target system name.  I have
observed MIT KRB5 1.3.4 being a bit more picky about these things than
earlier versions, and Micro$oft doesn't seem to give a hoot about case. 
Note, smbclient never actually tries to contact the EMC beyond the
NegProt exchange.

smbclient + kerberos (same binary as above) *is* happy going against my
Windows2000 domain controller.  In this situation, I notice the NetProt
response has the server name in lowercase and the realmname in
uppercase.

Am I a victim of bad luck or is their an interop issue here?  I know
EMC's don't grow on trees, so it may be difficult to test this beast in
the community.  Any advice appreciated, I'm certainly willing to try
things!

all the best,

Joey.