[linux-cifs-client] Case sensitivity in Kerberos principal names.

Santy, Kimberly M woodk at IUPUI.EDU
Wed Nov 29 17:31:20 GMT 2006


I'm interested in finding out if there is a solution to the problem described in a March post on this same topic.  Let me preface this by saying that I know very little about Linux and Samba, I am a Windows Admin, but was contacted by one of our customers because of the Windows error that is generated as a result of this problem.
 
Our configuration is much the same as described in the original post.  We have a newly installed EMC-NAS device, a Windows 2003 AD domain, and a proprietary kiosk-type device that runs Linux on the backend.  The problem presented itself when the EMC-NAS was upgraded last week.  The Linux client is made by a very small company and there are not many of these devices in the world, so it is likely that we are the first to experience this problem with this vendor.  
 
I am planning a conference call with the vendor, but wondered if anyone had any suggestions on how we might resolve the problem.  I realize I don't have a lot of info that may be needed, but any help at all would be great . . . 
 
Is there anything that can be done to make this work?
 
Thanks!
 
Kim Santy
woodk at iupui.edu
 
--------------------------------------------------------------------------------
Here is the original post . . . 
 
"Here's an interesting buglet I ran into recently...

(Andrew Bartlett, it's been suggested that I solicit your opinion here...)

I've got a commercial NAS device, acting as a CIFS server.  It's a member
of an AD domain that only accepts Kerberos Auth.  Windows clients are able
to authenticate and gain access to the CIFS shares without problems.

Other clients--MacOS's SMB file system, the Linux CIFS VFS, and smbclient--
all fail with an error along the lines of:

   spnego_gen_negTokenTarg failed: KDC reply did not match expectations

The problem seems to be the case of the principal.  The Celerra goes
against the grain by sending principal names in the form NAME@realm (that
is, UPPER@lower).  The Windows KDC will "canonicalize" the name changing it
to name@REALM (that is, lower@UPPER).

As described above, the Windows clients appear not to care about the case
of the fields of the principal, but the MacOS and Linux clients do.

I have highly-respected contacts within the company that makes the NAS
device.  They assure me that the problem is that the clients are being
too picky, and that case should not matter.  I am also fairly certain,
however, that this authentication would work if the CIFS server were
providing its principal name in the preferred lower@UPPER format (so
that it would be the same as the format the Windows KDC returns).

I'm looking for comments regarding this.  I'd like to know, in particular,
whether or not folks think changes need to be made in the above-mentioned
clients."
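
The comparison at issue in the quoted post, as an added example that is not part of either message and is not Samba's or the CIFS VFS's own code: it classifies a KDC reply principal against the requested one as an exact match, a case-only difference (the UPPER@lower versus lower@UPPER situation), or a different principal. The function names and the sample principals are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum princ_match { PRINC_EXACT, PRINC_CASE_ONLY, PRINC_DIFFERENT };

/* Case-insensitive string equality (ASCII), 1 if equal. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Split "name@REALM" at the last unescaped '@'; 0 on success, -1 if malformed. */
static int split_principal(const char *p, char *name, char *realm, size_t len)
{
    const char *at = NULL;
    for (const char *c = p; *c; c++) {
        if (*c == '\\' && c[1]) { c++; continue; }   /* skip escaped character */
        if (*c == '@') at = c;
    }
    if (!at || at == p || !at[1]) return -1;          /* both parts required */
    size_t n = (size_t)(at - p);
    if (n >= len || strlen(at + 1) >= len) return -1; /* would not fit */
    memcpy(name, p, n); name[n] = '\0';
    strcpy(realm, at + 1);
    return 0;
}

/* Classify how the principal in the KDC reply differs from the requested one. */
enum princ_match compare_principals(const char *req, const char *ret)
{
    char n1[256], r1[256], n2[256], r2[256];
    if (split_principal(req, n1, r1, sizeof n1) || split_principal(ret, n2, r2, sizeof n2))
        return PRINC_DIFFERENT;                       /* malformed: never a match */
    if (strcmp(n1, n2) == 0 && strcmp(r1, r2) == 0)
        return PRINC_EXACT;                           /* what a strict client requires */
    if (eq_nocase(n1, n2) && eq_nocase(r1, r2))
        return PRINC_CASE_ONLY;                       /* the situation in the post */
    return PRINC_DIFFERENT;
}

int main(void)
{
    /* Constructed sample names, not taken from the post. Prints 1 (PRINC_CASE_ONLY). */
    printf("%d\n", compare_principals("NAS01@example.com", "nas01@EXAMPLE.COM"));
    return 0;
}
```

Whether a client should accept the case-only result is the question the post raises; a different principal is rejected in either policy.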
