Samba 3.0alpha21, Windows XP SP1 and Kerberos authentication

P Ranjit Kumar ranjit at cup.hp.com
Sat Feb 1 01:50:21 GMT 2003


Hello Antti,

I have been having this problem for a long time now. I have a few questions
on how you have configured it.

1) How did you create the service principal host/machine.domain.com@REALM in
the Windows 2000 KDC?

2) Did the setup work with any Windows 2000 clients?

3) Do you have any other services, such as telnet etc., that want to use
Kerberos on your Linux box?

I am playing around with Samba in a Kerberos environment (Windows 2000 KDC)
and am having problems with host/machine.domain.com@REALM type of principal
names when I use Windows 2000 clients.

So I am just wondering how it worked for you :) If you are interested, you
can email me your phone number. I can call you.

Thanks,
Ranjit
HP CIFS Team.


-----Original Message-----
From: samba-technical-bounces+marc_jacobsen=hp.com at lists.samba.org
[mailto:samba-technical-bounces+marc_jacobsen=hp.com at lists.samba.org]On
Behalf Of Antti Tikkanen
Sent: Friday, January 31, 2003 2:00 PM
To: samba-technical at lists.samba.org
Subject: Samba 3.0alpha21, Windows XP SP1 and Kerberos authentication


Hello,

I am not sure if you are aware of this, but I wanted to post it just in
case.

I compiled Samba 3.0alpha21 on Linux with ADS, LDAP and Kerberos support
and joined it to our Windows domain (with 'net ads join') without
problems. I set up Samba to offer a few shares.

Right after, I was able to access the shares with smbclient and tickets
from the MS KDC without problems. I gather smbclient will try to get a
service ticket for the principal servername$@REALM, which is ok.

The Windows XP clients will not, however, use Kerberos to authenticate to
Samba. I checked with Ethereal to see what was going on. XP clients would
attempt to get a ticket for the service principal CIFS/server.example.com,
which had not been created when joining the domain. I added a
servicePrincipalName like this for the computer account and things began
to work. It would be nice if Samba created this principal by default?

Best regards,
Antti Tikkanen

--

Antti.Tikkanen at hut.fi
Helsinki University of Technology
Computing Centre



