Samba 3.0alpha21, Windows XP SP1 and Kerberos authentication

Antti Tikkanen antti.tikkanen at hut.fi
Wed Feb 12 12:22:57 GMT 2003


On Sat, 1 Feb 2003, Andrew Bartlett wrote:

> The interesting thing is this - my Win2k servers don't seem to share
> this property.  I can't even get a CIFS/ ticket, and they don't have
> those names.  So, we need to do some more digging - what is it that
> makes Samba look different to Win2k in this regard?
>
> Do some comparative traces, look at what names your Win2k servers have
> registered etc.  It would be interesting to track this down.

Hello,

I promised to get back on this after I could get some tests done on a
Win2k workstation.

To put it short: indeed, Win2k with SP3 does not look for a
CIFS/server.example.com ticket. Win2k clients will look for the service
principal HOST/server.example.com, which is there by default.

Still, my XP clients will insist on trying to get a ticket for the
service principal CIFS/server.example.com, and will not work without one.

The really interesting thing is this. My Windows 2000 Server fileservers
do *not* have a servicePrincipalName of CIFS/server.example.com. Here is
an LDAP dump of a W2k fileserver:

--

# FILESERVER01, OUfile, OUmemberserver, OUroot, win, hut, fi
dn: CN=FILESERVER01,OU=OUfile,OU=OUmemberserver,OU=OUroot,DC=win,DC=hut,DC=fi
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: CCFILE01
countryCode: 0
displayName: FILESERVER01$
dNSHostName: fileserver01.win.hut.fi
(..snip..)
distinguishedName: CN=FILESERVER01,OU=OUfile,OU=OUmemberserver,OU=OUroot,DC=win,DC=hut,DC=fi
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=win,DC=hut,DC=fi
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
objectGUID:: Ww2Hq27cj0Si6AB3eQk1qQ==
objectSid:: AQUAAAAAAAUVAAAAfOskDVdm4mJ1uXVUXAQAAA==
operatingSystem: Windows 2000 Server
operatingSystemServicePack: Service Pack 3
operatingSystemVersion: 5.0 (2195)
primaryGroupID: 515
pwdLastSet: 126891621025546875
name: FILESERVER01
sAMAccountName: FILESERVER01$
sAMAccountType: 805306369
servicePrincipalName: NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/fileserver01.win.hut.fi
servicePrincipalName: HOST/FILESERVER01
servicePrincipalName: HOST/fileserver01.win.hut.fi
userAccountControl: 4096
uSNChanged: 13142668
uSNCreated: 3385
whenChanged: 20030208071502.0Z
whenCreated: 20000809081657.0Z

--

*BUT*, when I access fileserver01.win.hut.fi with my XP clients, they
somehow manage to get a ticket for the service principal
CIFS/fileserver01.win.hut.fi, even though it is not listed here (I
verified this with 'klist tickets').

In Linux, when I attempt to get a service ticket for
CIFS/fileserver01.win.hut.fi with 'kinit -S CIFS/fileserver01.win.hut.fi',
it fails and reports that the server was not found in the database.

For my Samba server, I am able to get a service ticket for
CIFS/sambaserver.win.hut.fi with 'kinit -S', because I have added it manually.

This sounds really weird to me.

And, if it has any information value, we have under testing a NetApp
fileserver which is able to join a domain and talk to SMB clients authenticating
them with Kerberos. It will also add a SPN named CIFS/netappserver.win.hut.fi
when joining the domain.

Any comments?


Regards,
Antti Tikkanen
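An added example (not code from the post, the Samba project, or the samba-technical thread): a small parser for a computer entry in the LDIF form dumped above, plus a resolver that answers the question the post raises, namely which registered SPN a KDC can use to serve a client's ticket request. It assumes that the KDC treats a fixed set of service classes, cifs among them, as aliases of HOST/ when no exact SPN exists; that set is modelled on the default sPNMappings of an Active Directory forest and is an assumption of this example, not something the post states. The two sample entries are constructed from the dump above (with a fictional Samba server entry) and are not real directory data.

```python
"""Parse an LDIF computer entry and work out which registered SPN would
satisfy a client's service-ticket request.

Added example, not code from the samba-technical thread.  It models the
behaviour the post observes: XP asks for cifs/<fqdn>, the Windows KDC
issues a ticket although the computer object only carries HOST/<fqdn>.
"""
import base64
import re

# Service classes the KDC maps onto HOST/ when no exact SPN is registered.
# Assumption: a subset of Active Directory's default sPNMappings
# (host=...,cifs,http,ldap,...); adjust to your forest's actual value.
HOST_ALIASES = {"cifs", "http", "www", "ldap", "rpc", "dns", "spooler",
                "netlogon", "samss", "time", "wins"}

# LDIF attribute line: "attr: value" or "attr:: base64value".
ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s?(.*)$")


def parse_ldif(text):
    """Return {attr_lowercase: [values]} for one LDIF entry.

    Handles folded lines (a continuation line starts with one space, as in
    the NtFrs SPN of the dump) and base64 values ('::', e.g. objectGUID),
    which are returned as bytes.  Attribute names are case-insensitive in
    LDAP, so keys are normalised to lower case.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value)
        entry.setdefault(attr.lower(), []).append(value)
    return entry


def spns_of(ldif_text):
    """All servicePrincipalName values of the entry, in directory order."""
    return parse_ldif(ldif_text).get("serviceprincipalname", [])


def resolve_spn(requested, registered, host_aliases=HOST_ALIASES):
    """Return (registered SPN, how) for a client's requested SPN.

    SPNs compare case-insensitively.  An exact match wins; otherwise a
    request whose service class is a host alias is served by HOST/<instance>,
    which is why cifs/fileserver01 gets a ticket without a cifs/ SPN.
    Returns (None, "not found") when neither applies, mirroring the
    'server not found in Kerberos database' error from kinit -S.
    """
    by_lower = {s.lower(): s for s in registered}
    want = requested.lower()
    if want in by_lower:
        return by_lower[want], "exact"
    cls, sep, instance = want.partition("/")
    if sep and cls in host_aliases and "host/" + instance in by_lower:
        return by_lower["host/" + instance], "host-alias"
    return None, "not found"


# Constructed sample: trimmed from the Win2k fileserver dump in the post.
W2K_FILESERVER = """\
# FILESERVER01, OUfile, OUmemberserver, OUroot, win, hut, fi
dn: CN=FILESERVER01,OU=OUfile,OU=OUmemberserver,OU=OUroot,DC=win,DC=hut,DC=fi
dNSHostName: fileserver01.win.hut.fi
objectGUID:: Ww2Hq27cj0Si6AB3eQk1qQ==
operatingSystem: Windows 2000 Server
sAMAccountName: FILESERVER01$
servicePrincipalName: NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/fileserver01.win.
 hut.fi
servicePrincipalName: HOST/FILESERVER01
servicePrincipalName: HOST/fileserver01.win.hut.fi
"""

# Constructed sample: a Samba member server with a manually added CIFS/ SPN.
SAMBA_SERVER = """\
dn: CN=SAMBASERVER,OU=OUmemberserver,OU=OUroot,DC=win,DC=hut,DC=fi
dNSHostName: sambaserver.win.hut.fi
sAMAccountName: SAMBASERVER$
servicePrincipalName: HOST/sambaserver.win.hut.fi
servicePrincipalName: CIFS/sambaserver.win.hut.fi
"""

if __name__ == "__main__":
    for name, ldif in (("w2k", W2K_FILESERVER), ("samba", SAMBA_SERVER)):
        host = parse_ldif(ldif)["dnshostname"][0]
        print(name, resolve_spn("CIFS/" + host, spns_of(ldif)))
```

Running it shows the asymmetry from the post: the Win2k server serves `CIFS/fileserver01.win.hut.fi` only through its `HOST/` SPN, while the Samba server matches `CIFS/sambaserver.win.hut.fi` exactly. A non-AD KDC (the Linux `kinit -S` case) has no alias table, which corresponds to calling `resolve_spn` with `host_aliases=set()`.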


More information about the samba-technical mailing list