Samba 3.0alpha21, Windows XP SP1 and Kerberos authentication
antti.tikkanen at hut.fi
Wed Feb 12 12:22:57 GMT 2003
On Sat, 1 Feb 2003, Andrew Bartlett wrote:
> The interesting thing is this - my Win2k servers don't seem to share
> this property. I can't even get a CIFS/ ticket, and they don't have
> those names. So, we need to do some more digging - what is it that
> makes Samba look different to Win2k in this regard?
> Do some comparative traces, look at what names your Win2k servers have
> registered etc. It would be interesting to track this down.
I promised to get back on this after I could get some tests done on a
In short: indeed, Win2k with SP3 does not look for a
CIFS/server.example.com ticket. Win2k clients will look for the service
principal HOST/server.example.com, which is there by default.
Still, my XP clients will insist on trying to get a ticket for the
service principal CIFS/server.example.com, and will not work without one.
The really interesting thing is this. My Windows 2000 Server fileservers
do *not* have a servicePrincipalName of CIFS/server.example.com. Here is
an LDAP dump of a W2k fileserver:
# FILESERVER01, OUfile, OUmemberserver, OUroot, win, hut, fi
operatingSystem: Windows 2000 Server
operatingSystemServicePack: Service Pack 3
operatingSystemVersion: 5.0 (2195)
*BUT*, when I access fileserver01.win.hut.fi with my XP clients, they
somehow manage to get a ticket for the service principal
CIFS/fileserver01.win.hut.fi, even though it is not listed here (I
verified this with 'klist tickets').
In Linux, when I attempt to get a service ticket for
CIFS/fileserver01.win.hut.fi with 'kinit -S CIFS/fileserver01.win.hut.fi',
it fails and reports that the server was not found in the database.
For my Samba server, I am able to get a service ticket for
CIFS/sambaserver.win.hut.fi with 'kinit -S', because I have added it manually.
This sounds really weird to me.
And, if it has any information value, we have under testing a NetApp
fileserver which is able to join a domain and talk to SMB clients authenticating
them with Kerberos. It will also add a SPN named CIFS/netappserver.win.hut.fi
when joining the domain.
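A small diagnostic in the spirit of the "comparative traces" suggested upthread: take the ticket cache a client ends up with (from 'klist tickets') and the servicePrincipalName values the directory actually holds (from an ldapsearch LDIF dump), and list every service ticket the client obtained for a name that no computer object registers verbatim. Run against the post's two servers it flags cifs/fileserver01.win.hut.fi (ticket issued, only HOST/ names registered) and stays quiet about the Samba host, where CIFS/ was added by hand. This is an added example, not code from the original post or from Samba; the klist and LDIF text below are constructed to mirror the post, the 'Server: <principal>' klist line layout is an assumption, and the comparison is case-insensitive because the Windows KDC does not distinguish CIFS/ from cifs/. Background not stated in the post: the Windows KDC satisfies a cifs/ request for a host that only registers host/ because its default SPN mappings treat cifs as an alias of host; the script surfaces exactly those cases.

```python
"""Compare the service principals a client holds tickets for against the
servicePrincipalName values registered in the directory.

Added example for this thread, not code from the original post. Sample
inputs are constructed; the 'Server: <principal>' klist layout is assumed.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of client-side 'klist tickets' output after the client
# has touched both servers from the post (line format assumed).
SAMPLE_KLIST = """\
Cached Tickets: (3)

   Server: krbtgt/WIN.HUT.FI@WIN.HUT.FI
      End Time: 2/12/2003 22:22:57

   Server: cifs/fileserver01.win.hut.fi@WIN.HUT.FI
      End Time: 2/12/2003 22:22:57

   Server: cifs/sambaserver.win.hut.fi@WIN.HUT.FI
      End Time: 2/12/2003 22:22:57
"""

# Constructed sample LDIF for the two computer objects; the SPN sets mirror
# what the post describes (W2k: HOST/ only, Samba: CIFS/ added manually).
SAMPLE_LDIF = """\
dn: CN=FILESERVER01,OU=file,OU=memberserver,OU=root,DC=win,DC=hut,DC=fi
servicePrincipalName: HOST/FILESERVER01
servicePrincipalName: HOST/fileserver01.win.hut.fi
operatingSystem: Windows 2000 Server

dn: CN=SAMBASERVER,OU=file,OU=memberserver,OU=root,DC=win,DC=hut,DC=fi
servicePrincipalName: HOST/sambaserver.win.hut.fi
servicePrincipalName: CIFS/sambaserver.win.hut.fi
"""

# service/host[@REALM]; the leading \b keeps dates like 2/12/2003 out.
SPN_RE = re.compile(r'\b([A-Za-z]+)/([A-Za-z0-9.-]+)(?:@[A-Za-z0-9.-]+)?')

Spn = Tuple[str, str]  # (service, host), both lower-cased


def parse_klist(text: str) -> Set[Spn]:
    """Every service principal in klist output, minus the krbtgt TGT entry."""
    spns: Set[Spn] = set()
    for m in SPN_RE.finditer(text):
        svc, host = m.group(1).lower(), m.group(2).lower()
        if svc != 'krbtgt':
            spns.add((svc, host))
    return spns


def parse_ldif_spns(text: str) -> Dict[str, Set[Spn]]:
    """Map each dn in an LDIF dump to the SPNs registered on that object."""
    result: Dict[str, Set[Spn]] = {}
    dn = None
    for line in text.splitlines():
        if line.lower().startswith('dn: '):
            dn = line[4:].strip()
            result[dn] = set()
        elif dn and line.lower().startswith('serviceprincipalname:'):
            value = line.split(':', 1)[1].strip()
            svc, _, host = value.partition('/')
            result[dn].add((svc.lower(), host.lower()))
    return result


def unregistered_service_tickets(klist_text: str, ldif_text: str) -> List[Spn]:
    """Service tickets the client holds for names no object registers verbatim."""
    registered = set().union(*parse_ldif_spns(ldif_text).values())
    return sorted(spn for spn in parse_klist(klist_text) if spn not in registered)


def explain(klist_text: str, ldif_text: str) -> Dict[str, bool]:
    """For each unregistered ticket name, whether the same host at least has a
    HOST/ SPN (the name the W2k clients in the post ask for instead)."""
    registered = set().union(*parse_ldif_spns(ldif_text).values())
    hosts_with_host_spn = {h for s, h in registered if s == 'host'}
    return {f'{svc}/{host}': host in hosts_with_host_spn
            for svc, host in unregistered_service_tickets(klist_text, ldif_text)}


if __name__ == '__main__':
    for name, has_host in explain(SAMPLE_KLIST, SAMPLE_LDIF).items():
        note = 'HOST/ SPN present' if has_host else 'no HOST/ SPN either'
        print(f'ticket for {name} but no such SPN registered ({note})')
```

To use it on a real domain, save the client's 'klist tickets' output and an ldapsearch dump of the computer objects (including servicePrincipalName) to files and pass their contents to explain(). A name reported with "HOST/ SPN present" is one the KDC issued on the strength of a different registered name, which is the situation the post describes for the W2k fileserver.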