Samba 3.0alpha21, Windows XP SP1 and Kerberos authentication
abartlet at samba.org
Fri Jan 31 22:39:40 GMT 2003
On Sat, 2003-02-01 at 09:00, Antti Tikkanen wrote:
> I am not sure if you are aware of this, but I wanted to post it just in
> I compiled Samba3.0alpha21 on Linux with ADS, LDAP and Kerberos support
> and joined it to our Windows domain (with 'net ads join') without
> problems. I set up Samba to offer a few shares.
> Right after, I was able to access the shares with smbclient and tickets
> from the MS KDC without problems. I gather smbclient will try to get a
> service ticket for the principal servername$@REALM, which is ok.
> The Windows XP clients will not, however, use Kerberos to authenticate to
> Samba. I checked with Ethereal to see what was going on. XP clients would
> attempt to get ticket for the service principal CIFS/server.example.com,
> which had not been created when joining the domain. I added a
> servicePrincipalName like this for the computer account and things began
> to work. It would be nice if Samba created this principal by default?
The interesting thing is this - my Win2k servers don't seem to share
this property. I can't even get a CIFS/ ticket, and they don't have
those names. So, we need to do some more digging - what is it that
makes Samba look different to Win2k in this regard?
Do some comparative traces, look at what names your Win2k servers have
registered etc. It would be interesting to track this down.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030201/c4da29f3/attachment.bin
More information about the samba-technical