Samba 3.0alpha21, Windows XP SP1 and Kerberos authentication

Andrew Bartlett abartlet at
Fri Jan 31 22:39:40 GMT 2003

On Sat, 2003-02-01 at 09:00, Antti Tikkanen wrote:
> Hello,
> I am not sure if you are aware of this, but I wanted to post it just in
> case.
> I compiled Samba3.0alpha21 on Linux with ADS, LDAP and Kerberos support
> and joined it to our Windows domain (with 'net ads join') without
> problems. I set up Samba to offer a few shares.
> Right after, I was able to access the shares with smbclient and tickets
> from the MS KDC without problems. I gather smbclient will try to get a
> service ticket for the principal servername$@REALM, which is ok.
> The Windows XP clients will not, however, use Kerberos to authenticate to
> Samba. I checked with Ethereal to see what was going on. XP clients would
> attempt to get ticket for the service principal CIFS/,
> which had not been created when joining the domain. I added a
> servicePrincipalName like this for the computer account and things began
> to work. It would be nice if Samba created this principal by default?

The interesting thing is this - my Win2k servers don't seem to share
this property.  I can't even get a CIFS/ ticket, and they don't have
those names.  So, we need to do some more digging - what is it that
makes Samba look different to Win2k in this regard?

Do some comparative traces, look at what names your Win2k servers have
registered etc.  It would be interesting to track this down.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list