Authentication through transitive trusts

Antti Tikkanen antti.tikkanen at
Fri Jul 18 20:55:53 GMT 2003

On Fri, 18 Jul 2003, Marc Kaplan wrote:

> Ken,
> I looked at this again, and what I'm seeing is that Samba is successful
> enumerating all of the sequence numbers, users, and groups from the
> transitive trusts, but like you said -- client's cannot authenticate. I'm
> seeing the same thing as you, Win2k client is using NTLMSSP rather than
> Kerberos.  Though it is important to note that my Win2k clients from all
> domains (not just transitive trusts) are using NTLMSSP to authenticate. I
> need to go back and try this with the latest Samba, since I'm using a dated
> version, but since you're seeing the same thing, I would guess that nothing
> has changed.
> win2k->win2k uses Kerberos, and win2k->nt4 uses NTLMSSP, so it seems like
> the win2k box thinks the Samba Server is a downlevel client (or at least
> only supports NTLM).


I don't know if this advice is valid here, but here goes. You might want
to check that the machine account for your Samba server has an entry for
the Kerberos Service Principal Name that the W2k clients are doing
KRB_AS_REQ's for.

I had problems adding my Samba server with a DNS name like to a Windows domain, and had to add
a few SPN's (HOST/ and CIFS/ manually
to get the W2k clients to use Kerberos. (I don't know if this is even
supposed to work without manual tricks?)

You can see the machine account SPN's with ldapsearch like this:


% ldapsearch -Hldap:// \
  -b "dc=windows,dc=example,dc=com" -s sub cn=samba \
  servicePrincipalName
SASL/GSSAPI authentication started
SASL installing layers
# extended LDIF
# LDAPv3
# base <dc=windows,dc=example,dc=com> with scope sub
# filter: cn=samba
# requesting: servicePrincipalName

# samba, Computers,
dn: CN=samba,CN=Computers,DC=windows,DC=example,DC=com
servicePrincipalName: HOST/    # added manually
servicePrincipalName: CIFS/    # added manually
servicePrincipalName: CIFS/
servicePrincipalName: CIFS/samba
servicePrincipalName: HOST/
servicePrincipalName: HOST/samba


To see what SPN the client wants, use Ethereal. The KRB_AS_REQ should be
right after the negprot reply from Samba. If the KDC reply contains an
error instead of a service ticket, the client will fall back to using


Antti.Tikkanen at
Helsinki University of Technology
Computing Centre
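A small checker for the SPN situation discussed in this thread, as an added example that is not part of the original post and not Samba's own code: it parses the LDIF that ldapsearch prints for the computer account, reports which of the HOST/ and CIFS/ SPNs (short name and fully qualified name, the ones the W2k client may ask the KDC for) are missing, and writes the LDIF change record you would feed to ldapmodify to add them. The host names samba and samba.windows.example.com, and the sample LDIF embedded below, are assumptions constructed for the example.

```python
# Added example (not from the original post or from Samba): list the SPNs a
# Windows 2000 client may request for a CIFS server (HOST/ and CIFS/ with the
# short and the fully qualified host name) that are missing from a computer
# account, and emit the ldapmodify LDIF that adds them.
# The names samba / samba.windows.example.com and SAMPLE_LDIF are assumptions
# constructed for this example.

SERVICES = ("HOST", "CIFS")

# Constructed sample of what "ldapsearch ... cn=samba servicePrincipalName"
# prints for an account that only got the short-name SPNs when it was joined.
SAMPLE_LDIF = """\
# extended LDIF
# LDAPv3
# base <dc=windows,dc=example,dc=com> with scope sub
# filter: cn=samba
# requesting: servicePrincipalName

# samba, Computers, windows.example.com
dn: CN=samba,CN=Computers,DC=windows,DC=example,DC=com
servicePrincipalName: HOST/samba
servicePrincipalName: CIFS/samba

# search result
search: 2
result: 0 Success
"""


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def parse_spns(ldif_text):
    """Return {dn: [servicePrincipalName values]} for every entry in the LDIF.
    Comments are skipped; a blank line ends an entry; base64 ('::') values are
    not decoded, which is fine for SPNs."""
    entries = {}
    dn, spns = None, []
    for line in unfold(ldif_text) + [""]:   # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = spns
            dn, spns = None, []
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if attr == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname":
            spns.append(value)
    return entries


def expected_spns(short_name, fqdn):
    """SPNs a client may ask for: service/short-name and service/fqdn."""
    return {f"{svc}/{name}" for svc in SERVICES for name in (short_name, fqdn)}


def missing_spns(present, short_name, fqdn):
    """Expected SPNs not registered on the account (AD compares SPNs case-insensitively)."""
    have = {p.lower() for p in present}
    return sorted(s for s in expected_spns(short_name, fqdn) if s.lower() not in have)


def ldif_add_spns(dn, spns):
    """LDIF change record for ldapmodify that adds the given SPNs to the account."""
    lines = [f"dn: {dn}", "changetype: modify", "add: servicePrincipalName"]
    lines += [f"servicePrincipalName: {s}" for s in spns]
    lines.append("-")
    return "\n".join(lines) + "\n"


def check_account(ldif_text, short_name, fqdn):
    """Return {dn: [missing SPNs]} for each entry in the ldapsearch output."""
    return {dn: missing_spns(spns, short_name, fqdn)
            for dn, spns in parse_spns(ldif_text).items()}


if __name__ == "__main__":
    report = check_account(SAMPLE_LDIF, "samba", "samba.windows.example.com")
    for dn, missing in report.items():
        if missing:
            print(f"{dn} lacks {', '.join(missing)}; ldapmodify input:")
            print(ldif_add_spns(dn, missing))
        else:
            print(f"{dn} has all expected SPNs")
```

Pipe the real ldapsearch output into parse_spns() instead of SAMPLE_LDIF and feed the printed record to "ldapmodify -H ldap://<dc> ..." with the same GSSAPI bind; a client that sends a KRB_AS_REQ (or TGS_REQ) for a name not in this list gets an error from the KDC and drops to NTLMSSP, which is what Ethereal shows right after the negprot reply.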
