Authentication through transitive trusts

Steve Langasek vorlon at netexpress.net
Fri Jul 18 21:23:18 GMT 2003


On Sat, Jul 19, 2003 at 12:12:58AM +0300, Antti Andreimann wrote:
> Antti Tikkanen wrote:

> > I had problems adding my Samba server with a DNS name like
> > samba.example.com to a Windows domain windows.example.com, and had to add
> > a few SPNs (HOST/samba.example.com and CIFS/samba.example.com) manually
> > to get the W2k clients to use Kerberos. (I don't know if this is even
> > supposed to work without manual tricks?)

> This is supposed to work automatically, however if you have set up the realm
> in smb.conf to be something different from the realm where the server is a
> member, samba will give out wrong hints about what principals to use for
> connecting. However w2k should ignore those hints AFAIK.

It's my understanding that these are not "hints", but canonical
declarations of the service principal name to use.  If Samba is wrong
in what it's sending (which is possible, though it should also be
possible to catch this at runtime based on the available credentials),
there are certainly cases in a moderate-sized AD forest where it's
*impossible* for the client to determine a valid service principal for
the server.

-- 
Steve Langasek
postmodern programmer
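The SPN and realm check discussed in the thread above, as an added example that is not part of the original posts or of Samba's own code: a Python script that parses a constructed smb.conf fragment, derives the HOST/ and CIFS/ principals a W2K client may ask the KDC for when it connects to samba.example.com, compares them with a constructed servicePrincipalName list standing in for the machine account in windows.example.com, and flags a realm that does not match the joined domain. The NetBIOS name SAMBA, the realm value EXAMPLE.COM, the machine-account contents and the audit() helper are assumptions made for the example; in a real check you would pull servicePrincipalName and dNSHostName from a DC with ldapsearch or setspn -L.

```python
import re

# Constructed smb.conf fragment (assumption): realm is set to the parent DNS
# zone rather than the realm of the domain the server was actually joined to.
SMB_CONF = """\
[global]
   workgroup = WINDOWS
   realm = EXAMPLE.COM
   security = ads
   netbios name = SAMBA
"""

# Constructed stand-in for the machine account as a DC would return it, e.g.
# ldapsearch ... '(sAMAccountName=SAMBA$)' dNSHostName servicePrincipalName
AD_MACHINE_ACCOUNT = {
    "sAMAccountName": "SAMBA$",
    "dNSHostName": "samba.example.com",
    "servicePrincipalName": ["HOST/SAMBA", "HOST/samba.windows.example.com"],
}
DOMAIN_REALM = "WINDOWS.EXAMPLE.COM"  # realm of the domain the server joined

# Windows maps the cifs service class onto HOST via the forest's sPNMappings,
# so HOST/<name> alone is usually enough; the thread added CIFS/ explicitly.
SERVICES = ("HOST", "CIFS")


def parse_smb_conf(text):
    """Return the [global] key/value pairs of an smb.conf, keys lower-cased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[key.lower()] = value
    return conf


def expected_spns(dns_name, netbios_name, services=SERVICES):
    """SPNs a client may look up: <svc>/<fqdn> and <svc>/<NetBIOS name>."""
    return {f"{svc}/{host}" for svc in services for host in (dns_name, netbios_name)}


def missing_spns(dns_name, netbios_name, registered, services=SERVICES):
    """Expected SPNs absent from the account; SPN matching is case-insensitive."""
    have = {spn.lower() for spn in registered}
    return {spn for spn in expected_spns(dns_name, netbios_name, services)
            if spn.lower() not in have}


def setspn_commands(missing, account):
    """One 'setspn -A' line (run on a DC) per missing SPN."""
    return [f"setspn -A {spn} {account}" for spn in sorted(missing)]


def realm_mismatch(conf, domain_realm):
    """True if smb.conf's realm is not the realm of the joined domain."""
    return conf.get("realm", "").upper() != domain_realm.upper()


def audit(conf_text=SMB_CONF, account=AD_MACHINE_ACCOUNT, domain_realm=DOMAIN_REALM):
    """Assumed helper tying the checks together; returns a report dict."""
    conf = parse_smb_conf(conf_text)
    missing = missing_spns(account["dNSHostName"], conf["netbios name"],
                           account["servicePrincipalName"])
    return {
        "realm_mismatch": realm_mismatch(conf, domain_realm),
        "missing": missing,
        "fix": setspn_commands(missing, account["sAMAccountName"]),
    }


if __name__ == "__main__":
    report = audit()
    if report["realm_mismatch"]:
        print("smb.conf realm does not match the joined domain's realm")
    for spn in sorted(report["missing"]):
        print("missing SPN:", spn)
    for cmd in report["fix"]:
        print(cmd)
```

With the constructed data the report shows the realm mismatch and three missing SPNs (HOST/samba.example.com, CIFS/samba.example.com and CIFS/SAMBA), and prints the setspn lines that would register them on the machine account; only HOST/samba.windows.example.com and HOST/SAMBA are present, which is exactly the situation where a client resolving the server as samba.example.com cannot obtain a service ticket.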