ADS wrong service principals

Eric Horst erich at cac.washington.edu
Wed Oct 29 20:00:29 GMT 2003


I had a hard time getting ADS Kerberos auth working.  After a while I
realized that there was a problem with the service principals generated by
'net ads join'.  The hostname of the Samba server is
host.dom.washington.edu and it is joined to the domain
windom.washington.edu. When trying to access files using
\\host.dom.washington.edu\service it fails.

I found when running 'net ads status' that it had generated service
principals:

  servicePrincipalName: CIFS/host.windom.washington.edu
  servicePrincipalName: CIFS/host
  servicePrincipalName: HOST/host.windom.washington.edu
  servicePrincipalName: HOST/host

Finally I realized the problem and as a test renamed the host to
host.windom.washington.edu.  Now it works fine.  I confirmed by changing
the name back that it breaks again.  The DNS name or name being used to
access the host must agree with the service principal name.

First off, it might be helpful to clarify this subtle behaviour in the
documentation.  Second, Windows servers don't act like this.  We currently
have Windows and Samba servers in several DNS domains joined to a single
Windows domain.  Kerberos principals work out right.  I'd suggest that
this is a bug and that service principals be generated using the hostname
of the host rather than taking liberties by chopping the name and
appending the domain it is joining.

--Eric
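A client that opens \\host.dom.washington.edu\service asks the KDC for a ticket to cifs/host.dom.washington.edu, so the server's account must carry exactly that SPN; the names the joiner registered above only cover host.windom.washington.edu. The script below is an added example (not from the post or from Samba) that parses servicePrincipalName lines in the format 'net ads status' prints, compares them with the SPNs a client will request for the FQDN it really connects to, and flags SPNs that carry the right short name under a different DNS suffix, which is the symptom described. The sample output and the hostnames are constructed from the post; the function names are my own.

```python
import re

# Constructed sample: the four SPN lines quoted in the post, as 'net ads status' prints them.
SAMPLE_NET_ADS_STATUS = """\
  servicePrincipalName: CIFS/host.windom.washington.edu
  servicePrincipalName: CIFS/host
  servicePrincipalName: HOST/host.windom.washington.edu
  servicePrincipalName: HOST/host
"""

SPN_LINE = re.compile(r"^\s*servicePrincipalName:\s*(\S+)\s*$")


def parse_spns(output):
    """Return the set of SPNs (lower-cased; SPN matching is case-insensitive) in the output."""
    spns = set()
    for line in output.splitlines():
        m = SPN_LINE.match(line)
        if m:
            spns.add(m.group(1).lower())
    return spns


def expected_spns(fqdn, services=("cifs", "host")):
    """SPNs a client will request when it connects to `fqdn` or to its short name."""
    fqdn = fqdn.lower()
    short = fqdn.split(".", 1)[0]
    return {f"{svc}/{name}" for svc in services for name in (fqdn, short)}


def split_spn(spn):
    """'cifs/host.example.com' -> ('cifs', 'host', 'example.com'); domain is '' for short names."""
    service, _, target = spn.partition("/")
    short, _, domain = target.partition(".")
    return service, short, domain


def check_spns(fqdn, output):
    """Compare registered SPNs with those needed for the name clients actually use."""
    registered = parse_spns(output)
    missing = sorted(expected_spns(fqdn) - registered)
    _, my_short, my_domain = split_spn("x/" + fqdn.lower())
    # SPNs with our short name under another DNS suffix: the join built
    # <short>.<AD domain> instead of using the host's real FQDN.
    wrong_suffix = []
    for spn in registered:
        _, short, domain = split_spn(spn)
        if short == my_short and domain and domain != my_domain:
            wrong_suffix.append(spn)
    wrong_suffix.sort()
    return {"ok": not missing, "missing": missing, "wrong_suffix": wrong_suffix}


if __name__ == "__main__":
    for name in ("host.dom.washington.edu", "host.windom.washington.edu"):
        result = check_spns(name, SAMPLE_NET_ADS_STATUS)
        print(name, "OK" if result["ok"] else "MISSING " + ", ".join(result["missing"]))
        if result["wrong_suffix"]:
            print("  registered under another suffix:", ", ".join(result["wrong_suffix"]))
```

Run it against the real 'net ads status' output of a server and the name users type; anything reported as missing has to be added to the machine account's servicePrincipalName attribute (for example with a tool such as setspn on a domain controller) before Kerberos authentication to that name can succeed, since the KDC cannot issue a ticket for a principal no account owns.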


