ADS wrong service principals
erich at cac.washington.edu
Wed Oct 29 20:00:29 GMT 2003
I had a hard time getting ADS Kerberos auth working. After a while I
realized that there was a problem with the service principals generated by
'net ads join'. The hostname of the Samba server is
host.dom.washington.edu and it is joined to the domain
windom.washington.edu. When trying to access files using
\\host.dom.washington.edu\service it fails.
I found when running 'net ads status' that it had generated service
Finally I realized the problem and as a test renamed the host to
host.windom.washington.edu. Now it works fine. I confirmed by changing
the name back that it breaks again. The DNS name or name being used to
access the host must agree with the service principal name.
First off, this might be helpful to clarify this subtle behaviour in the
documentation. Second, Windows servers don't act like this. We currently
have Windows and Samba servers in several DNS domains joined to a single
Windows domain. Kerberos principals work out right. I'd suggest that
this is a bug and that service principals be generated using the hostname
of the host rather than taking liberties by chopping the name and
appending the domain it is joining.
More information about the samba-technical