Kerberos and security=user

Stephen Shirley diamond at
Fri Apr 22 16:08:40 GMT 2005

Andrew Bartlett wrote:
> Some sites have managed to run kerberos against Heimdal or MIT, and have
> windows/linux/mac clients 'play nice' with it, and it would be good if
> this did not require the admin to set Samba into 'security=ads' mode.
> This untested, and potentially unwise patch allows this.  The section
> changing the principal name we return in the negprot may not be the best
> thing to do here however.  (instead, the machine$@REALM could also be
> added to the keytab).

I've done some basic testing with this patch, and for winxp (sp1 and 
sp2), it works perfectly. Windows asks the tgt for a ticket for 
cifs/machine at REALM, and all is well. Smbclient is a bit more naive tho, 
and looks for a ticket for machine$@REALM. It would be nice if it 
handled things the same way as xp. I haven't got win2k around here to 
test this patch with, so i can only speculate that it will also work fine.


More information about the samba-technical mailing list