Case sensitivity in Kerberos principal names.

Christopher R. Hertel crh at
Thu Mar 9 21:13:03 GMT 2006

Here's an interesting buglet I ran into recently...

(Andrew Bartlett, it's been suggested that I solicit your opinion here...)

I've got commercial NAS device, acting as a CIFS server.  It's a member
of an AD domain that only accepts Kerberos Auth.  Windows clients are able
to authenticate and gain access to the CIFS shares without problems.

Other clients--MacOS's SMB file system, the Linux CIFS VFS, and smbclient--
all fail with an error along the lines of:

   spnego_gen_negTokenTarg failed: KDC reply did not match expectations

The problem seems to be the case of the principal.  The Celerra goes
against the grain by sending principal names in the form NAME at realm (that
is, UPPER at lower).  The Windows KDC will "canonicalize" the name changing it
to name at REALM (that is, lower at UPPER).

As described above, the Windows clients appear not to care about the case
of the fields of the principal, but the MacOS and Linux clients do.

I have highly-respected contacts within the company that makes the NAS
device.  They assure me that the problem is that the clients are being
too picky, and that case should not matter.  I am also fairly certain,
however, that this authentication would work if the CIFS server were
providing its principal name in the preferred lower at UPPER format (so
that it would be the same as the format the Windows KDC returns).

I'm looking for comments regarding this.  I'd like to know, in particular,
whether or not folks think changes need to be made in the above-mentioned


Chris -)-----

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team --     -)-----   Christopher R. Hertel
jCIFS Team --   -)-----   ubiqx development, uninq.
ubiqx Team --     -)-----   crh at
OnLineBook --    -)-----   crh at

More information about the samba-technical mailing list