Case sensitivity in Kerberos principal names.

Andrew Bartlett abartlet at
Fri Mar 10 06:34:30 GMT 2006

On Thu, 2006-03-09 at 15:13 -0600, Christopher R. Hertel wrote:
> Here's an interesting buglet I ran into recently...
> (Andrew Bartlett, it's been suggested that I solicit your opinion here...)
> I've got commercial NAS device, acting as a CIFS server.  It's a member
> of an AD domain that only accepts Kerberos Auth.  Windows clients are able
> to authenticate and gain access to the CIFS shares without problems.
> Other clients--MacOS's SMB file system, the Linux CIFS VFS, and smbclient--
> all fail with an error along the lines of:
>    spnego_gen_negTokenTarg failed: KDC reply did not match expectations
> The problem seems to be the case of the principal.  The Celerra goes
> against the grain by sending principal names in the form NAME at realm (that
> is, UPPER at lower).  The Windows KDC will "canonicalize" the name changing it
> to name at REALM (that is, lower at UPPER).

A well known behaviour.

> As described above, the Windows clients appear not to care about the case
> of the fields of the principal, but the MacOS and Linux clients do.

Yep.  It isn't perhaps the best idea (there are some vague security
reasons not to), but it does make things work a lot more often.  

> I have highly-respected contacts within the company that makes the NAS
> device.  They assure me that the problem is that the clients are being
> too picky, and that case should not matter.  I am also fairly certain,
> however, that this authentication would work if the CIFS server were
> providing its principal name in the preferred lower at UPPER format (so
> that it would be the same as the format the Windows KDC returns).

Yes, the client is being picky, but the server is being painful.  

> I'm looking for comments regarding this.  I'd like to know, in particular,
> whether or not folks think changes need to be made in the above-mentioned
> clients.

In Samba4, I don't rely on the principal name from the negtokeninit.
This better matches windows behaviour.  However, I still supply the
principal name, because I think that a product in the marketplace should
not make itself any less compatible than possible.

I'll assert that it would be far, far easier for one commercial NAS
device to check AD for the correct case than for all the Linux and Apple
MAC clients in the world to change behaviour. 

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list