Delegated credentials with netbios aliases

Amin Azez azez at
Tue Jan 8 15:19:57 GMT 2008

To answer my own question (for the archives); having spent two days
tracing and debugging samba I find that the netbios name is not
presented until after credentials and identities have been negotiated
and in fact the problem of delegating credentials to netbios aliases
cannot be solved by Samba.

It has to be solved by the kerberos server, and in fact, can easily be

The setspn program, part of the windows server 2003 support tools should
be used in this manner:

setspn -A CIFS/alias realname
setspn -A CIFS/alias.domain realname

where realname does not include the domain portion.

After this, it is possibly to delegate credentials when accessing the
server under and alias.

At least the two days wasn't entirely wasted, the knowledge gained while
debugging allowed me to know right off that CIFS was what I needed
before the alias.


* Amin Azez wrote, On 04/01/08 17:27:
> * Amin Azez wrote, On 04/01/08 11:04:
>> The old cifs proxy works fine with delegated credentials, but if I
>> connect to/via the proxy using ip address
>> e.g.
>>   \\\test
>> instead of the real name, then I see the error:
>> PROXY backend: NO delegated credentials found: You must supply server,
>> user and password or the client must supply delegated credentials
>> make_connection: NTVFS make connection failed!
> It seems that if I connect to an alias, spnego chooses:
> Starting GENSEC submechanism ntlmssp
> If I connect as the real thing it chooses:
> Starting GENSEC submechanism gssapi_krb5
> (both in server context) - however, thats during the switch message
> SMBsesssetupX after starting a gssapi_krb5 session in both cases anyway.
> So I'm trying to work out how it chooses ntlmssp instead of gssapi_krb5
> when I use an alias.
> I merely mention this now in case anyone has a quick answer.
> Sam

More information about the samba-technical mailing list