Samba4 kerberos constrained delegation issue on machine-authentication

Matthieu Patou mat at
Tue Dec 13 12:09:54 MST 2011


On 13/12/2011 11:31, Enrico Ehrhardt wrote:
> Sorry, my attachments got the wrong mimetype... I forgot to mention the
> version of samba, it´s 4.0.0alpha18-GIT-08019a0
> 2011/12/13 Enrico Ehrhardt<intruder0815 at>
>> I´ve setup a windows pdc according to
>> It´s working fine, except
>> of machine authentication via kerberos, which prevents all machines from
>> applying GPOs.
 From the logs it seems that your workstation is asking for a ticket for 
cifs/REALM at REALM which will fail because such kind of 
servicePrincipalName (SPN) do not exists.

What is the version of your windows clients ?

Can you try to had this in your smb.conf in the global section

host msdfs = true

Then restart samba and the clients
This will activate the DFS referal resolution, it's needed with windows 
7 and upper for correct GPO behavior.


>> User accounts authenticate without errors and GPOs are applied as
>> expected. I´ve added my configurations and logs below. I would really
>> appreciate your help. Thanks in advance!

Matthieu Patou
Samba Team

More information about the samba-technical mailing list