[Samba] Re: smbclient kerberos issue

Ryan Bair ryandbair at gmail.com
Sat Oct 4 17:57:11 GMT 2008


This seems to be related to this entry on the list in 2004-2005. As
far as I see, the issue was never fixed. This is a pretty big issue if
it is indeed the same bug as it effectively stops *nix clients from
using Kerberos authentication.

http://lists.samba.org/archive/samba-technical/2005-April/040338.html

I will try to work around using "setspn -A host/fqdn computer". Will
"net ads keytab create" pull all the SPNs available for the client or
is it set only to load the default ones?

On Sat, Oct 4, 2008 at 11:36 AM, Ryan Bair <ryandbair at gmail.com> wrote:
> Running Samba 3.2.3 on Debian Lenny, amd64.
>
> I'm joined to an AD realm, authentication works fine for Windows
> clients. I'm able to see that the clients are using Kerberos, not NTLM
> to authenticate to the shares. However when I look at the keytab, my
> entries have the short names like "service/shortname@REALM" instead of
> "service/fqdn@REALM". Looking at Windows servers on the same domain it
> seems to be a bit of a mix between fqdn and short names with the
> majority using short names.
>
> So the problem with that is when I try to use smbclient to connect, I
> get a "Server not found in Kerberos database" error because it's
> looking for the cifs/fqdn@REALM, where it only exists in the form of
> cifs/shortname@REALM. I haven't found a way to force AD to give me the
> fqdn style SPNs.
>
> Any pointers?
> Thanks
>

