[Samba] Re: smbclient kerberos issue

Gerald (Jerry) Carter jerry at samba.org
Sat Oct 4 18:45:39 GMT 2008


Ryan Bair wrote:
> This seems to be related to this entry on the list in 2004-2005. As
> far as I see, the issue was never fixed. This is a pretty big issue if
> it is indeed the same bug as it effectively stops *nix clients from
> using Kerberos authentication.
> http://lists.samba.org/archive/samba-technical/2005-April/040338.html
> I will try to work around using "setspn -A host/fqdn computer". Will
> "net ads keytab create" pull all the SPNs available for the client or
> is it set only to load the default ones?

We don't add cifs/... entries to the system keytab anymore.
If I understand you correctly, you are using smbclient to connect
from one Unix box to a Samba server.  Correct?  If so, smbd
validates the service ticket using the machine trust account
password stored in secrets.tdb so the keytab entries don't
generally come into play.

The keytab is provided to support non-Samba kerberized applications
such as sshd.

cheers, jerry
--
Samba                                    ------- http://www.samba.org
Likewise Software          ---------  http://www.likewisesoftware.com
"What man is a man who does not make the world better?"      --Balian