With netbios aliases defined in the smb.conf, a client can attach to a share
using the alias machine name but is unable to obtain a ticket from the KDC. The
client then falls back to NTLMSSP as the authentication method.
The TGS request for the cifs service using the netbios name instance fails with
the error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This is because the only
servicePrincipalName attributes assigned within libads/ldap.c:
ads_add_machine_acct() are for the actual machine name. If this is extended to
include additional entries, HOST/<netbiosN> and CIFS/<netbiosN>, for each of N
netbios aliases, then the client is able to obtain and make use of a Kerberos
ticket during the session setup.
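
A check for the condition this report describes, as an added example that is not part of the original report or of Samba's code: it lists which HOST/ and CIFS/ servicePrincipalName values are missing for each netbios alias. The smb.conf text, the LDIF excerpt and all function names are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the bug report).
SMB_CONF = """\
[global]
    netbios name = FILESRV1
    netbios aliases = PROJECTS ARCHIVE
    security = ads
"""
# Constructed LDIF excerpt of the machine account, as an LDAP search would show it.
MACHINE_LDIF = """\
dn: CN=FILESRV1,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/FILESRV1
servicePrincipalName: HOST/filesrv1.example.com
servicePrincipalName: CIFS/FILESRV1
servicePrincipalName: HOST/PROJECTS
"""

def global_param(conf, name):
    """Return the value of a [global] parameter; names ignore case and spaces."""
    want = name.replace(" ", "").lower()
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            if key.replace(" ", "").lower() == want:
                return value.strip()
    return ""

def ldif_spns(ldif):
    """Collect servicePrincipalName values, upper-cased for case-insensitive match."""
    return {m.group(1).strip().upper()
            for m in re.finditer(r"(?im)^servicePrincipalName:\s*(.+)$", ldif)}

def missing_alias_spns(conf, ldif):
    """HOST/ and CIFS/ SPNs that each netbios alias needs but the account lacks."""
    aliases = [a for a in re.split(r"[\s,]+", global_param(conf, "netbios aliases")) if a]
    have = ldif_spns(ldif)
    return [f"{svc}/{alias}" for alias in aliases for svc in ("HOST", "CIFS")
            if f"{svc}/{alias}".upper() not in have]

if __name__ == "__main__":
    for spn in missing_alias_spns(SMB_CONF, MACHINE_LDIF):
        print("missing:", spn)
```

Any alias reported as missing is one for which the TGS request would fail and the client would fall back to NTLMSSP, as described above.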
Created attachment 629
Add method to update servicePrincipalName attributes in AD
Create additional servicePrincipalName attributes of HOST/ and CIFS/ for each
netbios alias name in smb.conf. Also, added simple ads command to the net
utility "net ads updatejoin" to refresh these attributes to current "netbios
If it's still broken in 3.5, please reopen.
3.0 isn't supported anymore.
Bugs with patches should be kept open or rejected with a reason.
Still, with netbios aliases defined, Samba does not add servicePrincipalName entries in AD for the aliases. Metze, can you have a look at the patch?
*** Bug 9129 has been marked as a duplicate of this bug. ***
Created attachment 12069
git-am fix for 4.4.next, 4.3.next.
Reassigning to Karolin for inclusion in 4.3 and 4.4.
(In reply to Ralph Böhme from comment #7)
Pushed to autobuild-v4-[4|3]-test.
(In reply to Karolin Seeger from comment #8)
Pushed to both branches.
Closing out bug report.