With netbios aliases defined in the smb.conf, a client can attach to a share using the alias machine name but is unable to obtain a ticket from the KDC. The client then falls back to NTLMSSP as the authentication method. The TGS request for the cifs service using the netbios name instance fails with the error KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This is because the only servicePrincipalName attributes assigned within libads/ldap.c: ads_add_machine_acct() are for the actual machine name. If this is extended to include additional entries, HOST/<netbiosN> and CIFS/<netbiosN>, for each of N netbios aliases, then the client is able to obtain and make use of a Kerberos ticket during the session setup.
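An added example, not code from Samba or from the patch attached to this bug: a check that lists which alias SPNs are absent from a machine account, using the HOST/<alias> and CIFS/<alias> form given in the report. The smb.conf text, the host names and the SPN list are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample smb.conf; all names are made up for this example.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    netbios name = FILESRV1
    netbios aliases = PROJECTS archive
    ; security = ads
[share]
    path = /srv/share
"""

# Constructed servicePrincipalName values, as they might be read from the
# machine account in AD after a join that only registered the real name.
SAMPLE_ACCOUNT_SPNS = [
    "HOST/FILESRV1",
    "HOST/filesrv1.example.test",
    "CIFS/FILESRV1",
    "HOST/PROJECTS",
]

def global_params(conf_text):
    """Return [global] parameters; names lowercased with whitespace removed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def alias_spns(conf_text):
    """HOST/ and CIFS/ SPNs for each netbios alias (upper-cased by assumption)."""
    aliases = re.split(r"[\s,]+", global_params(conf_text).get("netbiosaliases", ""))
    return [f"{svc}/{a.upper()}" for a in aliases if a for svc in ("HOST", "CIFS")]

def missing_spns(conf_text, account_spns):
    """Alias SPNs absent from the account; comparison is case-insensitive."""
    present = {s.lower() for s in account_spns}
    return [s for s in alias_spns(conf_text) if s.lower() not in present]

if __name__ == "__main__":
    for spn in missing_spns(SAMPLE_SMB_CONF, SAMPLE_ACCOUNT_SPNS):
        print("missing:", spn)
```

Each SPN reported as missing corresponds to a service name for which, per the report, the TGS request fails and the client falls back to NTLMSSP.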
Created attachment 629: Add method to update servicePrincipalName attributes in AD. Create additional servicePrincipalName attributes of HOST/ and CIFS/ for each netbios alias name in smb.conf. Also added a simple ads command to the net utility, "net ads updatejoin", to refresh these attributes to the current "netbios aliases" list.
If it's still broken in 3.5, please reopen. 3.0 isn't supported anymore.
Bugs with patches should be kept open or rejected with a reason.
Still, with netbios aliases defined, Samba does not add servicePrincipalName entries in AD for the aliases. Metze, can you have a look at the patch?
*** Bug 9129 has been marked as a duplicate of this bug. ***
Created attachment 12069: git-am fix for 4.4.next, 4.3.next.
Reassigning to Karolin for inclusion in 4.3 and 4.4.
(In reply to Ralph Böhme from comment #7) Pushed to autobuild-v4-[4|3]-test.
(In reply to Karolin Seeger from comment #8) Pushed to both branches. Closing out bug report. Thanks!