Hi all,

For some reason the cifs/fqdn principal is used when smbclient -k or my Windows XP SP3 workstation is trying to access a Samba 3.5.4 share.

I understand that the cifs/fqdn principal is auto-magically bound to the host/fqdn principal in the AD. But the cifs/fqdn principal is not added to the keytab during net ads join (according to samba-source/libads/kerberos_keytab.c:507).

So I cannot use "kerberos method=system keytab" in smb.conf, but I need to use "kerberos method = secrets and keytab" as a workaround. I would love to use "kerberos method=system keytab" :)

I don't know if this behavior is wanted or not, but I cannot find an explanation in the doc. Maybe you should update the doc or the source code?

- Thomas

You can create the cifs/principal following "net ads join", e.g. "net ads keytab add cifs". This allows smbclient and Win XP desktops to authenticate, using only "kerberos method = system keytab". I don't know whether this is a bug in Samba or in the docs. It seems reasonable for "net ads join" to create host/fqdn alone, and for the sysadmin to add cifs/fqdn, nfs/fqdn or other entries as needed.
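
A check for the situation discussed in this thread, as an added example that is not part of either message or of Samba: it reads a plain `klist -k` listing and reports which service classes have no `service/fqdn` entry, so a missing cifs entry is caught before switching to "kerberos method = system keytab". The host name, realm, listings and the function name `missing_services` are constructed for illustration.

```shell
#!/bin/sh
# Added example; fileserver.example.com / EXAMPLE.COM are constructed values.

# Constructed `klist -k` listing right after "net ads join":
# host/ entries only, no cifs/ entry (the state described in the thread).
sample_after_join() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 host/fileserver.example.com@EXAMPLE.COM
   2 host/fileserver.example.com@EXAMPLE.COM
   2 FILESERVER$@EXAMPLE.COM
EOF
}

# Constructed listing after "net ads keytab add cifs".
sample_after_add() {
sample_after_join
cat <<'EOF'
   2 cifs/fileserver.example.com@EXAMPLE.COM
EOF
}

# missing_services FQDN SERVICE...
# Reads a plain `klist -k` listing on stdin (principal in column 2) and
# prints, space separated, each SERVICE with no SERVICE/FQDN@REALM entry.
# The match is exact (case-sensitive) on the "SERVICE/FQDN@" prefix.
missing_services() {
    fqdn=$1; shift
    listing=$(cat)
    missing=""
    for svc in "$@"; do
        if ! printf '%s\n' "$listing" | awk -v p="$svc/$fqdn@" '
              index($2, p) == 1 { found = 1 }
              END { exit !found }'; then
            missing="$missing $svc"
        fi
    done
    printf '%s\n' "${missing# }"
}

# On a live host (assumes the system keytab is /etc/krb5.keytab):
#   klist -k /etc/krb5.keytab | missing_services "$(hostname -f)" host cifs
sample_after_join | missing_services fileserver.example.com host cifs
```

An empty result means every listed service class has a keytab entry for that host name.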