For some reason the cifs/fqdn principals is used when smblclient -k or my Windows XP SP3 workstation are trying to access to a samba 3.5.4 share.
I understand that the cifs/fqdn principal is auto-magically bound to the host/fqdn principal in the AD.
But the cifs/fqdn principal is not added in keytab during net ads join (according to samba-source/libads/kerberos_keytab.c:507)
So I can not use "kerberos method=system keytab" in smb.conf but I need to use "kerberos method = secrets and keytab" as a workaround.
I would love to use "kerberos method=system keytab" :)
I don't know if this behavior is wanted or not, but I cannot find an explanation in the doc. May be you should update the doc or the source code ?
You can create the cifs/principal following "net ads join", e.g. "net ads keytab add cifs". This allows smbclient and Win XP desktops to authenticate, using only "kerberos method = system keytab".
I don't know whether this is a bug in Samba or in the docs. It seems reasonable for "net ads join" to create host/fqdn alone, and for the sysadmin to add cifs/fqdn, nfs/fqdn or other entries as needed.