Bug 8004 - cifs/fqdn not in keytab and may be required when kerberos method=system keytab
Status: NEW
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: File services
Version: 3.5.4
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Volker Lendecke
QA Contact: Samba QA Contact
Depends on:
Reported: 2011-03-10 10:21 UTC by Thomas Sondag
Modified: 2012-01-04 11:54 UTC
Description Thomas Sondag 2011-03-10 10:21:05 UTC
Hi all,

For some reason the cifs/fqdn principal is used when smbclient -k or my Windows XP SP3 workstation tries to access a Samba 3.5.4 share.

I understand that the cifs/fqdn principal is auto-magically bound to the host/fqdn principal in the AD.

But the cifs/fqdn principal is not added to the keytab during net ads join (according to samba-source/libads/kerberos_keytab.c:507).

So I can not use "kerberos method=system keytab" in smb.conf but I need to use "kerberos method = secrets and keytab" as a workaround.

I would love to use "kerberos method=system keytab" :)

I don't know if this behavior is wanted or not, but I cannot find an explanation in the doc. Maybe you should update the doc or the source code?

- Thomas
Comment 1 Philip Rowlands 2012-01-04 11:54:04 UTC
You can create the cifs/principal following "net ads join", e.g. "net ads keytab add cifs". This allows smbclient and Win XP desktops to authenticate, using only "kerberos method = system keytab".

I don't know whether this is a bug in Samba or in the docs. It seems reasonable for "net ads join" to create host/fqdn alone, and for the sysadmin to add cifs/fqdn, nfs/fqdn or other entries as needed.
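
A keytab check for the situation discussed in this report, as an added example that is not part of the bug report or of Samba's code: it reads `klist -k` output and names the service principals missing for a host. The MIT `klist -k` line layout, the host fs1.example.com and the realm EXAMPLE.COM are assumptions, and both listings are constructed.

```shell
#!/bin/sh
# Added example: report which service principals are absent from a keytab listing.
# Reads `klist -k` output on stdin; $1 is the host FQDN, the remaining
# arguments are the service names to look for (host, cifs, nfs, ...).
missing_services() {
    fqdn=$1; shift
    listing=$(cat)
    for svc in "$@"; do
        # Assumed klist -k line layout: "   2 cifs/fs1.example.com@EXAMPLE.COM"
        # Match the principal literally from its first character, any realm.
        if ! printf '%s\n' "$listing" | awk -v p="$svc/$fqdn@" '
                index($2, p) == 1 { found = 1 } END { exit !found }'; then
            printf '%s\n' "$svc"
        fi
    done
}

# Constructed sample: keytab right after "net ads join", host/ entries only.
SAMPLE_AFTER_JOIN='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/fs1.example.com@EXAMPLE.COM
   2 host/FS1@EXAMPLE.COM'

# Constructed sample: the same keytab after "net ads keytab add cifs".
SAMPLE_AFTER_ADD="$SAMPLE_AFTER_JOIN
   2 cifs/fs1.example.com@EXAMPLE.COM
   2 cifs/FS1@EXAMPLE.COM"

# $1 = klist -k text, $2 = FQDN; prints one remediation hint per missing entry.
check_keytab() {
    for svc in $(printf '%s\n' "$1" | missing_services "$2" host cifs); do
        echo "missing $svc/$2: run 'net ads keytab add $svc'"
    done
}

check_keytab "$SAMPLE_AFTER_JOIN" fs1.example.com
check_keytab "$SAMPLE_AFTER_ADD" fs1.example.com
# On a live member server (reading the keytab usually requires root):
#   klist -k /etc/krb5.keytab | missing_services "$(hostname -f)" host cifs
```

With "kerberos method = system keytab" the check is worth running after every join or rejoin, since the thread indicates only host/fqdn is written at join time.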