> Rakesh> The issue is that in the Windows KDC, an SPN cannot be
> Rakesh> used as a "user" for authentication and computers normally
> Rakesh> do not contain a UPN entry.
>
>That is not my understanding of the Microsoft KDC architecture. This
>claim also goes against interoperability tests I have conducted with
>Microsoft.


If I remember correctly, Rakesh is right. To do an AS-REQ you must
use the UPN or the SAM account name (regardless of the account type).

>Samba's handling of short names and Kerberos principals seems
>different than the Microsoft tools and tends to work much less of the
>time. It would be great to see it more consistent with the Windows
>domain join procedure.


There are a bunch of fixes in 3.0.9, YMMV.

-- Luke
