Comment 27 for bug 1761737

Alexander Fieroch (fieroch) wrote :

> Above when you said "it works" after trying "net ads join", did you mean just the join, or that samba started to authenticate domain users normally?

After additionally running "net ads join", samba started to authenticate domain users normally. I can access a shared directory with a domain user without smb crashing.

> check if "net ads join" creates another entry in the keytab file
Yes, "net ads join" additionally adds cifs/* entries in the keytab file.

I'm asking <email address hidden> whether an additional "net ads join" is necessary when joining AD via realm and using sssd for authentication.

> After a lot of experimentation, I got my samba server, with "security = ads" but no winbind and no "net ads join" command, to authenticate an AD user using kerberos.
> What nailed it was to use setspn on the windows side to add cifs/<hostname> to the computer account, like this (for a "bionic-sssd" computer account):
>
> setspn -S cifs/bionic-sssd bionic-sssd

Same here! It also works when adding the SPN host/ instead of cifs/.

Is there any Linux tool that can use RPC to create SPNs on the DC?
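As an added check (not from this bug thread or from Samba itself): a small POSIX sh helper that scans a `klist -k` keytab listing for a given service principal, so a host can verify whether the cifs/ entries discussed above are actually present after the join. The sample listings, the hostname `bionic-sssd` and the realm `EXAMPLE.COM` are constructed for the example.

```shell
#!/bin/sh
# Added example: verify that the keytab holds SERVICE/HOST, which is what an
# extra "net ads join" (or setspn on the DC side) is expected to provide.

# Constructed sample of `klist -k /etc/krb5.keytab` after a realm join alone:
# host/ principals are present, cifs/ principals are not.
SAMPLE_AFTER_REALM_JOIN='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/bionic-sssd.example.com@EXAMPLE.COM
   2 host/BIONIC-SSSD@EXAMPLE.COM
   2 BIONIC-SSSD$@EXAMPLE.COM'

# Constructed sample after an additional "net ads join" added cifs/ entries.
SAMPLE_AFTER_NET_ADS_JOIN="$SAMPLE_AFTER_REALM_JOIN
   2 cifs/bionic-sssd.example.com@EXAMPLE.COM
   2 cifs/BIONIC-SSSD@EXAMPLE.COM"

# keytab_has_spn SERVICE HOST LISTING
# Exit 0 if LISTING contains SERVICE/HOST in any realm (host compared
# case-insensitively by its short name), 1 otherwise.
keytab_has_spn() {
    service=$1
    host=$2
    listing=$3
    printf '%s\n' "$listing" \
        | awk -v svc="$service" -v h="$host" '
            BEGIN { found = 1 }                 # 1 = not found (shell false)
            $2 ~ ("^" svc "/") {
                split($2, p, "[/@]")            # p[2] = host part
                hn = p[2]
                sub(/\..*$/, "", hn)            # strip DNS domain
                if (tolower(hn) == tolower(h)) found = 0
            }
            END { exit found }'
}

# Live check against the real keytab of the current host (hypothetical use;
# only meaningful on a joined machine).
check_live_cifs_spn() {
    keytab_has_spn cifs "$(hostname -s)" "$(klist -k /etc/krb5.keytab 2>/dev/null)"
}
```

Run `check_live_cifs_spn && echo "cifs SPN present" || echo "cifs SPN missing"` on the samba host to see which of the two states above it is in.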