Hi James, (Sorry, I was on digest mode, but have switched it off...) Here are the respective smb.conf and krb5.conf files. [root at bk001 ~]# smbd -V Version 3.5.10-0.107.el5 [root at bk001 ~]# cat /etc/samba/smb.conf [global] workgroup = MYCOMPANY realm = MYCOMPANY.TV server string = bk001 v %v log file = /var/log/samba/log.smbd security = ADS client NTLMv2 auth = yes encrypt passwords = yes #password server = * password server = 10.100.1.11 10.100.1.10 allow trusted domains = No passdb backend = tdbsam socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE load printers = no show add printer wizard = no disable spoolss = yes kernel oplocks = no printing = sysv printcap name = /dev/null unix extensions = no preferred master = No local master = No #use kerberos keytab = yes kerberos method = system keytab client ldap sasl wrapping = sign idmap backend = tdb idmap uid = 200001-999999 idmap gid = 200001-999999 idmap config MYCOMPANY: backend = rid idmap config MYCOMPANY: base_range = 2000 idmap config MYCOMPANY: range = 2000-200000 winbind use default domain = Yes winbind nss info = template winbind separator = + winbind enum users = Yes winbind enum groups = Yes log level = winbind:1 idmap:3 syslog = 1 max log size = 50 smb ports = 445 mangled names = No client use spnego = yes client use spnego principal = yes [dist] comment = share for dist path = /array/dist veto files = /autorun.inf/Thumbs.db/.TemporaryItems/ browseable = yes read only = no guest ok = yes create mask = 0664 security mask = 0664 directory mask = 0775 force directory mode = 0775 directory security mask = 0775 map acl inherit = Yes [root at bk001 ~]# cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = MYCOMPANY.TV dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 3d forwardable = true clockskew = 120 default_keytab_name = FILE:/etc/krb5.keytab default_tkt_enctypes = 
des-cbc-crc rc4-hmac default_tgs_enctypes = des-cbc-crc rc4-hmac permitted_enctypes = des-cbc-crc rc4-hmac allow_weak_crypto = true udp_preference_limit = 1 [realms] MYCOMPANY.TV = { kdc = dc02.mycompany.tv:88 kdc = dc01.mycompany.tv:88 admin_server = dc02.mycompany.tv:749 master_kdc = dc02.mycompany.tv default_domain = mycompany.tv } [domain_realm] .mycompany.tv = MYCOMPANY.TV mycompany.tv = MYCOMPANY.TV [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } kinit = { ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true } ---- [root at nas002 ~]# smbd -V Version 3.3.8-0.52.el5_5.2 [root at nas002 ~]# cat /etc/samba/smb.conf [global] workgroup = MYCOMPANY realm = MYCOMPANY.TV server string = nas002 v %v name resolve order = host bcast wins lmhosts security = ADS client NTLMv2 auth = yes encrypt passwords = yes allow trusted domains = No passdb backend = tdbsam socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE load printers = no show add printer wizard = no disable spoolss = yes kernel oplocks = no printing = sysv printcap name = /dev/null unix extensions = no preferred master = No local master = No use kerberos keytab = yes idmap backend = rid idmap uid = 2000-200000 idmap gid = 2000-200000 winbind use default domain = Yes winbind separator = + winbind enum users = Yes winbind enum groups = Yes winbind refresh tickets = yes log file = /var/log/samba/log.smbd max log size = 50 log level = winbind:1 idmap:1 syslog = 1 smb ports = 445 mangled names = No client use spnego = yes [nfs4test] comment = Work Area path = /array/nfs4test veto files = /autorun.inf/Thumbs.db/.TemporaryItems/ browseable = yes read only = yes guest ok = yes create mask = 0664 security mask = 0664 directory mask = 0775 force directory mode = 0775 directory security mask = 0775 map acl inherit = Yes [root at nas002 ~]# cat /etc/krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = 
FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = MYCOMPANY.TV dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 3d forwardable = true clockskew = 120 default_keytab_name = FILE:/etc/krb5.keytab default_tkt_enctypes = des-cbc-crc rc4-hmac default_tgs_enctypes = des-cbc-crc rc4-hmac permitted_enctypes = des-cbc-crc rc4-hmac allow_weak_crypto = true udp_preference_limit = 1 [realms] MYCOMPANY.TV = { kdc = dc02.mycompany.tv:88 kdc = dc01.mycompany.tv:88 admin_server = dc02.mycompany.tv:749 master_kdc = dc02.mycompany.tv default_domain = mycompany.tv } [domain_realm] .mycompany.tv = MYCOMPANY.TV mycompany.tv = MYCOMPANY.TV [appdefaults] pam = { debug = false ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true krb4_convert = false } kinit = { ticket_lifetime = 36000 renew_lifetime = 36000 forwardable = true } When I ran the 'net ads join -U <username>' command (without the createupn option), the Windows 2008 R2 DC only created the SPNs; no UPN attribute was created. [root at bk001 ~]# ldapsearch -LLL '(samaccountname=bk001$)' | grep Name SASL/GSSAPI authentication started SASL username: administrator at MYCOMPANY.TV SASL SSF: 56 SASL installing layers distinguishedName: CN=bk001,CN=Computers,DC=MYCOMPANY,DC=TV sAMAccountName: bk001$ dNSHostName: bk001.mycompany.tv servicePrincipalName: HOST/bk001.mycompany.tv servicePrincipalName: HOST/BK001 thanks again, Janice > Please provide your smb.conf and krb5.conf files as well. BTW: the createupn option is not required on Win2K8R2, as this credential is now passed (according to MS) [snip]