[Samba] I want to use CNAMES for my SAMBA server, how?

Don Meyer dlmeyer at uiuc.edu
Tue Jul 11 04:27:11 GMT 2006 

At 08:15 PM 7/10/2006, Gerald (Jerry) Carter wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Don Meyer wrote:
>
> > My question though is what are the ramifications of
> > a similar situation:   Where the CNAME might be
> > dynamically moved to point to another system's base
> > IP address in the case of a transfer of service/fail-over.
> > Does this servicePrincipalName for the FQDN need to
> > be deleted and added to the new host's object, or
> > can the same servicePrincipalName be added to each
> > machine's object?  -- each machine that might be
> > used to host that service address, that is...
>
>Maybe I misunderstood the original questions.  Are we
>trying top get krb5 authentcation working with cname
>records?  Is the client actuall requesting a service
>ticket cifs/${name} and the request is failing?
>Or is something else wrong?  I admit I only briefly
>read the original post.

The original poster (Roy Mann) indicated that he was having krb5 
authentication failures when his clients were using a CNAME (FQDN) to 
connect instead of the server's base (A record) FQDN.   It works when 
using the base FQDN.  The reason he is trying to employ CNAMEs in his 
resource mappings is to facilitate the fail-over process without 
having to change significant numbers of mappings, etc. in the case of 
a system failure and fail-over.

My first question was asking about the logical extension of this -- 
What has to happen at fail-over (CNAME transfer)?   If you have 
multiple machines which might someday be pointed to by the CNAME, can 
you pre-add the servicePrincipalName using the CNAME to each server's 
object in the manner you suggest?    This way, only the DNS needs to 
be adjusted to move the CNAME, and as the change propagates the 
clients should start using the new server.

However, if the serverPrincipalName must be unique, and can only be 
associated with one server object in the AD at any given time, then 
this would imply that in order to move the CNAME, one would first 
need to use the utility you suggest to edit the AD and transfer the 
serverPrincipalName to another server object.

So which case is it?   (I'm hoping for the former, but knowing MS, 
I'd bet money on the latter...)


(After that first question, I then jumped deeper into the issue -- 
but let's back out and get this level dealt with first... ;-)

Cheers,
-D



Don Meyer                                           <dlmeyer at uiuc.edu>
Network Manager, ACES Academic Computing Facility
Technical System Manager, ACES TeleNet System
UIUC College of ACES, Information Technology and Communication Services

   "They that can give up essential liberty to obtain a little 
temporary safety,
         deserve neither liberty or safety."     -- Benjamin Franklin, 1759

More information about the samba mailing list