[Samba] I want to use CNAMES for my SAMBA server, how?

Hansjörg Maurer Hansjoerg.Maurer at dlr.de
Tue Jul 11 13:51:16 GMT 2006


Hi

I asked a similar question half a year ago on the list and I try to
sumaries the results
Search the thread kerberos netbios alias in 01/2006 samba-technical list
Question:

>Hi,
>> 
>> we are running a samba server in a w2k3 AD Domain.
>> 
>> The server has the netbios name
>> netbios name = RM-SAMBA01
>> and several netbios aliases
>> netbios aliases = PRINTSERVER, RM-SW, RM-OS-IMAGES, RM-USERSTORE,
>> PUBLICATIONS
>> 
>> When a user connects from a Windows workstation (logged in to the
>> domain) to rm-samba01,
>> hw gets acces without beeing prompted to a password.
>> If he connects to PRINTSERVER he is asked for a password.
>> Even if he enters DOMAIN\username
>> pair, access is denied.
>> 
>> samba logs
>> [2005/12/28 21:19:24, 1] smbd/sesssetup.c:reply_spnego_kerberos(180)
>>   Failed to verify incoming ticket!
>> 
>> The problem is not reproducable.
>> Some workstation can connect to printserver without a password prompt.
>> 
>> I have tried to join the domain
>> with the netbios alias names to,
>> but with no success (join works fine, but problem still exists).
>> net ads join "Computers" -n printserver
>> 
>> Do I have to take special care with samba, netbios aliases and kerberos?
>> Do I have to use a special kerberos configuration?
>  
>

Answer from Andrew Bartlett
Yes.  You must expand the list of servicePrincipalName entries in

Samba's AD entry.  A good LDAP tool should help you there.

Results:

Hi

your suggestion solved our problem.

We added 4 entries in servicePrincipalName
CIFS/printserver
CIFS/printserver.ntrobotic.robotic.dlr.de
HOST/printserver
HOST/printserver.ntrobotic.robotic.dlr
which seems to solve the problem.
Additionaly we added
"ntrobotic.robotic.dlr.de/Computers/printserver"
as an additional kerberos name in AD Computer Properties,
but we are not sure, if this is necessary.

The error message does not occur any more

Thank you very much

Hansjörg



Don Meyer wrote:

> At 08:15 PM 7/10/2006, Gerald (Jerry) Carter wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Don Meyer wrote:
>>
>> > My question though is what are the ramifications of
>> > a similar situation:   Where the CNAME might be
>> > dynamically moved to point to another system's base
>> > IP address in the case of a transfer of service/fail-over.
>> > Does this servicePrincipalName for the FQDN need to
>> > be deleted and added to the new host's object, or
>> > can the same servicePrincipalName be added to each
>> > machine's object?  -- each machine that might be
>> > used to host that service address, that is...
>>
>> Maybe I misunderstood the original questions.  Are we
>> trying top get krb5 authentcation working with cname
>> records?  Is the client actuall requesting a service
>> ticket cifs/${name} and the request is failing?
>> Or is something else wrong?  I admit I only briefly
>> read the original post.
>
>
> The original poster (Roy Mann) indicated that he was having krb5
> authentication failures when his clients were using a CNAME (FQDN) to
> connect instead of the server's base (A record) FQDN.   It works when
> using the base FQDN.  The reason he is trying to employ CNAMEs in his
> resource mappings is to facilitate the fail-over process without
> having to change significant numbers of mappings, etc. in the case of
> a system failure and fail-over.
>
> My first question was asking about the logical extension of this --
> What has to happen at fail-over (CNAME transfer)?   If you have
> multiple machines which might someday be pointed to by the CNAME, can
> you pre-add the servicePrincipalName using the CNAME to each server's
> object in the manner you suggest?    This way, only the DNS needs to
> be adjusted to move the CNAME, and as the change propagates the
> clients should start using the new server.
>
> However, if the serverPrincipalName must be unique, and can only be
> associated with one server object in the AD at any given time, then
> this would imply that in order to move the CNAME, one would first need
> to use the utility you suggest to edit the AD and transfer the
> serverPrincipalName to another server object.
>
> So which case is it?   (I'm hoping for the former, but knowing MS, I'd
> bet money on the latter...)
>
>
> (After that first question, I then jumped deeper into the issue -- but
> let's back out and get this level dealt with first... ;-)
>
> Cheers,
> -D
>
>
>
> Don Meyer                                           <dlmeyer at uiuc.edu>
> Network Manager, ACES Academic Computing Facility
> Technical System Manager, ACES TeleNet System
> UIUC College of ACES, Information Technology and Communication Services
>
>   "They that can give up essential liberty to obtain a little
> temporary safety,
>         deserve neither liberty or safety."     -- Benjamin Franklin,
> 1759


-- 
_________________________________________________________________

Dr.  Hansjoerg Maurer           | LAN- & System-Manager
                                |
Deutsches Zentrum               | DLR Oberpfaffenhofen
  f. Luft- und Raumfahrt e.V.   |
Institut f. Robotik             |
Postfach 1116                   | Muenchner Strasse 20
82230 Wessling                  | 82234 Wessling
Germany                         |
                                |
Tel: 08153/28-2431              | E-mail: Hansjoerg.Maurer at dlr.de
Fax: 08153/28-1134              | WWW: http://www.robotic.dlr.de/
__________________________________________________________________


There are 10 types of people in this world, 
those who understand binary and those who don't.



More information about the samba mailing list