[Samba] Access shares from DNS alias

Valentin Cheche valentin at cheche.ro
Sun Mar 9 08:13:21 MDT 2014 

Hello,

   I have setup a Samba 4 ADDC following the tutorial in the wiki. I
need it to be a DC and a fileserver.
   Everything works fine and dandy except that I cannot access the
file shares via a DNS alias, instead of the original hostname/DNS
name. And I need this for various reasons, enough to halt going live
with it if it doesn't work. :-(

   When accessing via the machine's fqdn everything works. When using
a DNS alias I can get to list the shares but I get access denied when
trying to get into them.

   I did not find any relevant info in the wiki or online for this
usecase with samba4. I may be wrong, but....I did spend hours
debugging this.

   I only stumbled upon the same problem when using Ms ADDC servers,
which pointed out 2 necessary configs in order for aliases to work:
1. Add the DisableStrictNameChecking value in the server-side registry
in the LanMan parameters.
2. Set the 2 required SPNs for every alias needed (windows tool syntax).
setspn -a host/aliasname targetserver_netbios_name
setspn -a host/aliasname.domain.ext targetserver_netbios_name

My env details:
   Hostname: dc0
   Domain: timco.int
   OS is Debian 7.4 x64
   Samba 4.1.5 compiled from master, domain deployed with Internal_DNS
   Network is composed from Win 7 SP1 x64 machines

   So, added the necessary SPNs:
samba-tool spn add HOST/file DC0$
samba-tool spn add HOST/file.timco.int DC0$

   Then I setup the alias to dc0.timco.int into DNS:
- first as a CNAME (file.timco.int) to dc0.timco.int  --> failed
- then as an A record pointing to the same IP as dc0.timco.int. --> failed

   Now am I missing something? I even remotely accessed the registry
tree Samba4 exposes and added the DisableStrictNameChecking value from
a Win machine.

   If there is a way to make this work, I have another, even more wierd usecase.
   I may need to expose the shares under an older DNS domain suffix,
different from the one in Samba4.
   Meaning: in an upstream DNS server I have an older suffix
(oldtim.local) that needs to stay around for a while and the old
fileserver was under fileserver.oldtim.local.
   Now if I point fileserver.oldtim.local (via A record or CNAME) to
the Samba4 server, is there a way to make it work? So far, it acts
just like file.timco.int. I can list the shares, but get access denied
when trying to dig in.

   As a sidenote, for now I am a complete noob in everything Kerberos,
and just learning now the paraphernalia and inner works of it, so
please bear with me. (I have a feeling the problem here lies in krb,
but not sure where to look.)


Thank you,
Val.

More information about the samba mailing list