[Samba] netbios alias and AD trouble

mathias dufresne infractory at gmail.com
Thu Dec 15 16:27:48 UTC 2016


2016-12-14 15:38 GMT+01:00 Robert Gehr via samba <samba at lists.samba.org>:

> Hello there
>
> I've got two samba servers srv1 and srv2
>
> smb.conf for srv1:
>         netbios aliases srv1-alias
>
> smb.conf for srv2:
>         netbios aliases srv2-alias
>
> DNS is configured all right and resolves the names. Each name has got
> its own IP address.
>
> Both servers are AD members, run as expected and can be connected to via
> their netbios and netbios alias names.
>
> If, for example, srv1 fails I want to add the netbios alias name
> "srv1-alias" to the smb.conf of srv2 like so:
>
> smb.conf for srv2:
>         netbios aliases srv1-alias srv2-alias
>
> The ip address for srv1-alias fails over to srv2 via pacemaker and after
> a restart of samba on srv2 I can still access shares
> via \\srv2\share, and \\srv2-alias\share but when I try to connect to
> \\srv1-alias\share I get the following in log.smbd:
>
> [2016/12/14 14:26:26.302876,  1] ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
>    gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/srv1-alias.mydom.local@MYDOM.LOCAL(kvno 2) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
> [2016/12/14 14:26:26.302905,  1] ../auth/gensec/spnego.c:545(gensec_spnego_parse_negTokenInit)
>    SPNEGO(gse_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2016/12/14 14:26:26.302925,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
>    SPNEGO login failed: NT_STATUS_LOGON_FAILURE
>
>
> My /etc/krb5.keytab on srv2
>
> host/srv2-alias.mydom.local@MYDOM.LOCAL
> host/SRV2@MYDOM.LOCAL
> host/srv2-alias.mydom.local@MYDOM.LOCAL
> host/SRV2@MYDOM.LOCAL
> host/srv2-alias.mydom.local@MYDOM.LOCAL
> host/SRV2@MYDOM.LOCAL
> srv2$@MYDOM.LOCAL
> srv2$@MYDOM.LOCAL
> srv2$@MYDOM.LOCAL
>
> This happens when I connect from a Win7 client. If I connect via a Linux
> client it works.
>
>
> Do I have to add something to the keytab file? If so, how?
>
> What am I missing?
>
>
> Help is greatly appreciated.
>
> Best regards
>
> Rob
>
>
>
>
> Regards
> Robert Gehr
>
>
> "If I have accomplished a deed, let that be my monument;
> and if not, then no statues will help."
>                                                    ―Plutarch
>
>
>
>
In DNS you can declare CNAMEs, which are aliases, and AD is shipped with DNS
:)
Now, to do [not necessarily too] complex things with Samba AD DNS, I would
advise using BIND as the DNS backend.

Then regarding the keytab, it seems to me you would have to add SPNs to your
hosts, SPNs related to the aliases. Then you'll have to add these newly
created SPNs to your keytab.
And if you want srv2 to be able to act as if it was srv1 when srv1 is down,
I expect the keytab of srv2 would need to be filled with srv1 stuff, but I'm
not too familiar with all that...
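
An added example, not part of either message above: a Python check that pulls the principal smbd reports as missing out of log.smbd and lists which service classes a keytab listing holds for that host name. The function names are made up for this example, and the sample input is the log record and keytab listing quoted in the thread.

```python
import re

# Constructed sample input: the log.smbd record and keytab principals quoted in
# the thread, with the e-mail line wrapping removed and "@" written out.
LOG = """\
[2016/12/14 14:26:26.302876,  1] ../source3/librpc/crypto/gse.c:497(gse_get_server_auth_token)
   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/srv1-alias.mydom.local@MYDOM.LOCAL(kvno 2) in keytab MEMORY:cifs_srv_keytab (aes256-cts-hmac-sha1-96)]
"""
KEYTAB = """\
host/srv2-alias.mydom.local@MYDOM.LOCAL
host/SRV2@MYDOM.LOCAL
srv2$@MYDOM.LOCAL
"""

# "service/host@REALM"; " at " is accepted because list archives rewrite "@".
SPN = r"(?P<svc>[^/\s]+)/(?P<host>\S+?)(?:@| at )(?P<realm>[^\s(]+)"
MISSING = re.compile(r"Failed to find " + SPN +
                     r"\(kvno (?P<kvno>\d+)\) in keytab (?P<keytab>\S+) \((?P<etype>[^)]+)\)")

def unquote(text):
    """Drop '>' reply markers and re-join wrapped lines into one string."""
    return " ".join(re.sub(r"^\s*>\s?", "", ln).strip() for ln in text.splitlines())

def missing_principals(log_text):
    """One dict per 'Failed to find ... in keytab' record, host lower-cased."""
    found = []
    for m in MISSING.finditer(unquote(log_text)):
        rec = m.groupdict()
        rec["kvno"], rec["host"] = int(rec["kvno"]), rec["host"].lower()
        found.append(rec)
    return found

def keytab_services(listing):
    """Map host name -> service classes; machine-account lines have no '/'."""
    hosts = {}
    for line in listing.splitlines():
        m = re.search(SPN + r"\s*$", line)
        if m:
            hosts.setdefault(m["host"].lower(), set()).add(m["svc"].lower())
    return hosts

def report(log_text, listing):
    """(principal, kvno, enctype, service classes the keytab has for that host)."""
    have = keytab_services(listing)
    return [(f"{p['svc']}/{p['host']}@{p['realm']}", p["kvno"], p["etype"],
             sorted(have.get(p["host"], ())))
            for p in missing_principals(log_text)]
```

Calling `report(LOG, KEYTAB)` on the thread's data returns one row whose last field is empty: the listing from srv2 holds no entry of any service class for srv1-alias.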

