[Samba] Joining samba 3.6 to AD with SPN target name validation hardening

Martin Bruset Solberg martin.bruset.solberg at gmail.com
Thu Nov 23 12:07:20 UTC 2017


Hi

I'm trying to join a samba 3.6.23 client (RHEL 6.8) to a Windows Server
2012 R2 AD domain. The DC has been hardened with the GPO setting "Microsoft
network server: Server SPN target name validation level" set to "Required
from client".

Attempting to join fails with "Failed to join domain: failed to lookup DC
info for domain 'MY.DOMAIN.COM' over rpc: Access denied" on the client
side. On the server side, the fail message is an Audit Failure: "Spn check
for SMB/SMB2 fails." (Event 5168).

Trying to join to the domain with samba client version 4.6.2 (RHEL 7.4) is
successful.

Setting the GPO setting to "Off", results in a successful join for RHEL 6.8.

The smb.conf and krb5.conf is the same on the two different clients.
Somehow the SPN is provided differently on the two samba versions, as the
check fails on 3.6.23, but not on 4.6.2. Can I correct this behavior on 3.6
somehow? Is the answer in the krb5.conf?


Martin Bruset Solberg


More information about the samba mailing list