[Samba] Joining samba 3.6 to AD with SPN target name validation hardening

Rowland Penny rpenny at samba.org
Thu Nov 23 12:23:46 UTC 2017


On Thu, 23 Nov 2017 13:07:20 +0100
Martin Bruset Solberg via samba <samba at lists.samba.org> wrote:

> Hi
> 
> I'm trying to join a samba 3.6.23 client (RHEL 6.8) to a Windows
> Server 2012 R2 AD domain. The DC has been hardened with the GPO
> setting "Microsoft network server: Server SPN target name validation
> level" set to "Required from client".
> 
> Attempting to join fails with "Failed to join domain: failed to
> lookup DC info for domain 'MY.DOMAIN.COM' over rpc: Access denied" on
> the client side. On the server side, the fail message is an Audit
> Failure: "Spn check for SMB/SMB2 fails." (Event 5168).
> 
> Trying to join to the domain with samba client version 4.6.2 (RHEL
> 7.4) is successful.
> 
> Setting the GPO setting to "Off", results in a successful join for
> RHEL 6.8.
> 
> The smb.conf and krb5.conf are the same on the two different clients.
> Somehow the SPN is provided differently on the two samba versions, as
> the check fails on 3.6.23, but not on 4.6.2. Can I correct this
> behavior on 3.6 somehow? Is the answer in the krb5.conf?
> 
> 
> Martin Bruset Solberg

If both machines are using the same krb5.conf, then this isn't likely
to be the problem. If you insist on running 3.6.23, then you will
probably need to contact Red Hat support; 3.6 has been EOL for quite
some time now as far as Samba is concerned, and your problem isn't
likely to be fixed by Samba.

There have been very many changes in Samba since 3.6.23, so I suppose
the easiest fix would be to upgrade your Samba on the RHEL 6.8 machine.

Rowland
