[Samba] Samba and CNAME

L.P.H. van Belle belle at bazuin.nl
Tue Jul 24 08:56:37 UTC 2018

You can remember this. 

If you join a server, then make sure that that server's "hostname" gets an A and PTR record. 
The PTR is most important. Now if you create a CNAME, through PTR it knows its "original" hostname.
And Kerberos works, this is how I do all my setups. 

As an example. 

FQDN : test-dc1.internal.example.com
Hostname: test-dc1
SPN HOST/test-dc1.internal.example.com

A 	test-dc1
ZONE 	internal.example.com

What works. 
ZONE internal.example.com
CNAME	ntp1 => test-dc1
CNAME ntp2 => test-dc2

CNAME PDC  => test-dc1  ! NOTE, NOT PDC from Primary Domain Controller in NT4.0 domains, Just primary ( the one with FSMO )
CNAME BDC1  => test-dc2  ! NOTE, NOT BDC from BACKUP Domain Controller in NT4.0 domains, Just an extra DC
CNAME BDC2  => test-dc2  ! NOTE, NOT BDC from BACKUP Domain Controller in NT4.0 domains, Just an extra DC
CNAME BDC3  => test-dc2  ! NOTE, NOT BDC from BACKUP Domain Controller in NT4.0 domains, Just an extra DC
Yes I know, a bit of a bad example, but this is very clear.

Other example. 
Zone example.com 
CNAME www.example.com => www.internal.example.com

ZONE internal.example.com
CNAME www.internal.example.com test-dc1.internal.example.com

And yes, your Kerberos auth still works. 

And you don't need to add extra SPNs for aliases, that is if your DNS setup is correct.
Just remember, every server must have an A and PTR record, saves you a lot of problems. 
And best is to point your CNAME to the FQDN. 

I hope these examples help a bit. 



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Henry Jensen via samba
> Sent: Tuesday 24 July 2018 10:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba and CNAME
>
> Hello,
> On Sun, 22 Jul 2018 15:00:58 +0200
> Henry Jensen via samba <samba at lists.samba.org> wrote:
> > we successfully migrated from a Samba 3.x NT Domain to a Samba AD Domain
> > using Samba 4.7.x.
> > 
> > However, there are still some issues and I hope for your help.
> > 
> > The biggest problem so far follows:
> > 
> > For historical reasons our Samba file servers carry a lot of aliases.
> > Now that they have become AD Members I did set a lot of CNAMEs in the AD
> > DNS (using the Windows DNS Tool). Most of the aliases do work, but not
> > the CNAMEs which carry the name of server which did previously exist.
> > 
> > E.g. we used to have a server named smb6. I rsync'd the content to a
> > new server named smb8, shut down the old server and set a CNAME smb6
> > pointing to smb8.
> > 
> > Using Windows 7 no problem to access the server with \\smb6.
> > 
> > Using Windows 10 I can't access it. \\smb8 and other CNAMEs do work.
> > 
> > Then I deleted the smb6 computer account in AD.
> > 
> > Then I found out, that I might have to add a Kerberos SPN, which
> > I did using:
> > 
> >   samba-tool spn add HOST/smb6 smb8$
> > 
> > Still no luck accessing that server under this specific CNAME under
> > Windows 10.
> > 
> > Any suggestions?
> After two days it suddenly works. After adding the SPN I didn't change
> anything. Of course I did execute "net cache flush" and friends after
> setting  the SPN, but somehow it must have been cached elsewhere.
> Kind regards, 
> Henry
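The A/PTR rule from the message above, as an added example that is not part of the original post: a Python check that follows each CNAME to its target and confirms the target has an A record and a PTR pointing back to the same FQDN. Record names follow the post; the addresses and the missing PTR for test-dc2 are constructed for illustration.

```python
# Constructed sample data: names follow the post, addresses are made up
# (192.0.2.0/24 is a documentation range). test-dc2 deliberately has no PTR.
CNAME = {
    "ntp1.internal.example.com": "test-dc1.internal.example.com",
    "ntp2.internal.example.com": "test-dc2.internal.example.com",
    "www.example.com": "www.internal.example.com",
    "www.internal.example.com": "test-dc1.internal.example.com",
}
A = {
    "test-dc1.internal.example.com": ["192.0.2.10"],
    "test-dc2.internal.example.com": ["192.0.2.11"],
}
PTR = {"192.0.2.10": "test-dc1.internal.example.com"}


def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()


def check_alias(alias, cname=CNAME, a=A, ptr=PTR, max_hops=8):
    """Follow the CNAME chain from alias, then verify A and PTR of the target.

    Returns (canonical_name, problems); an empty problems list means the
    alias ends at a host whose A and PTR records agree.
    """
    name, seen, problems = norm(alias), set(), []
    while name in cname:
        if name in seen or len(seen) >= max_hops:
            return name, ["CNAME loop or chain too long at " + name]
        seen.add(name)
        name = norm(cname[name])
    addrs = a.get(name, [])
    if not addrs:
        problems.append("no A record for " + name)
    for ip in addrs:
        back = ptr.get(ip)
        if back is None:
            problems.append("no PTR record for " + ip)
        elif norm(back) != name:
            problems.append("PTR for %s is %s, expected %s" % (ip, back, name))
    return name, problems


if __name__ == "__main__":
    for alias in CNAME:
        print(alias, "->", *check_alias(alias))
```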