[Samba] Failed to find cifs/fs-share at dom.corp (kvno 109) in keytab

L.P.H. van Belle belle at bazuin.nl
Tue Nov 5 16:39:55 UTC 2019

Hai Rowland, 

I'll explain a bit more on this. 

> Yes, if you are just using /etc/hosts , but AD uses dns and the dns 
> version of 'alias' is CNAME

Not debating that. 

But i use everything here, and you can combine that fine, if you know what your doing.

If you run : smbclient , what happens than..
You first make a DNS request, that goes through /etc/hosts 
then is goes to /etc/resolv.conf,
then dns is used that order,
Then ADDB is used for SPN lookups. 

This is for example a part of my webserver setup, where i use :
internal DNS request (samba DNS) and internet DNS and /etc/hosts on one host
All for 1 website, which is looking same if i use a pc in lan, of pc at home (DNS requests) 
But on the local server, i use an other hostname, for a protected part of that site, only accessable 
from the server by the server, requests through /etc/hosts only, because that hostname is only in /etc/hosts

That works fine, and yes even kerberos works on that hostname because it is just an alias. 
Resolving does the rest to make it work. 

What i dont use in my lan... accessing servers by IP, why, because if you only use hostname.(fqdns)
1) protecting it is better done if you setup only with hostname use.
2) if you did something wrong it just wont work. 
3) if your setup right, it always works. 
4) yeah, it might be a bit slower then using IP, but thats logical because you removed the dns requests..

This is why i hammer on DNS resolving to be correct. 

And yes, i im 100% agreeing that this : fs-a.dom.corp fs-a 

Should be the only correct one.

There are just to many options.. :-/' 

Good evening guys and girls, im heading home. 



> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland penny via samba
> Verzonden: dinsdag 5 november 2019 17:06
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Failed to find cifs/fs-share at dom.corp 
> (kvno 109) in keytab
> On 05/11/2019 15:55, L.P.H. van Belle via samba wrote:
> > Hai,
> >
> >>> Change this one.
> >>> /etc/hosts
> >>> fs-a.dom.corp fs-a oldsamba  # Old/wrong
> >>> fs-a.dom.corp fs-a oldsamba.dom.corp oldsamba  #
> >> new/correct
> >>> Or
> >>> fs-a.dom.corp fs-a oldsamba.dom.corp  # new/correct
> >> No, none of them are correct
> > No, Rowland, your really wrong here. ( i dont say that 
> often.. )  :-p
> > But i give you the doubt, once.. ;-), so show me why that 
> is incorrect..
> >
> >>> Here i personaly preffer :
> >>> fs-a.dom.corp fs-a
> >> But that is.
> > All examples i showed are correct, how people use it, is up to them.
> > I show why i say it is correct. what i showed complies with RFC's.
> > https://tools.ietf.org/html/rfc952
> > https://tools.ietf.org/html/rfc1123
> >
> > And handy to know.
> > 
> https://support.microsoft.com/en-us/help/2269810/microsoft-sup
> port-for-single-label-domains
> >
> > Format is :
> > IP	FQDN 	ALIAS (Optional other Aliasses.)
> >
> > I have things like this.
> > IP hostn1.domain1.tld hostn1 
> somenamehere.completlydiffernt.tld somenamehere whatever.dom.tld
> >
> > And All work fine with kerberos any alias.. because i have 
> 1 IP for 1 hostname and 1 PTR.
> > All other things, are CNAMES in DNS and if only used 
> locally on the server then i have it in /etc/hosts.
> Yes, if you are just using /etc/hosts , but AD uses dns and the dns 
> version of 'alias' is CNAME
> Rowland
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list