[Samba] Win10 and NT mode: netlogon script seems does not run anymore.

Nick Howitt nick at howitts.co.uk
Thu Aug 27 10:39:12 UTC 2020 


On 27/08/2020 10:59, Rowland penny via samba wrote:
> 
> On 27/08/2020 08:49, L.P.H. van Belle via samba wrote:
>> https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias 
>>
>> @Rowland  have a good look at this one. This one is hitting the list.. 
>> (i have seen this problem also).
> I think everyone knows my views on NT4-style domains, they were a good 
> idea at the time, but that time is most definitely not now ;-)
> 
> The link Louis provided is interesting, it seems to backup what I have 
> always thought, you cannot use a CNAME for an NT4-style domain, but for 
> a reason I never thought of, kerberos.
> 
> The link says 'Important Do not use DNS CNAMEs in the future for file 
> servers.', but then goes on to tell you how to use them.
> 
> If you want to still give "alternate names" to servers, you can do so 
> with the following command:
> NETDOM COMPUTERNAME /ADD
> 
> Which is wrong/incomplete, it should be:
> netdom computername <computers short hostname> /add:<fully qualified CNAME>
> 
> Though I cannot get it to work from a Win10 computer
> 
> What amused me was the section headed 'Not recommended', where they then 
> went on to tell you to not set SPN's on non Windows fileservers and how 
> to do it :D
> 
>  From reading the link it looks like 'samba-tool dns add <server> <zone> 
> <name> <CNAME> fqdn_string' should be updated to allow adding SPN's
> 
> Another thought I had was, perhaps 'smb ports = 139' should be set in an 
> NT4-style PDC smb.conf
> 
> Rowland
> 
Thanks for your responses. I agree about NT4 domains, but ClearOS uses 
the Centos packages and so is stuck with the Centos product.

I have had success running Samba AD/DC in a docker container in ClearOS 
then using Centos' samba in ClearOS as a domain member for file shares 
but there is a horrible binding issue which does not quite work (socket 
address does not respect the "interfaces parameter" and binds to all 
ports, stopping the docker instance from starting. It can be got round 
by setting "socket address" to one of your LAN interface IP's, but I've 
no idea how it behaves if you have multiple LAN NICs as you can only set 
it to one IP).

I've updated the howto that I linked to to add the full FQDN's.

With respect to the CNAME issue, there is a workaround when connecting 
to servers running SMB1. Does this mean it is not an issue for servers 
not running SMB1 or does it mean there is no resolution for servers 
running SMB1? I can't work it out from the report.

Nick

More information about the samba mailing list