[Samba] Moving a Server - Best Practice
L.P.H. van Belle
belle at bazuin.nl
Tue Jan 26 08:23:51 UTC 2021
> With AD member server, if you leave the domain on the old server `net ads
> leave` and then add the old server's netbios name as a `netbios alias` on
> the new one before joining, then libnet will add the relevant kerberos SPN
> entry in AD so that kerberos auth still works via the old name. If you
> perform a simple cname record addition without moving the kerberos spn,
> then more often than not clients will not be able to authenticate (won't
> downgrade from kerberos to ntlm). But generally in an AD environment I
> prefer to use GPO to manage mapped shares on Windows clients so that the
> majority of client reconfiguration just happens via group policy update.
Yes. But in the "move" example I showed, you can keep your old server on until the new one is finished; also, kerberos works fine with CNAMEs.
Second, you should not use single label names "like" netbios names for shares. FQDN is recommended, and yes, I also map drives from GPO; I set these up in 2015 when I started and never changed them.
But I did change my server 2 times.
For all my members I follow this as a guideline.
hostname.sub.dom.tld use the FQDN
hostname = netbios name ( proxy dns = yes in smb.conf )
hostname.sub.dom.tld DNS A
IP nr DNS PTR
usable-name.sub.dom.tld DNS CNAME ( like fs1 or dns1 or ntp1 or all, depends on the server's use ).
Read : https://web.mit.edu/kerberos/krb5-devel/doc/admin/princ_dns.html
And I do set the following SPNs in general on the "real" hostname.
And of course I have the SPN names of the domain join.
So what is the need/extra to use the netbios alias on the new one before joining? There is none.. (sorry)..
Kerberos works fine like this and yes, maybe you want to add a SPN,
but that's normal if you need something extra.
What I make of the above is:
You use aliases but in a wrong manner, or at least, in time it might bite you. Stop using single label names and start using FQDNs.
Your thoughts were right, but the execution not, in my opinion. (sorry).
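Added example (not part of the post or of Samba): a small checker for the member-server layout described above. It takes constructed zone and SPN data (the names fs01/fs1/nfs1, the 10.0.0.5 address and the HOST/ SPNs are assumptions for the example) and reports where a host deviates from the guideline: netbios name = short hostname, A and PTR on the real hostname, service names as CNAMEs only, and the domain-join SPNs on the real hostname.

```python
# Constructed sample data, not from the post: a forward zone keyed by owner
# name, the matching reverse zone keyed by IP, and the member's SPNs.
FORWARD = {
    "fs01.sub.dom.tld": ("A", "10.0.0.5"),
    "fs1.sub.dom.tld": ("CNAME", "fs01.sub.dom.tld"),
    "nfs1.sub.dom.tld": ("CNAME", "fs01.sub.dom.tld"),
    "old-fs.sub.dom.tld": ("CNAME", "fs99.sub.dom.tld"),  # left behind by a move
}
REVERSE = {"10.0.0.5": "fs01.sub.dom.tld"}
SPNS = {"HOST/fs01.sub.dom.tld", "HOST/FS01"}


def check_member(fqdn, netbios, ip, aliases, forward=FORWARD, reverse=REVERSE, spns=SPNS):
    """Return a list of findings; an empty list means the layout follows the guideline."""
    findings = []
    # netbios name is the short form of the real hostname
    if fqdn.split(".")[0].lower() != netbios.lower():
        findings.append(f"netbios {netbios}: not the short form of {fqdn}")
    # real hostname has the A record ...
    if forward.get(fqdn) != ("A", ip):
        findings.append(f"{fqdn}: expected A {ip}, found {forward.get(fqdn)}")
    # ... and the IP has a PTR back to it
    if reverse.get(ip) != fqdn:
        findings.append(f"{ip}: PTR is {reverse.get(ip)}, expected {fqdn}")
    # service names (fs1, nfs1, ...) are CNAMEs to the real hostname, never A records
    for alias in aliases:
        rec = forward.get(alias)
        if rec != ("CNAME", fqdn):
            findings.append(f"{alias}: expected CNAME {fqdn}, found {rec}")
    # domain-join SPNs live on the real hostname, short and FQDN form
    have = {s.upper() for s in spns}
    for spn in (f"HOST/{fqdn}", f"HOST/{netbios}"):
        if spn.upper() not in have:
            findings.append(f"missing SPN {spn}")
    return findings


def dangling_cnames(forward=FORWARD):
    """CNAMEs whose target has no A record, e.g. aliases left over from a decommissioned host."""
    return sorted(name for name, (rtype, target) in forward.items()
                  if rtype == "CNAME" and forward.get(target, (None,))[0] != "A")


if __name__ == "__main__":
    print(check_member("fs01.sub.dom.tld", "FS01", "10.0.0.5",
                       ["fs1.sub.dom.tld", "nfs1.sub.dom.tld"]))
    print(dangling_cnames())
```

Run it against an export of your own forward and reverse zones after a server move; the dangling-CNAME check is what catches old service names still pointing at the retired host.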