[Samba] Moving a Server - Best Practice

L.P.H. van Belle belle at bazuin.nl
Tue Jan 26 08:23:51 UTC 2021





> With AD member server, if you leave the domain on the old server `net ads
> leave` and then add the old server's netbios name as a `netbios alias` on
> the new one before joining, then libnet will add the relevant kerberos SPN
> entry in AD so that kerberos auth still works via the old name. If you
> perform a simple cname record addition without moving the kerberos spn,
> then more often than not clients will not be able to authenticate (won't
> downgrade from kerberos to ntlm). But generally in an AD environment I
> prefer to use GPO to manage mapped shares on Windows clients so that the
> majority of client reconfiguration just happens via group policy update.




Yes. But in the "move" example I showed, you can keep your old server on until the new one is finished; also, Kerberos works fine with CNAMEs.
Second, you should not use single label names "like" netbios names for shares. FQDN is recommended, and yes, I also map drives from GPO; I set these in 2015 when I started and never changed it,
but I did change my server 2 times.

For all my members I follow this as a guideline.

hostname.sub.dom.tld      use the FQDN
hostname = netbios name ( proxy dns = yes in smb.conf )

hostname.sub.dom.tld      DNS A
IP nr                     DNS PTR
use-ablename.sub.dom.tld  DNS CNAME ( like fs1 or dns1 or ntp1 or all, depends on the server and its use ).
Read: https://web.mit.edu/kerberos/krb5-devel/doc/admin/princ_dns.html

And I do set the following SPNs in general on the "real" hostname.
cifs/hostname.sub.dom.tld
nfs/hostname.sub.dom.tld
And of course I have the SPN names of the domain join.

So what is the need/extra to use the netbios alias on the new one before joining? There is none.. (sorry)..
Kerberos works fine like this and yes, maybe you want to add an SPN,
but that's normal if you need something extra.

What I make of the above is:
you use aliases but in a wrong manner, or at least, in time it might bite you. Stop using single label names and start using FQDNs.
Your thoughts were right, but the execution not, in my opinion. (sorry).

And read: 
https://docs.microsoft.com/en-US/troubleshoot/windows-server/networking/dns-cname-alias-cannot-access-smb-file-server-share 


Greetz, 

Louis
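The layout Louis describes (real hostname with A + PTR, friendly names as CNAMEs pointing at it, cifs/ and nfs/ SPNs registered on the real hostname, no single-label names) can be checked mechanically before a server move. The script below is an added example written for this page, not code from the post or from the Samba project. It assumes DNS answers and the server's SPN list are supplied as plain dicts/sets (constructed sample data inline, so it runs offline; in practice you would fill them from dig, `samba-tool dns query` and the SPN list for the machine account), and it follows CNAME chains the way a Kerberos client canonicalises a name before asking for a service ticket, so a chain of several CNAMEs is handled as well as the single hop in the post.

```python
"""Check a file server's DNS and SPN layout against the guideline in the
post: FQDN everywhere, A + PTR on the real hostname, CNAMEs for friendly
names, cifs/ and nfs/ SPNs on the real hostname.  All input is injected
as plain Python data so this runs offline (example/assumed data)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class DnsView:
    """A minimal, injected stand-in for DNS lookups (assumption: data
    gathered beforehand, e.g. with dig or samba-tool dns query)."""
    a: dict[str, str]       # fqdn -> IPv4 address
    ptr: dict[str, str]     # IPv4 address -> fqdn
    cname: dict[str, str]   # alias fqdn -> target fqdn


def canonicalise(view: DnsView, name: str, max_hops: int = 8) -> str:
    """Follow CNAMEs until a non-CNAME name, as a Kerberos client does
    before building the cifs/<host> principal for a CNAME'd share."""
    seen: list[str] = []
    while name in view.cname:
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.append(name)
        name = view.cname[name]
    return name


def check_server(view: DnsView, spns: set[str], real_host: str,
                 aliases: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the layout matches
    the guideline.  Single-label names are flagged because clients will
    not obtain a Kerberos ticket for them and fall back to NTLM."""
    problems: list[str] = []
    if "." not in real_host:
        problems.append(f"{real_host}: single-label name, use the FQDN")
    ip = view.a.get(real_host)
    if ip is None:
        problems.append(f"{real_host}: no A record")
    elif view.ptr.get(ip) != real_host:
        problems.append(f"{ip}: PTR does not point back to {real_host}")
    # The SPNs the post registers on the real hostname.
    for svc in ("cifs", "nfs"):
        if f"{svc}/{real_host}" not in spns:
            problems.append(f"missing SPN {svc}/{real_host}")
    for alias in aliases:
        if "." not in alias:
            problems.append(f"{alias}: single-label alias, clients will "
                            "not get Kerberos for it")
            continue
        if alias not in view.cname:
            problems.append(f"{alias}: no CNAME record")
            continue
        target = canonicalise(view, alias)
        if target != real_host:
            problems.append(f"{alias}: CNAME resolves to {target}, "
                            f"not {real_host}")
    return problems


# Constructed sample data (not from the post): a server laid out as
# recommended, and one with the typical mistakes.
GOOD_DNS = DnsView(
    a={"host1.sub.dom.tld": "10.0.0.5"},
    ptr={"10.0.0.5": "host1.sub.dom.tld"},
    cname={"fs1.sub.dom.tld": "host1.sub.dom.tld",
           "ntp1.sub.dom.tld": "host1.sub.dom.tld"},
)
# host/ SPN stands in for what the domain join registers (assumed).
GOOD_SPNS = {"host/host1.sub.dom.tld", "cifs/host1.sub.dom.tld",
             "nfs/host1.sub.dom.tld"}

BAD_DNS = DnsView(
    a={"host1.sub.dom.tld": "10.0.0.5"},
    ptr={"10.0.0.5": "host0.sub.dom.tld"},       # stale PTR from old server
    cname={"old1.sub.dom.tld": "host2.sub.dom.tld"},  # points elsewhere
)
BAD_SPNS = {"host/host1.sub.dom.tld", "cifs/host1.sub.dom.tld"}  # nfs/ missing


def good_result() -> list[str]:
    return check_server(GOOD_DNS, GOOD_SPNS, "host1.sub.dom.tld",
                        ["fs1.sub.dom.tld", "ntp1.sub.dom.tld"])


def bad_result() -> list[str]:
    return check_server(BAD_DNS, BAD_SPNS, "host1.sub.dom.tld",
                        ["fs1", "old1.sub.dom.tld"])


if __name__ == "__main__":
    for label, result in (("good", good_result()), ("bad", bad_result())):
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run it before cutting over a new member server; every line it prints is something a client will trip over as a Kerberos failure or an NTLM fallback rather than as an obvious DNS error.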






