[Samba] using aliases for samba servers in an AD

Michael Tokarev mjt at tls.msk.ru
Fri Feb 18 11:25:36 UTC 2022


Hello!

We observed that after setting up a samba AD, we can't connect to -
at least - linux samba servers with kerberos auth using alternative
names.

We always had CNAMEs for role names in DNS, and those CNAMEs work
right now too, after AD setup.

In particular, there's a server named "tsrv" (with A record), and
a CNAME "fs" pointing to it (stands for File Server).

DNS resolution works, - either short name or long name (with .tls.msk.ru
domain) can be used.

But samba does not work:

$ smbclient //tsrv/mjt -U mjt -k
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/fs failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER

$ smbclient //tsrv/mjt -U mjt -k
Try "help" to get a list of possible commands.
smb: \>

$ smbclient //fs.tls.msk.ru/mjt -U mjt -k
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/fs.tls.msk.ru failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER

$ smbclient //tsrv.tls.msk.ru/mjt -U mjt -k
Try "help" to get a list of possible commands.
smb: \>

both names resolve:

$ dnsget fs
fs.tls.msk.ru. CNAME tsrv.tls.msk.ru.
tsrv.tls.msk.ru. A 192.168.177.2

What's wrong with using CNAMEs?

Thanks,

/mjt
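The failure above shows the client asking the KDC for a service ticket named after the alias as typed (cifs/fs, cifs/fs.tls.msk.ru) rather than after the A record it resolves to. The following is an added example, not code from the post or from Samba: it models that behaviour offline so an admin can see, for each DNS alias, which SPN a Kerberos SMB client will request and whether it exists on the server. The DNS records mirror the dnsget output in the post; the SPN set registered on the server account is a constructed assumption.

```python
"""Predict the Kerberos SPN an SMB client requests for a DNS name and check
it against the SPNs registered for the real server (constructed data)."""
from dataclasses import dataclass

DOMAIN = "tls.msk.ru"

# Constructed zone mirroring the post's dnsget output: name -> (type, target).
DNS = {
    "fs.tls.msk.ru": ("CNAME", "tsrv.tls.msk.ru"),
    "tsrv.tls.msk.ru": ("A", "192.168.177.2"),
}

# Assumed SPNs on the file server's machine account (constructed, not from the post).
SERVER_SPNS = {"cifs/tsrv", "cifs/tsrv.tls.msk.ru", "host/tsrv", "host/tsrv.tls.msk.ru"}


def qualify(name: str) -> str:
    """Append the search domain to a short name, as the resolver does."""
    return name if "." in name else f"{name}.{DOMAIN}"


def canonical_host(name: str, dns=DNS) -> str:
    """Follow the CNAME chain to the host that owns the A record."""
    seen, fqdn = set(), qualify(name)
    while True:
        if fqdn in seen:
            raise ValueError(f"CNAME loop at {fqdn}")
        seen.add(fqdn)
        rtype, target = dns[fqdn]
        if rtype != "CNAME":
            return fqdn
        fqdn = target


def requested_spn(name: str) -> str:
    """SPN the client asks for: built from the name as typed in the UNC path,
    as the post's error lines show (cifs/fs, cifs/fs.tls.msk.ru)."""
    return f"cifs/{name}"


@dataclass
class Report:
    typed: str
    spn: str
    host: str
    registered: bool


def check(name: str, dns=DNS, spns=SERVER_SPNS) -> Report:
    """Report which SPN is requested for `name` and whether the server has it."""
    spn = requested_spn(name)
    return Report(name, spn, canonical_host(name, dns), spn in spns)


if __name__ == "__main__":
    for n in ("tsrv", "fs", "fs.tls.msk.ru", "tsrv.tls.msk.ru"):
        r = check(n)
        state = "registered" if r.registered else "MISSING: Kerberos setup fails"
        print(f"//{n}: requests {r.spn}, served by {r.host}, {state}")
```

Running it lists the alias names whose cifs/ SPN is absent from the server account, which is exactly the case that produces NT_STATUS_INVALID_PARAMETER in the session above.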
