[Samba] using aliases for samba servers in an AD

Christian Naumer cn at brain-biotech.de
Fri Feb 18 11:45:55 UTC 2022


Hi,
last time I did this using just CNAMEs worked with Windows as a client. 
For us it just was smbclient that didn't work. However, adding cifs/tsrv 
as SPN for that computer should fix it (it did for us)

Regards

Christian

Am 18.02.22 um 12:25 schrieb Michael Tokarev via samba:
> Hello!
> 
> We observed that after setting up a samba AD, we can't connect to -
> at least - linux samba servers with kerberos auth using alternative
> names.
> 
> We always had CNAMEs for role names in DNS, and those CNAMEs work
> right now too, after AD setup.
> 
> In particular, there's a server named "tsrv" (with A record), and
> a CNAME "fs" pointing to it (stands for File Server).
> 
> DNS resolution works, - either short name or long name (with .tls.msk.ru
> domain) can be used.
> 
> But samba does not work:
> 
> $ smbclient //tsrv/mjt -U mjt -k
> gensec_spnego_client_negTokenInit_step: gse_krb5: creating 
> NEG_TOKEN_INIT for cifs/fs failed (next[(null)]): 
> NT_STATUS_INVALID_PARAMETER
> session setup failed: NT_STATUS_INVALID_PARAMETER
> 
> $ smbclient //tsrv/mjt -U mjt -k
> Try "help" to get a list of possible commands.
> smb: \>
> 
> $ smbclient //fs.tls.msk.ru/mjt -U mjt -k
> gensec_spnego_client_negTokenInit_step: gse_krb5: creating 
> NEG_TOKEN_INIT for cifs/fs.tls.msk.ru failed (next[(null)]): 
> NT_STATUS_INVALID_PARAMETER
> session setup failed: NT_STATUS_INVALID_PARAMETER
> 
> $ smbclient //tsrv.tls.msk.ru/mjt -U mjt -k
> Try "help" to get a list of possible commands.
> smb: \>
> 
> both names resolves:
> 
> $ dnsget fs
> fs.tls.msk.ru. CNAME tsrv.tls.msk.ru.
> tsrv.tls.msk.ru. A 192.168.177.2
> 
> What's wrong with using CNAMEs?
> 
> Thanks,
> 
> /mjt
> 

-- 
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Adriaan Moelker (Vorstandsvorsitzender), 
Lukas Linnig
Aufsichtsratsvorsitzender: Dr. Georg Kellinghusen


More information about the samba mailing list