[Samba] adding server aliases after joining to a domain

Michael Tokarev mjt at tls.msk.ru
Tue Nov 22 10:35:08 UTC 2022


22.11.2022 13:20, Kees van Vloten via samba wrote:
> 
> Op 22-11-2022 om 11:13 schreef Michael Tokarev via samba:
>> Hi!
>>
>> I've added a second name for a server, after it has been successfully joined to the
>> domain.  But how to configure it so it knows its own secondary name(s) and request
>> kerberos ticket for it?
>>
>> [2022/11/22 13:07:53.558416,  1] ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)
>>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/FS at TLS.MSK.RU(kvno 2) in keytab MEMORY:cifs_srv_keytab 
>> (arcfour-hmac-md5)]
>>
>> This is server named SVFSP, with an alias FS (File Server).
> 
> Not sure what you mean exactly but I assume you want to add an SPN to a computer or user object?

It looks like, yes.

> samba-tool spn add <principal> <acoount>

Aha.

This can also be modified by editing the computer account, adding
servicePrincipalName attribute.

But now I've an interesting issue.  It looks like there can't be
more than one server with the same SPN.

check_spn_direct_collision: SPN 'CIFS/FS' is on 'CN=TSRV,CN=Computers,DC=tls,DC=msk,DC=ru' so it can't be added to 
'CN=SVFSP,CN=Computers,DC=tls,DC=msk,DC=ru'
samldb_spn_uniqueness_check: SPN CIFS/FS failed direct uniqueness check
ERROR(ldb): Failed to modify computer 'svfsp':  - samldb: spn[CIFS/FS] would cause a conflict

>> BTW, can there be several FSes in the same domain?

Here was the second part of my question.

This is my second attempt to assign a short name for
a server in a remote office.  After this suggestion:

https://lists.samba.org/archive/samba/2022-November/242835.html

Can it be made to work?

Thanks,

/mjt



More information about the samba mailing list