[Samba] several offices: home dirs, local resources, ...

Michael Tokarev mjt at tls.msk.ru
Tue Nov 22 10:39:19 UTC 2022


21.11.2022 21:06, Kris Lou via samba wrote:
> Another (potentially simpler, but less secure?) way of dealing with this
> might be some sort of split-horizon DNS:
> 
> * Point your clients at a different (internal, per site) DNS Server (DNS-A)
> * Have this DNS Server (DNS-A) refer samdom.tld requests to your AD-DC, and
> all others upstream.
> * Configure specific CNAME overrides and redirections on DNS-A, i.e.
> fs.samdom.tld to site1-fs.samdom.tld
> 
> This way, your DC only handles AD-related DNS queries, but requests to
> fs.samdom.tld should never get that far.

That smells pretty much like what I need.  I just tried to implement this one.
Thank you very much for an interesting suggestion!

And I immediately faced a problem: it seems there can't be more than one server per
SPN.

I mean, site1 already has the FS name registered. I also want site2 to register
this name (in their location). But this fails when adding the ServicePrincipalName,
due to the unique constraint.  Without adding an SPN for "fs", the member server
fails to authenticate:

[2022/11/22 13:07:53.558416,  1] ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)
   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/FS at TLS.MSK.RU(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]

Were you able to work around this restriction?

> I've done this with site-specific fileshares, and also routing traffic over
> a VPN instead of over the public internet.

Thank you!

/mjt
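The split-horizon setup Kris describes, written out for BIND 9 as an added illustration (it is not configuration from either poster): a forward zone sends only samdom.tld to the DC, and a response-policy zone rewrites fs.samdom.tld to the site-local file server. The DC address 192.0.2.10, the upstream resolver 198.51.100.53 and the zone/file names are assumed placeholders; the block holds two files, named.conf and the policy zone file.

```conf
// --- named.conf (site1's internal resolver, "DNS-A") ---
options {
    directory "/var/cache/bind";
    recursion yes;
    // Anything not matched by a zone below goes to the ordinary upstream resolver.
    forwarders { 198.51.100.53; };   // assumed upstream address
    forward only;
    // Apply the rewrite rules in the policy zone before answering clients.
    response-policy { zone "rpz.site1"; };
};

// Only AD-related names (samdom.tld and everything under it, _msdcs included)
// are referred to the DC, so the DC never sees unrelated queries.
zone "samdom.tld" {
    type forward;
    forward only;
    forwarders { 192.0.2.10; };      // assumed AD DC address
};

// Local policy zone holding the per-site overrides.
zone "rpz.site1" {
    type master;
    file "db.rpz.site1";
    allow-query { none; };           // rewrite data only, never served directly
};

; --- db.rpz.site1 (zone file; ';' is the comment character in this file) ---
$TTL 300
@               IN SOA  localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
                IN NS   localhost.
; Trigger on queries for fs.samdom.tld and answer with a CNAME to this site's
; own file server instead of whatever the DC would return. Kerberos is not
; affected by the rewrite: the client still requests a ticket for the name it
; was given (cifs/FS in the log above), so whichever server answers must hold
; that SPN, which is exactly what the keytab failure above is about.
fs.samdom.tld   IN CNAME site1-fs.samdom.tld.
```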
