[Samba] adding server aliases after joining to a domain

Kees van Vloten keesvanvloten at gmail.com
Tue Nov 22 10:42:12 UTC 2022


On 22-11-2022 at 11:35, Michael Tokarev wrote:
> 22.11.2022 13:20, Kees van Vloten via samba wrote:
>>
>> On 22-11-2022 at 11:13, Michael Tokarev via samba wrote:
>>> Hi!
>>>
>>> I've added a second name for a server, after it has been 
>>> successfully joined to the
>>> domain.  But how to configure it so it knows its own secondary 
>>> name(s) and request
>>> kerberos ticket for it?
>>>
>>> [2022/11/22 13:07:53.558416,  1] 
>>> ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)
>>>   gss_accept_sec_context failed with [ Miscellaneous failure (see 
>>> text): Failed to find cifs/FS@TLS.MSK.RU(kvno 2) in keytab 
>>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>
>>> This is server named SVFSP, with an alias FS (File Server).
>>
>> Not sure what you mean exactly but I assume you want to add an SPN to 
>> a computer or user object?
>
> It looks like, yes.
>
>> samba-tool spn add <principal> <account>
>
> Aha.
>
> This can also be modified by editing the computer account, adding
> servicePrincipalName attribute.
>
> But now I've an interesting issue.  It looks like there can't be
> more than one server with the same SPN.
>
> check_spn_direct_collision: SPN 'CIFS/FS' is on 
> 'CN=TSRV,CN=Computers,DC=tls,DC=msk,DC=ru' so it can't be added to 
> 'CN=SVFSP,CN=Computers,DC=tls,DC=msk,DC=ru'
> samldb_spn_uniqueness_check: SPN CIFS/FS failed direct uniqueness check
> ERROR(ldb): Failed to modify computer 'svfsp':  - samldb: spn[CIFS/FS] 
> would cause a conflict
>
Depending on your situation, you could create a service account (i.e. a 
user account), put the SPN on it and then export the keytab to multiple 
machines as a separate keytab, i.e. not /etc/krb5.keytab but something 
like /etc/keytab/<service_account>.keytab, and reconfigure your client 
to use that keytab instead of the system keytab.


>>> BTW, can there be several FSes in the same domain?
>
> Here was the second part of my question.
>
> This is my second attempt to assign a short name for
> a server in a remote office.  After this suggestion:
>
> https://lists.samba.org/archive/samba/2022-November/242835.html
>
> Can it be made to work?
>
> Thanks,
>
> /mjt



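The procedure Kees sketches above (check who already holds the SPN, put the alias SPN on a service account, export it to a dedicated keytab) as an added shell example. It is not code from the thread or from the Samba project. Assumed names: a service account `svc-fs`, the alias `FS` and domain `tls.msk.ru` from the thread, a keytab at `/etc/keytab/svc-fs.keytab`, and `sam.ldb` at the usual `/var/lib/samba/private/` path. The collision check compares SPNs case-insensitively, which is assumed to match how the samldb uniqueness check treats them; the LDIF it reads is a constructed sample mirroring the conflict quoted above, and it does not handle folded LDIF continuation lines.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba itself).
# Checks for an SPN collision, then registers alias SPNs on a service account
# and exports them to a dedicated keytab.  Names below are assumptions.
set -eu

# Constructed sample of what dump_spns prints on a DC, mirroring the
# check_spn_direct_collision error in the thread: TSRV already owns CIFS/FS.
SAMPLE_LDIF='dn: CN=TSRV,CN=Computers,DC=tls,DC=msk,DC=ru
servicePrincipalName: HOST/TSRV
servicePrincipalName: CIFS/FS

dn: CN=SVFSP,CN=Computers,DC=tls,DC=msk,DC=ru
servicePrincipalName: HOST/SVFSP
'

# Print the DN(s) that currently hold the SPN given as $1, reading LDIF on
# stdin.  Comparison is case-insensitive (assumption: AD treats SPNs that way
# for the uniqueness check).  Folded continuation lines are not handled.
spn_holder() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v want="$want" '
        /^dn: /                   { dn = substr($0, 5) }
        /^servicePrincipalName: / { if (tolower(substr($0, 23)) == want) print dn }
    '
}

# Exit 0 when no object in the LDIF on stdin holds the SPN $1, 1 otherwise.
spn_is_free() {
    [ -z "$(spn_holder "$1")" ]
}

# Live dump of every object carrying an SPN.  Run on a DC; path is an assumption.
dump_spns() {
    ldbsearch -H /var/lib/samba/private/sam.ldb '(servicePrincipalName=*)' \
        dn servicePrincipalName
}

# Put both the short and the FQDN form of the alias SPN on the service account.
# $1 = service account, $2 = alias, $3 = DNS domain.
register_alias() {
    samba-tool spn add "cifs/$2" "$1"
    samba-tool spn add "cifs/$2.$3" "$1"
}

# Export the keys for each alias SPN into a dedicated keytab (not
# /etc/krb5.keytab) that is then copied to the file server(s).
# $1 = alias, $2 = DNS domain, $3 = keytab path.
export_alias_keytab() {
    samba-tool domain exportkeytab "$3" --principal="cifs/$1"
    samba-tool domain exportkeytab "$3" --principal="cifs/$1.$2"
    chmod 0600 "$3"
}

if [ -n "${APPLY:-}" ]; then
    # Real run on a DC as a domain admin: refuse to add a conflicting SPN,
    # which is exactly what samldb would reject anyway, but with a clearer message.
    ACCOUNT=svc-fs; ALIAS=FS; DOMAIN=tls.msk.ru; KEYTAB=/etc/keytab/svc-fs.keytab
    if dump_spns | spn_is_free "cifs/$ALIAS"; then
        register_alias "$ACCOUNT" "$ALIAS" "$DOMAIN"
        export_alias_keytab "$ALIAS" "$DOMAIN" "$KEYTAB"
    else
        echo "cifs/$ALIAS is already held by: $(dump_spns | spn_holder "cifs/$ALIAS")" >&2
        exit 1
    fi
else
    # Offline demo against the constructed sample: who already has cifs/FS?
    printf '%s' "$SAMPLE_LDIF" | spn_holder cifs/FS
fi
```

On the file server, point smbd at the exported file with `kerberos method = dedicated keytab` and `dedicated keytab file = /etc/keytab/svc-fs.keytab` in smb.conf. Because the kvno in the keytab follows the service account's password, re-export and redistribute the keytab after any password change on that account, otherwise the "Failed to find ... (kvno N)" error quoted above returns.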