[Samba] adding server aliases after joining to a domain

[Michael Tokarev]

22.11.2022 14:05, Rowland Penny via samba wrote:
> 
> 
> On 22/11/2022 10:13, Michael Tokarev via samba wrote:
>> Hi!
>>
>> I've added a second name for a server, after it has been successfully joined to the
>> domain.  But how to configure it so it knows its own secondary name(s) and request
>> kerberos ticket for it?
>>
>> [2022/11/22 13:07:53.558416,  1] ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)
>>    gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/FS at TLS.MSK.RU(kvno 2) in keytab MEMORY:cifs_srv_keytab 
>> (arcfour-hmac-md5)]
>>
>> This is server named SVFSP, with an alias FS (File Server).
>>
>> I remember this can be done at the time of join when smb.conf
>> has netbios aliases = FS line.  But how to add it after the
>> join?
>>
>> BTW, can there be several FSes in the same domain?
>>
>> Thanks,
> 
> Using 'netbios aliases' went out with NT4-style domains, you now need to use a CNAME.

It works just fine when joining the domain -- samba-tool adds all the names listed in
netbios aliases as SPNs and CNAMEs automatically.

> You can add one with samba-tool:
> 
> samba-tool dns add <server> <zone> <name> CNAME fqdn_string -U Administrator

Hello Rowland!

I'm not asking how to add a CNAME - that part is working just fine.

It is not a problem for a client to find the server under alternative
name.

What I'm asking is how to add - as it turned out - a second SPN, so
that the server knows the other its names.

It is not sufficient to give alternative way for a client for finding
the server.  It is also necessary for the server to know its other
names, so it knows to reply to the alternative names too. See the
log entry I provided above - *this* is what I'm asking about.

And especially how to deal with DUPLICATE service names, -- it seems
like this is not possible.

Thanks,

/mjt