[Samba] adding server aliases after joining to a domain

Kees van Vloten keesvanvloten at gmail.com
Tue Nov 22 13:08:16 UTC 2022


On 22-11-2022 at 12:32, Rowland Penny via samba wrote:
>
>
> On 22/11/2022 11:15, Michael Tokarev via samba wrote:
>> 22.11.2022 14:05, Rowland Penny via samba wrote:
>>>
>>>
>>> On 22/11/2022 10:13, Michael Tokarev via samba wrote:
>>>> Hi!
>>>>
>>>> I've added a second name for a server, after it has been successfully
>>>> joined to the domain.  But how to configure it so it knows its own
>>>> secondary name(s) and request kerberos ticket for it?
>>>>
>>>> [2022/11/22 13:07:53.558416,  1] ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)
>>>>    gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/FS at TLS.MSK.RU(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>>>
>>>> This is server named SVFSP, with an alias FS (File Server).
>>>>
>>>> I remember this can be done at the time of join when smb.conf
>>>> has netbios aliases = FS line.  But how to add it after the
>>>> join?
>>>>
>>>> BTW, can there be several FSes in the same domain?
>>>>
>>>> Thanks,
>>>
>>> Using 'netbios aliases' went out with NT4-style domains, you now 
>>> need to use a CNAME.
>>
>> It works just fine when joining the domain -- samba-tool adds all the
>> names listed in netbios aliases as SPNs and CNAMEs automatically.
>>
>>> You can add one with samba-tool:
>>>
>>> samba-tool dns add <server> <zone> <name> CNAME fqdn_string -U Administrator
>>
>> Hello Rowland!
>>
>> I'm not asking how to add a CNAME - that part is working just fine.
>>
>> It is not a problem for a client to find the server under an alternative
>> name.
>>
>> What I'm asking is how to add - as it turned out - a second SPN, so
>> that the server knows its other names.
>>
>> It is not sufficient to give a client an alternative way of finding
>> the server.  It is also necessary for the server to know its other
>> names, so it knows to reply to the alternative names too. See the
>> log entry I provided above - *this* is what I'm asking about.
>>
>> And especially how to deal with DUPLICATE service names -- it seems
>> like this is not possible.
>>
>> Thanks,
>>
>> /mjt
>>
>
> netbios aliases relied on SMBv1 and WINS and do not work with AD; they
> have been replaced with DNS CNAMEs.
>
> You use CNAMEs just like normal DNS names, so you can add an SPN to a
> CNAME, but the SPN, like a lot of other things in AD, must be unique.
>
> Rowland
>
>
The SPN must be unique but at the same time the resulting exported 
keytab can be used on multiple machines, so that the service running 
there will recognize the service-name passed in a request.

I use this for a certain Apache vhost config; it works just fine.

- Kees
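The failure quoted at the top of the thread is the server being asked for a Kerberos service ticket for a name (cifs/FS@TLS.MSK.RU) whose key it does not hold, so the check a file-server admin wants is: for every name clients reach the host under (its hostname plus each CNAME alias), does the keytab contain the matching cifs/ principal? The following script is an added example, not code from the thread or from the Samba project. It parses a `klist -k` style keytab listing and Samba's gse.c failure message, and reports the missing SPNs; the keytab listing, the alias list and the principal names are constructed samples, and the log line is the one from the thread with the `@` that the list archive rewrote as ` at ` restored. Registering the extra SPN on the machine account and re-exporting the keytab (the remedy discussed above) is not part of this script.

```python
import re

# Constructed sample: a `klist -k` style listing of the server's keytab (not from the thread).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 SVFSP$@TLS.MSK.RU
   2 host/svfsp.tls.msk.ru@TLS.MSK.RU
   2 host/SVFSP@TLS.MSK.RU
   2 cifs/svfsp.tls.msk.ru@TLS.MSK.RU
   2 cifs/SVFSP@TLS.MSK.RU
"""

# Constructed: the names clients use for this server, its hostname and the CNAME alias,
# each in the short and fully qualified form a client might put in a ticket request.
SERVER_NAMES = ["svfsp.tls.msk.ru", "SVFSP", "fs.tls.msk.ru", "FS"]

# The gse.c failure quoted in the thread, with '@' restored (the archive rewrote it as ' at ').
SAMPLE_LOG = (
    "[2022/11/22 13:07:53.558416,  1] "
    "../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)\n"
    "  gss_accept_sec_context failed with [ Miscellaneous failure (see text): "
    "Failed to find cifs/FS@TLS.MSK.RU(kvno 2) in keytab MEMORY:cifs_srv_keytab "
    "(arcfour-hmac-md5)]"
)

KEYTAB_LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")
GSS_FAIL_RE = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+)")


def parse_keytab_listing(text):
    """Map principal -> kvno from klist -k output. Kerberos principals are
    case-sensitive, so cifs/FS@REALM and cifs/fs@REALM are distinct entries."""
    principals = {}
    for line in text.splitlines():
        m = KEYTAB_LINE_RE.match(line)
        if m:
            principals[m.group(2)] = int(m.group(1))
    return principals


def missing_spns(principals, names, service="cifs", realm="TLS.MSK.RU"):
    """Service principals clients will ask this server for but which have no key in the keytab."""
    wanted = [f"{service}/{name}@{realm}" for name in names]
    return [spn for spn in wanted if spn not in principals]


def principal_from_gss_failure(log_text):
    """Extract (principal, kvno, keytab) from Samba's 'Failed to find ... in keytab'
    message, or None when the text is not that failure."""
    m = GSS_FAIL_RE.search(log_text)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3)


def report(klist_text=SAMPLE_KLIST, names=SERVER_NAMES, log_text=SAMPLE_LOG):
    """Combine both checks: which SPNs are missing, and whether the logged failure is one of them."""
    principals = parse_keytab_listing(klist_text)
    gaps = missing_spns(principals, names)
    failure = principal_from_gss_failure(log_text)
    return {
        "missing": gaps,
        "failure": failure,
        "failure_explained": failure is not None and failure[0] in gaps,
    }


if __name__ == "__main__":
    r = report()
    for spn in r["missing"]:
        print(f"keytab lacks {spn}")
    if r["failure_explained"]:
        print(f"logged failure for {r['failure'][0]} (kvno {r['failure'][1]}) "
              f"matches a missing SPN in {r['failure'][2]}")
```

On a real host, feed `parse_keytab_listing` the output of `klist -k` and build the name list from the DNS records (A and CNAME) that point at the server. The case-sensitive comparison is deliberate: a keytab holding only cifs/fs.tls.msk.ru@TLS.MSK.RU still fails a client that asks for cifs/FS@TLS.MSK.RU, which is exactly the short upper-case form in the logged error.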