[Samba] How does AD/SMB clients authenticate servers?
klou at themusiclink.net
Mon Nov 28 20:01:39 UTC 2022
> (and it seems my setup with the same name to mean different things
> depending on the location based on overriding CNAMEs does not work
> for this reason: validity of such server can't be verified, and the
> clients can - in theory - be tricked to access wrong, malicious server
> instead of the right one, unless I'll do it some other way).
My (very incomplete) understanding is CNAMES work, as they then use
referred SPN instead of the CNAME.
So, your problem might be that FS/CIFS at DOMAIN.tld is already an existing
principal in AD, instead of global CNAME that only exists in DNS?
More information about the samba