[Samba] The link (or more particularly the lack of a link) between AD SPNs and DNS

Andrew Bartlett abartlet at samba.org
Tue Jan 31 18:59:43 UTC 2023


On Tue, 2023-01-31 at 10:13 +0300, Michael Tokarev via samba wrote:
> 31.01.2023 08:55, Matt Savin via samba wrote:
> > In group policies use DNS aliases, then you'll need to change only
> > DNS
> > entries for these aliases to point to a new host(s).
> 
> I'd say don't use simple dns aliases (cnames) in a DC, but use SPNs
> instead
> (see samba-tool spn). This will manage CNAMEs too, and also manages
> the KRB
> tickets and proper authentication of the server to the client.
> (After changing SPNs for a host, one needs to re-generate keytab).
> 
> /mjt

To be clear, you need both the CNAME or alternate A records AND the
SPN, DNS is not managed by samba-tool spn.

The client doesn't resolve what the CNAME or A points to to find a
canonical name as DNS is untrusted in AD, but by the same token the
choice of naming technology (NetBIOS broadcast, local hosts file, DNS
A, AAAA or CNAME) doesn't impact on the use of SPNs.

So essentially, both DNS and SPNs need to be set up, and to match.

Andrew Bartlett


-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst.Net Limited

Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source
Solutions
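The point made above, that DNS and SPNs are maintained separately and must be kept in step by hand, is something an administrator can check mechanically. The script below is an added example for this thread (not Samba project code, and not part of the original mail). It takes the SPN list of one computer account, in the one-SPN-per-line form you would get from `samba-tool spn list`, and a constructed zone (name to record), and reports the two mismatches the thread describes: an SPN whose host name nothing in DNS resolves (clients cannot reach the alias), and a DNS alias of the host with no matching SPN (clients reach it, but the KDC has no principal under that name, so Kerberos authentication for it fails). All host names, addresses and the zone contents are constructed sample data.

```python
#!/usr/bin/env python3
"""Cross-check the SPNs of an AD computer account against the DNS zone.

Added example for this thread, not Samba project code. Both inputs are
constructed: the SPN list mimics `samba-tool spn list` output with one SPN
per line, the zone is a plain dict of fully-qualified name -> (type, data).
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: servicePrincipalName values of a hypothetical account.
SAMPLE_SPNS = """\
HOST/WEB01
HOST/web01.example.com
HTTP/intranet.example.com
HTTP/files.example.com
"""

# Constructed sample zone: fully-qualified name -> (record type, data).
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "web01.example.com": ("A", "10.0.0.21"),
    "intranet.example.com": ("CNAME", "web01.example.com"),
    "portal.example.com": ("CNAME", "web01.example.com"),  # alias without SPN
    "dc1.example.com": ("A", "10.0.0.1"),
}


def parse_spns(text: str) -> List[str]:
    """Keep the lines that look like SPNs (class/host[:port][/name])."""
    return [line.strip() for line in text.splitlines() if "/" in line]


def spn_host(spn: str, dns_suffix: str) -> str:
    """Host part of an SPN; short (NetBIOS-style) names get the domain suffix."""
    host = spn.split("/", 1)[1].split("/")[0].split(":")[0].lower()
    if "." not in host:
        host = f"{host}.{dns_suffix.lower()}"
    return host


def resolve(name: str, zone: Dict[str, Tuple[str, str]],
            max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs to an address; None if the name is missing or loops."""
    seen = set()
    cur = name.lower().rstrip(".")
    for _ in range(max_hops):
        if cur in seen or cur not in zone:
            return None
        seen.add(cur)
        rtype, data = zone[cur]
        if rtype in ("A", "AAAA"):
            return data
        if rtype != "CNAME":
            return None
        cur = data.lower().rstrip(".")
    return None  # chain longer than max_hops


def check_alignment(spns: List[str], zone: Dict[str, Tuple[str, str]],
                    dns_suffix: str, canonical: str) -> Dict[str, List[str]]:
    """Classify SPNs as ok / spn_without_dns, and list DNS aliases of
    `canonical` (the host's real name) that have no SPN at all."""
    result: Dict[str, List[str]] = {"ok": [], "spn_without_dns": [],
                                    "dns_without_spn": []}
    spn_hosts = set()
    for spn in spns:
        host = spn_host(spn, dns_suffix)
        spn_hosts.add(host)
        bucket = "ok" if resolve(host, zone) else "spn_without_dns"
        result[bucket].append(spn)
    target = resolve(canonical, zone)
    if target is None:
        return result  # host itself is not in DNS; nothing to compare against
    for name in sorted(zone):
        if (name != canonical.lower() and resolve(name, zone) == target
                and name not in spn_hosts):
            result["dns_without_spn"].append(name)
    return result


if __name__ == "__main__":
    report = check_alignment(parse_spns(SAMPLE_SPNS), SAMPLE_ZONE,
                             "example.com", "web01.example.com")
    for key, items in report.items():
        print(f"{key}: {items}")
```

In a real domain the SPN side would come from `samba-tool spn list 'WEB01$'` and the zone from `samba-tool dns query <dc> example.com @ ALL`, with the output turned into the two inputs above. The check is at host-name level only: it tells you that `portal.example.com` resolves to the host but has no principal, not which service class (HTTP, HOST, CIFS) you still need to add, and, as the quoted reply notes, the keytab still has to be regenerated after the SPN change.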