[Samba] The link (or more particularity the lack of a link) between AD SPNs and DNS

Kees van Vloten keesvanvloten at gmail.com
Tue Jan 31 19:04:11 UTC 2023

On 31-01-2023 19:59, Andrew Bartlett via samba wrote:
> On Tue, 2023-01-31 at 10:13 +0300, Michael Tokarev via samba wrote:
>> 31.01.2023 08:55, Matt Savin via samba пишет:
>>> In group policies use DNS aliases, then you'll need to change only
>>> DNS
>>> entries for these aliases to point to a new host(s).
>> I'd say don't use simple dns aliases (cnames) in a DC, but use SPNs
>> instead
>> (see samba-tool spn). This will manage CNAMEs too, and also manages
>> the KRB
>> tickets and proper autentication of the server to the client.
>> (After changing SPNs for a host, one needs to re-generate keytab).
>> /mjt
> To be clear, you need both the CNAME or alternate A records AND the
> SPN, DNS is not managed by samba-tool spn.
> The client doesn't resolve what the CNAME or A points to to find a
> canonical name as DNS is untrusted in AD, but by the same token the
> choice of naming technology (NetBIOS broadcase, local hosts file, DNS
> A, AAAA or CNAME) doesn't impact on the use of SPNs.
> So essentially, both DNS and SPNs need to be set up, and to match.
> Andrew Bartlett
Exectly what I thought, thanks Andrew!

More information about the samba mailing list