[Samba] Cannot access PDC shares via alias name
Antonio Trogu
a.trogu at gruppoconcorde.it
Thu Jul 6 15:16:52 UTC 2023
Hello,
I needed to replace an old Samba AD PDC with a new one, so I've installed
the new one (Ubuntu 20.04 + Samba 4.15.13 from the Ubuntu repository), joined
it to the AD domain, demoted the primary, then removed it. All steps have
been done following the Samba official howtos:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
and
https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC
and each one after having tested the previous one's success.
Afterwards, to avoid needing to change all DNS and printer settings on
the clients, I've added the old PDC's IP and name to the new PDC. Samba's
DNS is now correctly answering on both IPs, while share access from
Windows clients always fails with a wrong credentials error. From a Linux
client with smbclient, instead, the shares are accessible.
When a Windows client tries to connect to a share with the old PDC name,
e.g. \\dc1.samdom.example.com\netlogon, these errors appear in its Samba
log (sanitized: DC1 is the old server's name, DC2 the new one's):
[2023/06/22 15:53:44.777523, 1]
../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Failed to find DC2$@SAMDOM.EXAMPLE.COM(kvno 1) in keytab
FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
[2023/06/22 15:53:44.777912, 1]
../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing
NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
[2023/06/22 15:53:44.873716, 1]
../../source4/auth/gensec/gensec_gssapi.c:791(gensec_gssapi_update_internal)
GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Failed to find DC2$@SAMDOM.EXAMPLE.COM(kvno 1) in keytab
FILE:/var/lib/samba/private/secrets.keytab (aes256-cts-hmac-sha1-96)
[2023/06/22 15:53:44.873815, 1]
../../auth/gensec/spnego.c:1242(gensec_spnego_server_negTokenInit_step)
gensec_spnego_server_negTokenInit_step: gssapi_krb5: parsing
NEG_TOKEN_INIT content failed (next[(null)]): NT_STATUS_LOGON_FAILURE
I've read in this thread:
https://lists.samba.org/archive/samba/2017-December/212597.html
that I have to add both a CNAME with the old name to the DNS and a
servicePrincipalName, but still no go. Maybe I haven't added the SPN
correctly. What is the right way to do this? Or what else can I do to fix
the issue?
Thanks,
Antonio Trogu