Mann, Roy (RGMR)
2006-Jul-10 18:50 UTC
[Samba] I want to use CNAMES for my SAMBA server, how?
I have a RedHat Enterprise 3 server running SAMBA 3.0.10. The server has been joined to the Active Directory forest using its fully qualified domain name.

Windows clients can successfully map drives using that fully qualified name. However, services have a tendency to be moved or need failover during maintenance, so I would prefer to tell customers to use a service alias like smbserver3.rest.ofthe.domain.com. When clients use that alias, I can see attempts at Kerberos authentication in the logs on the SAMBA server using the canonical FQDN, so Windows is getting the right address, talking to the right smbd, but authentication fails.

Jul 10 09:43:25 shortname smbd[27284]: krb5_rd_req(CIFS/fully.qualified/domain.name@KERBEROS REALM) failed: Wrong principal in request

Many of these same messages appear when the client uses the canonical name (used when joining Active Directory) and authentication works in that case. So these messages may be a red herring.

What do I need to do for PC clients to be able to use the service alias? What changes would then be required to move the service? (I can probably discern this depending on the answer above.) If there is more than one way to achieve this, I'd like the one with the least AD changes when the service is moved. I have control over UNIX machines but not over Active Directory.

Thanks in advance.
Roy Mann
Gerald (Jerry) Carter
2006-Jul-10 20:01 UTC
[Samba] I want to use CNAMES for my SAMBA server, how?
Mann, Roy (RGMR) wrote:
> I have a RedHat Enterprise 3 server running SAMBA 3.0.10. The server
> has been joined to the Active Directory forest using its fully qualified
> domain name.
> Windows clients can successfully map drives using that fully qualified
> name, However, services have a tendency to be moved or need failover
> during maintenance
> so I would prefer to tell customers to use a service alias like
> smbserver3.rest.ofthe.domain.com. When clients use that alias, I can
> see attempts at kerberos
> authentication in the logs on the SAMBA server using the canonical FQDN
> so Windows is getting the right address, talking to the right smbd, but
> authentication fails.

If you are using CNAMES, add the appropriate servicePrincipalName to the machine's object in AD. Something like adsiedit works well.

cheers, jerry
=====================================================================
Samba    ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
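
What the reply's suggestion looks like at the LDAP level, as an added example that is not part of the original thread: a shell script that emits the LDIF an AD administrator would apply to register the alias on the machine account, and to move it when the service moves. The machine-account DNs are constructed placeholders, and registering both the FQDN and short-name forms under the CIFS class seen in the log is an assumption.

```shell
#!/bin/sh
# Added example. Emits LDIF for an AD administrator to apply to the Samba
# server's machine account. DNs below are constructed placeholders.

# spn_values ALIAS_FQDN: print the SPNs to register, one per line.
# Assumption: CIFS class (as in the smbd log), FQDN and short-name forms.
spn_values() {
    alias_fqdn=$1
    printf 'CIFS/%s\n' "$alias_fqdn" "${alias_fqdn%%.*}"
}

# spn_ldif add|delete MACHINE_DN ALIAS_FQDN: one LDIF modify record.
spn_ldif() {
    op=$1 dn=$2 alias_fqdn=$3
    case $op in
        add|delete) ;;
        *) echo "operation must be add or delete" >&2; return 2 ;;
    esac
    case $alias_fqdn in
        *.*) ;;
        *) echo "alias must be a fully qualified name" >&2; return 2 ;;
    esac
    printf 'dn: %s\nchangetype: modify\n%s: servicePrincipalName\n' "$dn" "$op"
    spn_values "$alias_fqdn" | sed 's/^/servicePrincipalName: /'
    printf '%s\n\n' '-'
}

# move_alias_ldif OLD_DN NEW_DN ALIAS_FQDN: an SPN must be unique in the
# forest, so it is deleted from the old account before being added to the new.
move_alias_ldif() {
    spn_ldif delete "$1" "$3" && spn_ldif add "$2" "$3"
}

# Initial registration, then a later move to another host.
spn_ldif add "CN=OLDHOST,CN=Computers,DC=example,DC=com" \
    smbserver3.rest.ofthe.domain.com
move_alias_ldif "CN=OLDHOST,CN=Computers,DC=example,DC=com" \
    "CN=NEWHOST,CN=Computers,DC=example,DC=com" \
    smbserver3.rest.ofthe.domain.com
```

Moving the service then needs only the two-record LDIF from `move_alias_ldif` plus repointing the CNAME; the clients keep using the same alias.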