Hi.
We migrated a S4 workgroup to S4 AD DC, I'm trying to allow users to access the new \\fileserver with the old host name \\server. I added a CNAME record to the AD DNS zone, created alias for fileserver with
samba-tool spn add ldap/SERVER fileserver$
samba-tool spn add HOST/SERVER fileserver$

I also added
netbios aliases = server
to smb.conf but this should be useless, as they're now all using Windows10 and 7. But I'm still unable to browse the server as \\server.

Am I missing something?
thanks

-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.it
YetOpen S.r.l. - https://www.yetopen.it/
Via Salerno 18 - 23900 Lecco - ITALY - Tel +39 0341 220 205 - Fax +39 178 6070 222

Think green - Don't print this email unless necessary

-------- Legislative Decree 196/2003 and GDPR 679/2016 --------
Confidentiality notice: this email message including any attachment is for the sole use of the intended recipient and may contain confidential and privileged information; pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 - GDPR - any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient please delete this message without copying, printing or forwarding it to others, and alert us as soon as possible. Thank you.

Did you update the keytab on the fileserver after changing the SPNs on the computer object? If not, the fileserver won't have the correct SPNs in its keytab file so will fail at negotiating kerberos. NTLM should have still saved you however...

On 08/05/2020 22:27, Lorenzo Milesi via samba wrote:
> Hi.
> We migrated a S4 workgroup to S4 AD DC, I'm trying to allow users to access the new \\fileserver with the old host name \\server. I added a CNAME record to the AD DNS zone, created alias for fileserver with
> samba-tool spn add ldap/SERVER fileserver$
> samba-tool spn add HOST/SERVER fileserver$
>
> I also added
> netbios aliases = server
> to smb.conf but this should be useless, as they're now all using Windows10 and 7. But I'm still unable to browse the server as \\server.
>
> Am I missing something?
> thanks

By default, we should just be doing 'match by key' based on our secret (machine account password), so I hope that isn't it.

The server logs may be enlightening.

Andrew Bartlett

On Fri, 2020-05-08 at 22:42 +0100, Alex MacCuish via samba wrote:
> Did you update the keytab on the fileserver after changing the SPNs on
> the computer object? If not, the fileserver won't have the correct SPNs
> in its keytab file so will fail at negotiating kerberos. NTLM should
> have still saved you however...

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba

I'm confused, the logs look like AD DC logs, but you say you were configuring the separate Samba file-server.

Can you clarify?

Andrew Bartlett

On Sat, 2020-05-09 at 00:30 +0200, Lorenzo Milesi wrote:
> Attaching logs during an attempt of browsing \\server from CM-WM-W7$
>
> thanks
>
> ----- Original Message -----
> > From: "samba" <samba at lists.samba.org>
> > To: "Alex MacCuish" <alex at maccuish.org.uk>, "samba" <samba at lists.samba.org>
> > Sent: Saturday, May 9, 2020 12:03:58 AM
> > Subject: Re: [Samba] Unable to access shares by server alias

I'm configuring a single host with AD DC and file server

----- Original Message -----
> From: "Andrew Bartlett" <abartlet at samba.org>
> To: "Lorenzo Milesi" <lorenzo.milesi at yetopen.it>
> Cc: "Alex MacCuish" <alex at maccuish.org.uk>, "samba" <samba at lists.samba.org>
> Sent: Saturday, May 9, 2020 12:59:09 AM
> Subject: Re: [Samba] Unable to access shares by server alias

> I'm confused, the logs look like AD DC logs, but you say you were
> configuring the separate Samba file-server.
>
> Can you clarify?
>
> Andrew Bartlett

-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.it

Hello! Lorenzo Milesi via samba wrote on that day:

> We migrated a S4 workgroup to S4 AD DC, I'm trying to allow users to access the new \\fileserver with the old host name \\server. I added a CNAME record to the AD DNS zone

I do that. And works.

Sure 'server' is not a 'too generic' name that can be resolved elsewhere?

-- 
dott. Marco Gaiarin                          GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(cf 00307430132, category ONLUS or RICERCA SANITARIA)

Hi,

Verify
dig -x $(hostname -i)

Then
dig A $(hostname -f)

As long as these match any CNAME should work.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Marco Gaiarin via samba
> Sent: Monday 11 May 2020 9:21
> To: samba at lists.samba.org
> Subject: Re: [Samba] Unable to access shares by server alias
>
> Hello! Lorenzo Milesi via samba wrote on that day:
>
> > We migrated a S4 workgroup to S4 AD DC, I'm trying to allow
> > users to access the new \\fileserver with the old host name
> > \\server. I added a CNAME record to the AD DNS zone
>
> I do that. And works.
>
> Sure 'server' is not a 'too generic' name that can be resolved
> elsewhere?

Hello to you!

Does it work just with the CNAME?

My config actually worked in the end, but I think after I added the spn entries. I was testing on a machine which didn't reflect the change, but probably because of caching (ifconfig /flushdns didn't help)

----- Original Message -----
> From: "samba" <samba at lists.samba.org>
> To: "samba" <samba at lists.samba.org>
> Sent: Monday, May 11, 2020 9:20:43 AM
> Subject: Re: [Samba] Unable to access shares by server alias

> Hello! Lorenzo Milesi via samba wrote on that day:
>
>> We migrated a S4 workgroup to S4 AD DC, I'm trying to allow users to access the
>> new \\fileserver with the old host name \\server. I added a CNAME record to the
>> AD DNS zone
>
> I do that. And works.
>
> Sure 'server' is not a 'too generic' name that can be resolved
> elsewhere?

-- 
Lorenzo Milesi - lorenzo.milesi at yetopen.it

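
The checks raised in this thread (forward and reverse DNS agreeing, the alias CNAME, and the HOST/SERVER SPN on fileserver$) can be collected into one script. This is an added example, not part of any message above; the example.lan domain, the sample SPN listing and the script name check-alias.sh are constructed, and the layout of the listing is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread. Each check takes captured command
# output as text, so it works on saved output as well as on live lookups.

# Lower-case every line and drop the trailing dot that dig prints.
norm() { printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# name_in ANSWERS NAME: true if NAME is one of the answer lines.
name_in() { norm "$1" | grep -qxF "$(norm "$2")"; }

# has_spn SPN_LIST SPN: true if SPN is listed (trimmed, case-insensitive).
has_spn() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qixF "$2"
}

# check LABEL COMMAND...: run one check, print the result, count failures.
check() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; fails=$((fails + 1)); fi
}

# diagnose FQDN IP PTR_ANSWER A_ANSWER CNAME_ANSWER SPN_LIST ALIAS
# Exit status is the number of failed checks (0 = everything lines up).
diagnose() {
    fails=0
    check "reverse lookup of $2 names $1" name_in "$3" "$1"
    check "forward lookup of $1 gives $2" name_in "$4" "$2"
    check "CNAME for $7 points at $1"     name_in "$5" "$1"
    check "SPN HOST/$7 is registered"     has_spn "$6" "HOST/$7"
    return "$fails"
}

# Constructed sample of `samba-tool spn list fileserver$` output (example.lan is made up).
SAMPLE_SPNS='fileserver$
User CN=FILESERVER,OU=Domain Controllers,DC=example,DC=lan has the following servicePrincipalName:
     HOST/fileserver.example.lan
     HOST/FILESERVER
     HOST/SERVER'

# Live use on the server (hypothetical file name): sh check-alias.sh --live server 'fileserver$'
if [ "${1:-}" = "--live" ]; then
    fqdn=$(hostname -f); ip=$(hostname -i)
    diagnose "$fqdn" "$ip" "$(dig +short -x "$ip")" "$(dig +short A "$fqdn")" \
        "$(dig +short CNAME "$2.${fqdn#*.}")" "$(samba-tool spn list "$3")" "$2"
fi
```

A failed reverse or forward check points at DNS or /etc/hosts on the server; a failed SPN check means a Kerberos ticket for the alias cannot be issued for that account.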