Hello!

We observed that after setting up a samba AD, we can't connect to - at least - linux samba servers with kerberos auth using alternative names.

We always had CNAMEs for role names in DNS, and those CNAMEs work right now too, after AD setup.

In particular, there's a server named "tsrv" (with A record), and a CNAME "fs" pointing to it (stands for File Server).

DNS resolution works, - either short name or long name (with .tls.msk.ru domain) can be used.

But samba does not work:

$ smbclient //tsrv/mjt -U mjt -k
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/fs failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER

$ smbclient //tsrv/mjt -U mjt -k
Try "help" to get a list of possible commands.
smb: \>

$ smbclient //fs.tls.msk.ru/mjt -U mjt -k
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/fs.tls.msk.ru failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER

$ smbclient //tsrv.tls.msk.ru/mjt -U mjt -k
Try "help" to get a list of possible commands.
smb: \>

Both names resolve:

$ dnsget fs
fs.tls.msk.ru. CNAME tsrv.tls.msk.ru.
tsrv.tls.msk.ru. A 192.168.177.2

What's wrong with using CNAMEs?

Thanks,

/mjt
Alias should work fine.

There is a bug report on SPNs.. I don't have the time currently to look it up. But you might be hitting it.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Michael Tokarev via samba
> Sent: Friday 18 February 2022 12:26
> To: sambalist
> Subject: [Samba] using aliases for samba servers in an AD
>
> [...]
Hi,

last time I did this using just CNAMEs worked with Windows as a client. For us it just was smbclient that didn't work. However, adding cifs/tsrv as SPN for that computer should fix it (it did for us).

Regards

Christian

On 18.02.22 at 12:25, Michael Tokarev via samba wrote:
> Hello!
>
> [...]

--
Dr. Christian Naumer
Vice President
Unit Head Bioprocess Development

BRAIN Biotech AG
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
phone +49-6251-9331-30 / fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Commercial register: Darmstadt Local Court (AG), HRB 24758
Management board: Adriaan Moelker (Chairman), Lukas Linnig
Chairman of the supervisory board: Dr. Georg Kellinghusen
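An added example (Python, not from the thread) that models the check behind both replies: the error lines show smbclient requesting the SPN built from the name as typed (cifs/fs, cifs/fs.tls.msk.ru), so an alias works only if that SPN is registered on the file server's machine account, or if the client canonicalizes the CNAME to the A-record owner first. The zone mirrors the dnsget output; the TSRV$ account name and its SPN list are constructed for the example, and `samba-tool spn add` is the real command the fix maps to.

```python
DOMAIN = "tls.msk.ru"

# Constructed zone mirroring the thread's dnsget output: name -> (rrtype, target).
ZONE = {
    "tsrv.tls.msk.ru.": ("A", "192.168.177.2"),
    "fs.tls.msk.ru.": ("CNAME", "tsrv.tls.msk.ru."),
}

# Constructed: SPNs a default domain join puts on the TSRV$ machine account.
REGISTERED_SPNS = {"cifs/tsrv", "cifs/tsrv.tls.msk.ru",
                   "host/tsrv", "host/tsrv.tls.msk.ru"}


def qualify(name: str) -> str:
    """Zone key for a short or long name ('fs' -> 'fs.tls.msk.ru.')."""
    name = name.rstrip(".")
    if "." not in name:
        name = f"{name}.{DOMAIN}"
    return name + "."


def canonical_host(name: str, max_hops: int = 8) -> str:
    """Follow CNAMEs to the A-record owner, as a canonicalizing client would."""
    key = qualify(name)
    for _ in range(max_hops):
        rrtype, target = ZONE[key]  # KeyError for an unknown name is intended
        if rrtype != "CNAME":
            return key.rstrip(".")
        key = target
    raise RuntimeError(f"CNAME chain too long starting at {name}")


def requested_spn(typed_name: str, canonicalize: bool) -> str:
    """SPN the client asks the KDC for when connecting to //typed_name/share.

    Without canonicalization the SPN is built from the name exactly as typed,
    which is what the thread's 'cifs/fs' and 'cifs/fs.tls.msk.ru' errors show.
    """
    host = canonical_host(typed_name) if canonicalize else typed_name.rstrip(".")
    return f"cifs/{host}"


def kdc_has_spn(spn: str, spns=REGISTERED_SPNS) -> bool:
    """True when some machine account holds the SPN, so a ticket can be issued."""
    return spn in spns


def alias_spns(alias: str) -> list:
    """SPNs to register so the alias works for non-canonicalizing clients.

    Each entry corresponds to one 'samba-tool spn add <spn> TSRV$' call.
    """
    short = alias.rstrip(".").split(".")[0]
    return [f"cifs/{short}", f"cifs/{short}.{DOMAIN}"]
```

Run `requested_spn("fs", canonicalize=False)` against `kdc_has_spn` to see the failing case, then add `alias_spns("fs")` to the registered set to see the fix take effect.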