Martin Bruset Solberg
2017-Nov-23 12:07 UTC
[Samba] Joining samba 3.6 to AD with SPN target name validation hardening
Hi

I'm trying to join a samba 3.6.23 client (RHEL 6.8) to a Windows Server 2012 R2 AD domain. The DC has been hardened with the GPO setting "Microsoft network server: Server SPN target name validation level" set to "Required from client".

Attempting to join fails with "Failed to join domain: failed to lookup DC info for domain 'MY.DOMAIN.COM' over rpc: Access denied" on the client side. On the server side, the fail message is an Audit Failure: "Spn check for SMB/SMB2 fails." (Event 5168).

Trying to join to the domain with samba client version 4.6.2 (RHEL 7.4) is successful.

Setting the GPO setting to "Off" results in a successful join for RHEL 6.8.

The smb.conf and krb5.conf are the same on the two different clients. Somehow the SPN is provided differently on the two samba versions, as the check fails on 3.6.23, but not on 4.6.2. Can I correct this behavior on 3.6 somehow? Is the answer in the krb5.conf?

Martin Bruset Solberg
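Before enforcing "Required from client" on a DC, a defender usually wants to know which clients will be denied, which is exactly what the Event 5168 audit failures above reveal. The following triage script is an added example, not part of this thread: it maps the three GPO levels to the registry value they set (SmbServerNameHardeningLevel under LanmanServer\Parameters) and summarises constructed 5168-style records per source address. The flattened key=value line format and the field names used are a simplified assumption for the example, not the exact schema of the Windows event.

```python
"""Triage SMB SPN-check audit failures (Event ID 5168) per client.
Added example; the sample events are constructed, not real captures."""
import re
from collections import Counter, defaultdict

# GPO "Server SPN target name validation level" -> registry value in
# HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SmbServerNameHardeningLevel
HARDENING_LEVELS = {
    0: "Off",
    1: "Accept if provided by client",
    2: "Required from client",
}

# Constructed sample records in a simplified key=value layout (assumption:
# real exports would need a proper EVTX/XML parser instead of this regex).
SAMPLE_EVENTS = """\
EventID=5168 Keywords=AuditFailure SpnName=cifs/dc01.my.domain.com SourceAddress=10.0.0.51 ClientName=rhel6-smb36
EventID=5168 Keywords=AuditFailure SpnName= SourceAddress=10.0.0.51 ClientName=rhel6-smb36
EventID=4624 Keywords=AuditSuccess SourceAddress=10.0.0.52 ClientName=rhel7-smb46
EventID=5168 Keywords=AuditFailure SpnName=cifs/oldname SourceAddress=10.0.0.77 ClientName=legacy-nas
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_events(text):
    """Turn each key=value line into a dict; lines without EventID are skipped."""
    events = []
    for line in text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "EventID" in fields:
            events.append(fields)
    return events


def spn_failures_by_client(text):
    """Map source address -> Counter of SPN names that failed the 5168 check.
    An empty SPN is reported as '<empty>' so it stands out in the summary."""
    by_client = defaultdict(Counter)
    for ev in parse_events(text):
        if ev.get("EventID") == "5168" and ev.get("Keywords") == "AuditFailure":
            by_client[ev["SourceAddress"]][ev.get("SpnName") or "<empty>"] += 1
    return dict(by_client)


def clients_that_would_break(text):
    """Sorted addresses that would be denied once level 2 is enforced."""
    return sorted(spn_failures_by_client(text))


if __name__ == "__main__":
    for addr, spns in spn_failures_by_client(SAMPLE_EVENTS).items():
        print(addr, dict(spns))
```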
Rowland Penny
2017-Nov-23 12:23 UTC
[Samba] Joining samba 3.6 to AD with SPN target name validation hardening
On Thu, 23 Nov 2017 13:07:20 +0100 Martin Bruset Solberg via samba <samba at lists.samba.org> wrote:

> Hi
>
> I'm trying to join a samba 3.6.23 client (RHEL 6.8) to a Windows
> Server 2012 R2 AD domain. The DC has been hardened with the GPO
> setting "Microsoft network server: Server SPN target name validation
> level" set to "Required from client".
>
> Attempting to join fails with "Failed to join domain: failed to
> lookup DC info for domain 'MY.DOMAIN.COM' over rpc: Access denied" on
> the client side. On the server side, the fail message is an Audit
> Failure: "Spn check for SMB/SMB2 fails." (Event 5168).
>
> Trying to join to the domain with samba client version 4.6.2 (RHEL
> 7.4) is successful.
>
> Setting the GPO setting to "Off", results in a successful join for
> RHEL 6.8.
>
> The smb.conf and krb5.conf is the same on the two different clients.
> Somehow the SPN is provided differently on the two samba versions, as
> the check fails on 3.6.23, but not on 4.6.2. Can I correct this
> behavior on 3.6 somehow? Is the answer in the krb5.conf?
>
>
> Martin Bruset Solberg

If both machines are using the same krb5.conf, then this isn't likely to be the problem.

If you insist on running 3.6.23, then you will probably need to contact Red Hat support. 3.6 has been EOL for quite some time now as far as Samba is concerned, and your problem isn't likely to be fixed by Samba.

There have been very many changes in Samba since 3.6.23, so I suppose the easiest fix would be to upgrade your Samba on the RHEL 6.8 machine.

Rowland