Andrew Bartlett
2017-Dec-06 17:59 UTC
[Samba] [Curiosity] 'netbios aliases' works in AD mode?
On Wed, 2017-12-06 at 11:19 +0100, Marco Gaiarin via samba wrote:
> Greetings! Andrew Bartlett via samba wrote:
>
> > > We have used it on a domain member server, yes.
> > > Only one thing: when you have a computer account memberserver$ in your AD,
> > > you cannot use "memberserver" as an alias on another machine)
> >
> > And you should register any such alias as a servicePrincipalName.
>
> Ahem, looking at the wiki and google does not help me.
>
> Supposing to have a DM like 'vdmsv1.ad.fvg.lnf.it', and I need to
> create an alias 'file', I need to add 'file' to 'netbios aliases' and
> also do something like:
>
> samba-tool spn add host/vdmsv1.ad.fvg.lnf.it file.ad.fvg.lnf.it
>
> This leads me to another question: in this way, aliases are ''domain
> wide'', right? E.g., I cannot have a DM aliased 'file' in one LAN and
> another DM aliased 'file' in another LAN, as was possible before with NT
> like domains (two different domains).

Correct, you can't use the different netbios namespaces to do that.
Not that real NT4 allowed different netbios namespaces either, but all
sorts of games were possible (I've done that myself back in the day
with Samba).

You can't even use DNS search paths on the clients and then fully
qualified aliases, as the client will ask for a ticket for exactly the
name stated, not the FQDN, as this avoids insecure DNS being an attack
point.

I hope this clarifies things,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Marco Gaiarin
2017-Dec-07 09:48 UTC
[Samba] [Curiosity] 'netbios aliases' works in AD mode?
Greetings! Andrew Bartlett via samba wrote:

> > This leads me to another question: in this way, aliases are ''domain
> > wide'', right? E.g., I cannot have a DM aliased 'file' in one LAN and
> > another DM aliased 'file' in another LAN, as was possible before with NT
> > like domains (two different domains).
>
> Correct, you can't use the different netbios namespaces to do that.
> Not that real NT4 allowed different netbios namespaces either, but all
> sorts of games were possible (I've done that myself back in the day
> with Samba).

Good to know. Thanks.

> You can't even use DNS search paths on the clients and then fully
> qualified aliases, as the client will ask for a ticket for exactly the
> name stated, not the FQDN, as this avoids insecure DNS being an attack
> point.

Mmmhhh... let me try an example.

Supposing we have 'vdmsv1.ad.fvg.lnf.it' aliased as 'file.sv.lnf.it'
in LAN 1, and 'vdmpp1.ad.fvg.lnf.it' aliased as 'file.pp.lnf.it' in
LAN 2.

If a client in LAN 1 has 'sv.lnf.it' in its search path, and one in LAN 2
has 'pp.lnf.it', I cannot alias 'file' on both because the ticket gets asked
for 'vdmsv1.ad.fvg.lnf.it' and 'vdmpp1.ad.fvg.lnf.it'. Right?

> I hope this clarifies things,

Sure, but... I really didn't find many examples about 'spn add', so I'm
still in doubt. Is this right?

> > Supposing to have a DM like 'vdmsv1.ad.fvg.lnf.it', and I need to
> > create an alias 'file', I need to add 'file' to 'netbios aliases' and
> > also do something like:
> >
> > samba-tool spn add host/vdmsv1.ad.fvg.lnf.it file.ad.fvg.lnf.it

Thanks.

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Andrew Bartlett
2017-Dec-07 10:31 UTC
[Samba] [Curiosity] 'netbios aliases' works in AD mode?
On Thu, 2017-12-07 at 10:48 +0100, Marco Gaiarin via samba wrote:
> Greetings! Andrew Bartlett via samba wrote:
>
> > > This leads me to another question: in this way, aliases are ''domain
> > > wide'', right? E.g., I cannot have a DM aliased 'file' in one LAN and
> > > another DM aliased 'file' in another LAN, as was possible before with NT
> > > like domains (two different domains).
> >
> > Correct, you can't use the different netbios namespaces to do that.
> > Not that real NT4 allowed different netbios namespaces either, but all
> > sorts of games were possible (I've done that myself back in the day
> > with Samba).
>
> Good to know. Thanks.
>
> > You can't even use DNS search paths on the clients and then fully
> > qualified aliases, as the client will ask for a ticket for exactly the
> > name stated, not the FQDN, as this avoids insecure DNS being an attack
> > point.
>
> Mmmhhh... let me try an example.
>
> Supposing we have 'vdmsv1.ad.fvg.lnf.it' aliased as 'file.sv.lnf.it'
> in LAN 1, and 'vdmpp1.ad.fvg.lnf.it' aliased as 'file.pp.lnf.it' in
> LAN 2.
>
> If a client in LAN 1 has 'sv.lnf.it' in its search path, and one in LAN 2
> has 'pp.lnf.it', I cannot alias 'file' on both because the ticket gets asked
> for 'vdmsv1.ad.fvg.lnf.it' and 'vdmpp1.ad.fvg.lnf.it'. Right?

No, it will ask for 'file'. If the servicePrincipalName is not unique,
the lookup will fail.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
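The practical consequence of the thread above is that a netbios alias on an AD member has to be backed by SPNs (short and FQDN forms) that are unique across the whole domain, because the client asks the KDC for a ticket for exactly the name it typed. The following is an added example, not code from the Samba project or from either poster: it parses a constructed LDIF dump of the kind `ldbsearch` or `samba-tool` can produce (the account names, OU and SPN values are invented for illustration), reports SPNs already held by more than one account, and checks whether adding the alias `file` to a given machine account would collide before you run `samba-tool spn add`.

```python
import re
from collections import defaultdict

# Constructed sample LDIF (not real directory data): two member servers in
# ad.fvg.lnf.it, where VDMPP1$ already carries the SPNs for the alias "file".
SAMPLE_LDIF = """\
dn: CN=VDMSV1,OU=Domain Members,DC=ad,DC=fvg,DC=lnf,DC=it
sAMAccountName: VDMSV1$
servicePrincipalName: host/vdmsv1.ad.fvg.lnf.it
servicePrincipalName: host/VDMSV1

dn: CN=VDMPP1,OU=Domain Members,DC=ad,DC=fvg,DC=lnf,DC=it
sAMAccountName: VDMPP1$
servicePrincipalName: host/vdmpp1.ad.fvg.lnf.it
servicePrincipalName: host/VDMPP1
servicePrincipalName: host/file
servicePrincipalName: host/file.ad.fvg.lnf.it
"""


def parse_ldif(text):
    """Return {sAMAccountName: set(servicePrincipalName)} from simple LDIF.

    Entries are separated by blank lines; only the two attributes we need
    are collected, other attributes and the dn line are ignored.
    """
    accounts = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        name, spns = None, set()
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep:
                continue
            attr, value = attr.strip().lower(), value.strip()
            if attr == "samaccountname":
                name = value
            elif attr == "serviceprincipalname":
                spns.add(value)
        if name:
            accounts[name] = spns
    return accounts


def spn_index(accounts):
    """Map lowercased SPN -> set of accounts holding it.

    AD compares SPNs case-insensitively, so host/FILE and host/file collide.
    """
    idx = defaultdict(set)
    for acct, spns in accounts.items():
        for spn in spns:
            idx[spn.lower()].add(acct)
    return idx


def duplicate_spns(accounts):
    """SPNs registered on more than one account: exactly the state in which
    a client's ticket request for that name fails, as described above."""
    return {spn: sorted(h) for spn, h in spn_index(accounts).items() if len(h) > 1}


def alias_spns(alias, dns_domain):
    """SPNs a netbios alias needs: the short name clients type over SMB and
    the FQDN form, both under the host/ service class."""
    return [f"host/{alias}", f"host/{alias}.{dns_domain}"]


def check_alias(accounts, account, alias, dns_domain):
    """Return (ok, conflicts): ok is False if any SPN needed for the alias is
    already held by a different account; conflicts maps SPN -> holders."""
    idx = spn_index(accounts)
    conflicts = {}
    for spn in alias_spns(alias, dns_domain):
        holders = idx.get(spn.lower(), set()) - {account}
        if holders:
            conflicts[spn] = sorted(holders)
    return (not conflicts, conflicts)


def spn_add_commands(account, alias, dns_domain):
    """The samba-tool invocations to register the alias: samba-tool takes
    the SPN first and the account second."""
    return [f"samba-tool spn add {spn} {account}" for spn in alias_spns(alias, dns_domain)]


if __name__ == "__main__":
    accounts = parse_ldif(SAMPLE_LDIF)
    print("duplicates:", duplicate_spns(accounts))
    for acct in ("VDMSV1$", "VDMPP1$"):
        ok, conflicts = check_alias(accounts, acct, "file", "ad.fvg.lnf.it")
        print(acct, "alias file ->", "ok" if ok else f"CONFLICT {conflicts}")
        if ok:
            print("\n".join(spn_add_commands(acct, "file", "ad.fvg.lnf.it")))
```

Run it against the sample and `VDMSV1$` is refused the alias because `VDMPP1$` already holds `host/file` and `host/file.ad.fvg.lnf.it`, while `VDMPP1$` (which already has them) passes. On a real domain, feed the parser the output of an LDAP search for `(servicePrincipalName=*)` returning `sAMAccountName` and `servicePrincipalName`, and treat a non-empty `duplicate_spns()` result as the thing to fix first, since those names already fail for clients.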