Hello,

we successfully migrated from a Samba 3.x NT Domain to a Samba AD Domain using Samba 4.7.x.

However, there are still some issues and I hope for your help.

The biggest problem so far follows:

For historical reasons our Samba file servers carry a lot of aliases. Now that they have become AD Members I did set a lot of CNAMEs in the AD DNS (using the Windows DNS Tool). Most of the aliases do work, but not the CNAMEs which carry the name of a server which did previously exist.

E.g. we used to have a server named smb6. I rsync'd the content to a new server named smb8, shut down the old server and set a CNAME smb6 pointing to smb8.

Using Windows 7 no problem to access the server with \\smb6.

Using Windows 10 I can't access it. \\smb8 and other CNAMEs do work.

Then I deleted the smb6 computer account in AD.

Then I found out that I might have to add a Kerberos SPN, which I did using:

    samba-tool spn add HOST/smb6 smb8$

Still no luck accessing that server under this specific CNAME under Windows 10.

Any suggestions?

Kind regards,

Henry
Hello,

On Sun, 22 Jul 2018 15:00:58 +0200 Henry Jensen via samba <samba at lists.samba.org> wrote:

> we successfully migrated from a Samba 3.x NT Domain to a Samba AD Domain
> using Samba 4.7.x.
>
> However, there are still some issues and I hope for your help.
>
> The biggest problem so far follows:
>
> For historical reasons our Samba file servers carry a lot of aliases.
> Now that they have become AD Members I did set a lot of CNAMEs in the AD
> DNS (using the Windows DNS Tool). Most of the aliases do work, but not
> the CNAMEs which carry the name of a server which did previously exist.
>
> E.g. we used to have a server named smb6. I rsync'd the content to a
> new server named smb8, shut down the old server and set a CNAME smb6
> pointing to smb8.
>
> Using Windows 7 no problem to access the server with \\smb6.
>
> Using Windows 10 I can't access it. \\smb8 and other CNAMEs do work.
>
> Then I deleted the smb6 computer account in AD.
>
> Then I found out that I might have to add a Kerberos SPN, which
> I did using:
>
>     samba-tool spn add HOST/smb6 smb8$
>
> Still no luck accessing that server under this specific CNAME under
> Windows 10.
>
> Any suggestions?

After two days it suddenly works. After adding the SPN I didn't change anything. Of course I did execute "net cache flush" and friends after setting the SPN, but somehow it must have been cached elsewhere.

Kind regards,

Henry
You can remember this. If you join a server, make sure that that server's "hostname" gets an A and PTR record. The PTR is most important. Now if you create a CNAME, through the PTR it knows its "original" hostname and Kerberos works. This is how I do all my setups.

As example:

    REALM    : INTERNAL.EXAMPLE.COM
    FQDN     : test-dc1.internal.example.com
    Hostname : test-dc1
    SPN        HOST/TEST-DC1
    SPN        HOST/test-dc1.internal.example.com
    A          test-dc1
    PTR        192.168.1.1
    ZONE       internal.example.com

What works:

    ZONE internal.example.com
    CNAME ntp1 => test-dc1
    CNAME ntp2 => test-dc2
    CNAME PDC  => test-dc1   ! NOTE, NOT PDC from Primary Domain Controller in NT4.0 domains, just primary (the one with FSMO)
    CNAME BDC1 => test-dc2   ! NOTE, NOT BDC from BACKUP Domain Controller in NT4.0 domains, just an extra DC
    CNAME BDC2 => test-dc2   ! NOTE, NOT BDC from BACKUP Domain Controller in NT4.0 domains, just an extra DC
    CNAME BDC3 => test-dc2   ! NOTE, NOT BDC from BACKUP Domain Controller in NT4.0 domains, just an extra DC

Yes I know, a bit of a bad example, but this is very clear.

Other example:

    ZONE example.com
    CNAME www.example.com => www.internal.example.com

    ZONE internal.example.com
    CNAME www.internal.example.com => test-dc1.internal.example.com

And yes, your Kerberos auth still works. And you don't need to add extra SPNs for aliases, that is, if your DNS setup is correct.

Just remember, every server must have an A and PTR record; it saves you a lot of problems. And best is to point your CNAME to the FQDN.

I hope these examples help a bit.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Henry Jensen via samba
> Sent: Tuesday 24 July 2018 10:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba and CNAME
>
> Hello,
>
> On Sun, 22 Jul 2018 15:00:58 +0200
> Henry Jensen via samba <samba at lists.samba.org> wrote:
>
> > we successfully migrated from a Samba 3.x NT Domain to a
> > Samba AD Domain using Samba 4.7.x.
> >
> > However, there are still some issues and I hope for your help.
> >
> > The biggest problem so far follows:
> >
> > For historical reasons our Samba file servers carry a lot
> > of aliases. Now that they have become AD Members I did set a lot of
> > CNAMEs in the AD DNS (using the Windows DNS Tool). Most of the aliases do
> > work, but not the CNAMEs which carry the name of a server which did
> > previously exist.
> >
> > E.g. we used to have a server named smb6. I rsync'd the content to a
> > new server named smb8, shut down the old server and set a
> > CNAME smb6 pointing to smb8.
> >
> > Using Windows 7 no problem to access the server with \\smb6.
> >
> > Using Windows 10 I can't access it. \\smb8 and other CNAMEs do work.
> >
> > Then I deleted the smb6 computer account in AD.
> >
> > Then I found out that I might have to add a Kerberos SPN, which
> > I did using:
> >
> >     samba-tool spn add HOST/smb6 smb8$
> >
> > Still no luck accessing that server under this specific CNAME under
> > Windows 10.
> >
> > Any suggestions?
>
> After two days it suddenly works. After adding the SPN I didn't change
> anything. Of course I did execute "net cache flush" and friends after
> setting the SPN, but somehow it must have been cached elsewhere.
>
> Kind regards,
>
> Henry
On Tue, 2018-07-24 at 10:56 +0200, L.P.H. van Belle via samba wrote:

> And you don't need to add extra SPNs for aliases, that is, if your DNS setup is correct.
> Just remember, every server must have an A and PTR record; it saves you a lot of problems.
> And best is to point your CNAME to the FQDN.

This only applies to some MIT clients. Windows does not follow the (untrustworthy, cryptographically) PTR record to find the real host name, it relies on the extra SPNs being on the record. That is why the SPNs were invented.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
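Since Windows clients look for the alias on the target account's servicePrincipalName rather than following the PTR, a defender can verify an alias before users hit "access denied". The following shell example is added here and is not code from anyone in the thread; it derives the two HOST SPNs an alias needs (short and FQDN form, the pattern in Louis's example), compares them case-insensitively against the existing SPN list, and adds only the missing ones with samba-tool. The function names, the zone name and the assumption that `samba-tool spn list` prints one SPN per line are mine.

```shell
#!/bin/sh
# Added example (not from the thread): make sure a CNAME alias has its
# Kerberos HOST SPNs on the computer account it points to.
# Assumes samba-tool is available on a DC; the thread's case is
# alias smb6 -> target smb8 in zone internal.example.com (assumed zone).

# Print the SPNs an alias needs: short name and FQDN, as in
# Louis's "SPN HOST/TEST-DC1" / "SPN HOST/test-dc1.internal.example.com".
spns_for_alias() {
  alias_name="$1"; zone="$2"
  printf 'HOST/%s\nHOST/%s.%s\n' "$alias_name" "$alias_name" "$zone"
}

# Print every SPN from the required list ($1, newline separated) that is
# not present in the existing list ($2). AD treats SPNs case-insensitively,
# so HOST/SMB6 already satisfies HOST/smb6.
missing_spns() {
  required="$1"; existing="$2"
  printf '%s\n' "$required" | while IFS= read -r spn; do
    [ -n "$spn" ] || continue
    if ! printf '%s\n' "$existing" | grep -qixF -- "$spn"; then
      printf '%s\n' "$spn"
    fi
  done
}

# Read the target account's current SPNs and add the missing alias SPNs.
# Only this function touches the directory; the helpers above are pure.
ensure_alias_spns() {
  alias_name="$1"; target="$2"; zone="$3"
  # Assumption: each SPN appears on its own (indented) line of the output.
  existing=$(samba-tool spn list "${target}\$" 2>/dev/null | tr -d ' \t')
  missing_spns "$(spns_for_alias "$alias_name" "$zone")" "$existing" |
  while IFS= read -r spn; do
    echo "adding $spn to ${target}\$"
    samba-tool spn add "$spn" "${target}\$"
  done
}

# Usage on a DC (assumed names): ensure_alias_spns smb6 smb8 internal.example.com
```

Run it after creating the CNAME and before retiring the old computer account, so the alias is resolvable and has its SPNs at the same time.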
On 24.07.2018 at 10:37, Henry Jensen via samba wrote:

> After two days it suddenly works. After adding the SPN I didn't change
> anything. Of course I did execute "net cache flush" and friends after
> setting the SPN, but somehow it must have been cached elsewhere.

This reminds me of my issue a few weeks ago. At first some DNS entry seemed to have timed out or so; after re-adding the CNAME (and SPN) the problems only faded after a few days as well.

Details: I have a "netbios alias" in smb.conf there to provide 2 names for one server ... the former admin spread links with both names all over the place ... I saw a Word document with more than 650 hyperlinks in it ... phew.

For now no more issues ...