samba - Oct 2020 - [Fwd: Joining AD - wrong DNS name, wrong keytab]

Maybe I wrote it misleading, its just a DNS name, not whole active
directory subdomain.

Jan
> If it is a bug, it is a bug that has been fixed. I am actually
> surprised 
> that you could join a computer with the wrong dns domain.
> 
> Samba does not do subdomains (yet)
> 
> Rowland

On 13/10/2020 09:10, Jan Zh??al via samba wrote:
> Maybe I wrote it misleading, its just a DNS name, not whole active
> directory subdomain.
>
> Jan
>
OK, lets us suppose that your AD uses the 'example.com' dns domain, this
means your Kerberos realm will be 'EXAMPLE.COM'. You then want to join a
computer in the 'base.example.com' dns domain, why ? and why do think it
should work ?

The computer you are joining to a Samba AD domain should be in the AD 
dns domain, whilst it may join with an incorrect dns domain, any UPN and 
SPN's created will use the correct REALM for the AD domain.

Rowland

Thank you for input!

UPN is set OK - client.base.example.com (as it is specified in join
command). 

SPN is not. And it is as well confusing - I can provide UPN, but cannot
say what will be in SPN.

But if this is working as designed, I cease any questions. 

The DNS setup is done to easily distinguish between servers and cliens
mainly as well as other services. 

J.


On Tue, 2020-10-13 at 09:32 +0100, Rowland penny via samba
wrote:
> On 13/10/2020 09:10, Jan Zh??al via samba wrote:
> > Maybe I wrote it misleading, its just a DNS name, not whole active
> > directory subdomain.
> > 
> > Jan
> > 
> OK, lets us suppose that your AD uses the 'example.com' dns domain,
> this 
> means your Kerberos realm will be 'EXAMPLE.COM'. You then want to
> join a 
> computer in the 'base.example.com' dns domain, why ? and why do
think
> it 
> should work ?
> 
> The computer you are joining to a Samba AD domain should be in the
> AD 
> dns domain, whilst it may join with an incorrect dns domain, any UPN
> and 
> SPN's created will use the correct REALM for the AD domain.
> 
> Rowland
> 
> 
>