samba - Nov 2022 - adding server aliases after joining to a domain

Op 22-11-2022 om 11:13 schreef Michael Tokarev via
samba:
> Hi!
>
> I've added a second name for a server, after it has been successfully 
> joined to the
> domain.? But how to configure it so it knows its own secondary name(s) 
> and request
> kerberos ticket for it?
>
> [2022/11/22 13:07:53.558416,? 1] 
> ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)
> ? gss_accept_sec_context failed with [ Miscellaneous failure (see 
> text): Failed to find cifs/FS at TLS.MSK.RU(kvno 2) in keytab 
> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> This is server named SVFSP, with an alias FS (File Server).
Not sure what you mean exactly but I assume you want to add an SPN to a 
computer or user object?

samba-tool spn add <principal> <acoount>

And export the keytab for the account on the client machine
>
> I remember this can be done at the time of join when smb.conf
> has netbios aliases = FS line.? But how to add it after the
> join?
>
> BTW, can there be several FSes in the same domain?
>
> Thanks,
>
> /mjt
>

22.11.2022 13:20, Kees van Vloten via samba wrote:
> 
> Op 22-11-2022 om 11:13 schreef Michael Tokarev via samba:
>> Hi!
>>
>> I've added a second name for a server, after it has been
successfully joined to the
>> domain.? But how to configure it so it knows its own secondary name(s)
and request
>> kerberos ticket for it?
>>
>> [2022/11/22 13:07:53.558416,? 1]
../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)
>> ? gss_accept_sec_context failed with [ Miscellaneous failure (see
text): Failed to find cifs/FS at TLS.MSK.RU(kvno 2) in keytab
MEMORY:cifs_srv_keytab
>> (arcfour-hmac-md5)]
>>
>> This is server named SVFSP, with an alias FS (File Server).
> 
> Not sure what you mean exactly but I assume you want to add an SPN to a
computer or user object?
It looks like, yes.
> samba-tool spn add <principal> <acoount>
Aha.

This can also be modified by editing the computer account, adding
servicePrincipalName attribute.

But now I've an interesting issue.  It looks like there can't be
more than one server with the same SPN.

check_spn_direct_collision: SPN 'CIFS/FS' is on
'CN=TSRV,CN=Computers,DC=tls,DC=msk,DC=ru' so it can't be added to
'CN=SVFSP,CN=Computers,DC=tls,DC=msk,DC=ru'
samldb_spn_uniqueness_check: SPN CIFS/FS failed direct uniqueness check
ERROR(ldb): Failed to modify computer 'svfsp':  - samldb: spn[CIFS/FS]
would cause a conflict
>> BTW, can there be several FSes in the same domain?
Here was the second part of my question.

This is my second attempt to assign a short name for
a server in a remote office.  After this suggestion:

https://lists.samba.org/archive/samba/2022-November/242835.html

Can it be made to work?

Thanks,

/mjt

On 22/11/2022 10:20, Kees van Vloten via samba wrote:
> 
> Not sure what you mean exactly but I assume you want to add an SPN to a 
> computer or user object?
> 
> samba-tool spn add <principal> <acoount>
> 
> And export the keytab for the account on the client machine
Not required, use a CNAME.
An SPN is required in the computers object that the CNAME points to and 
that is what will be used.

Rowland