Rowland Penny
2022-Nov-22 11:05 UTC
[Samba] adding server aliases after joining to a domain
On 22/11/2022 10:13, Michael Tokarev via samba wrote:
> Hi!
>
> I've added a second name for a server, after it has been successfully
> joined to the domain.  But how to configure it so it knows its own
> secondary name(s) and request kerberos ticket for it?
>
> [2022/11/22 13:07:53.558416,  1] ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)
>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/FS@TLS.MSK.RU(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>
> This is server named SVFSP, with an alias FS (File Server).
>
> I remember this can be done at the time of join when smb.conf
> has netbios aliases = FS line.  But how to add it after the
> join?
>
> BTW, can there be several FSes in the same domain?
>
> Thanks,
>
> /mjt

Using 'netbios aliases' went out with NT4-style domains, you now need to use a CNAME.

You can add one with samba-tool:

samba-tool dns add <server> <zone> <name> CNAME fqdn_string -U Administrator

Where:
<server> is the DC to carry out the modification on.
<zone> is the AD dns domain
<name> is the Alias (what you are calling the 'netbios alias')
fqdn_string is the fully qualified name that you want the CNAME to point to.

Rowland
Michael Tokarev
2022-Nov-22 11:15 UTC
[Samba] adding server aliases after joining to a domain
22.11.2022 14:05, Rowland Penny via samba wrote:
> On 22/11/2022 10:13, Michael Tokarev via samba wrote:
>> Hi!
>>
>> I've added a second name for a server, after it has been successfully joined to the
>> domain.  But how to configure it so it knows its own secondary name(s) and request
>> kerberos ticket for it?
>>
>> [2022/11/22 13:07:53.558416,  1] ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)
>>   gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/FS@TLS.MSK.RU(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
>>
>> This is server named SVFSP, with an alias FS (File Server).
>>
>> I remember this can be done at the time of join when smb.conf
>> has netbios aliases = FS line.  But how to add it after the
>> join?
>>
>> BTW, can there be several FSes in the same domain?
>>
>> Thanks,
>
> Using 'netbios aliases' went out with NT4-style domains, you now need to use a CNAME.

It works just fine when joining the domain -- samba-tool adds all the names
listed in netbios aliases as SPNs and CNAMEs automatically.

> You can add one with samba-tool:
>
> samba-tool dns add <server> <zone> <name> CNAME fqdn_string -U Administrator

Hello Rowland!  I'm not asking how to add a CNAME - that part is working just fine.
It is not a problem for a client to find the server under alternative name.

What I'm asking is how to add - as it turned out - a second SPN, so that the
server knows its other names.  It is not sufficient to give alternative way
for a client for finding the server.  It is also necessary for the server to know
its other names, so it knows to reply to the alternative names too.

See the log entry I provided above - *this* is what I'm asking about.

And especially how to deal with DUPLICATE service names, -- it seems like this
is not possible.

Thanks,

/mjt
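
Added example, not part of the thread and not Samba project code: a small parser that pulls the service principals smbd could not find in its keytab out of log entries like the one quoted above, so the names clients are actually requesting can be listed. The function names, the second sample entry and the legacy-enctype set are assumptions made for this illustration.

```python
import re
from collections import Counter

# Matches the gss_accept_sec_context failure logged when a client presents a
# ticket for a principal that is absent from the server's keytab.
# " at " is accepted in place of "@" because list archives rewrite it that way.
MISSING_SPN = re.compile(
    r"Failed to find (?P<service>[^/\s]+)/(?P<host>[^@\s]+)"
    r"(?:@| at )(?P<realm>[^\s(]+)\s*\(kvno (?P<kvno>\d+)\)"
    r" in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)"
)

# Assumption for this example: enctypes worth flagging as legacy.
LEGACY_ENCTYPES = {"arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}

# First entry is the one from the thread; the second is constructed
# (wrapped across lines, archive-style " at ") to exercise the parser.
SAMPLE_LOG = """\
[2022/11/22 13:07:53.558416,  1] ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/FS@TLS.MSK.RU(kvno 2) in keytab MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
[2022/11/22 13:08:10.000000,  1] ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token)
  gss_accept_sec_context failed with [ Miscellaneous failure (see
  text): Failed to find cifs/FS at TLS.MSK.RU(kvno 2) in keytab
  MEMORY:cifs_srv_keytab (arcfour-hmac-md5)]
"""

def missing_spns(log_text):
    """Count (spn, kvno, enctype) for every keytab miss found in log_text."""
    # Messages may be wrapped across lines; collapse whitespace before matching.
    flat = " ".join(log_text.split())
    hits = Counter()
    for m in MISSING_SPN.finditer(flat):
        spn = f"{m['service']}/{m['host']}@{m['realm']}"
        hits[(spn, int(m["kvno"]), m["enctype"])] += 1
    return hits

def report(log_text):
    """One summary line per distinct missing principal, legacy enctypes flagged."""
    lines = []
    for (spn, kvno, enctype), seen in sorted(missing_spns(log_text).items()):
        note = " [legacy enctype]" if enctype in LEGACY_ENCTYPES else ""
        lines.append(f"{spn} kvno={kvno} enctype={enctype} seen={seen}{note}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
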