Michael Tokarev
2022-Nov-22 11:15 UTC
[Samba] adding server aliases after joining to a domain
22.11.2022 14:05, Rowland Penny via samba wrote:> > > On 22/11/2022 10:13, Michael Tokarev via samba wrote: >> Hi! >> >> I've added a second name for a server, after it has been successfully joined to the >> domain.? But how to configure it so it knows its own secondary name(s) and request >> kerberos ticket for it? >> >> [2022/11/22 13:07:53.558416,? 1] ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token) >> ?? gss_accept_sec_context failed with [ Miscellaneous failure (see text): Failed to find cifs/FS at TLS.MSK.RU(kvno 2) in keytab MEMORY:cifs_srv_keytab >> (arcfour-hmac-md5)] >> >> This is server named SVFSP, with an alias FS (File Server). >> >> I remember this can be done at the time of join when smb.conf >> has netbios aliases = FS line.? But how to add it after the >> join? >> >> BTW, can there be several FSes in the same domain? >> >> Thanks, > > Using 'netbios aliases' went out with NT4-style domains, you now need to use a CNAME.It works just fine when joining the domain -- samba-tool adds all the names listed in netbios aliases as SPNs and CNAMEs automatically.> You can add one with samba-tool: > > samba-tool dns add <server> <zone> <name> CNAME fqdn_string -U AdministratorHello Rowland! I'm not asking how to add a CNAME - that part is working just fine. It is not a problem for a client to find the server under alternative name. What I'm asking is how to add - as it turned out - a second SPN, so that the server knows the other its names. It is not sufficient to give alternative way for a client for finding the server. It is also necessary for the server to know its other names, so it knows to reply to the alternative names too. See the log entry I provided above - *this* is what I'm asking about. And especially how to deal with DUPLICATE service names, -- it seems like this is not possible. Thanks, /mjt
Rowland Penny
2022-Nov-22 11:32 UTC
[Samba] adding server aliases after joining to a domain
On 22/11/2022 11:15, Michael Tokarev via samba wrote:> 22.11.2022 14:05, Rowland Penny via samba wrote: >> >> >> On 22/11/2022 10:13, Michael Tokarev via samba wrote: >>> Hi! >>> >>> I've added a second name for a server, after it has been successfully >>> joined to the >>> domain.? But how to configure it so it knows its own secondary >>> name(s) and request >>> kerberos ticket for it? >>> >>> [2022/11/22 13:07:53.558416,? 1] >>> ../../source3/librpc/crypto/gse.c:695(gse_get_server_auth_token) >>> ?? gss_accept_sec_context failed with [ Miscellaneous failure (see >>> text): Failed to find cifs/FS at TLS.MSK.RU(kvno 2) in keytab >>> MEMORY:cifs_srv_keytab (arcfour-hmac-md5)] >>> >>> This is server named SVFSP, with an alias FS (File Server). >>> >>> I remember this can be done at the time of join when smb.conf >>> has netbios aliases = FS line.? But how to add it after the >>> join? >>> >>> BTW, can there be several FSes in the same domain? >>> >>> Thanks, >> >> Using 'netbios aliases' went out with NT4-style domains, you now need >> to use a CNAME. > > It works just fine when joining the domain -- samba-tool adds all the > names listed in > netbios aliases as SPNs and CNAMEs automatically. > >> You can add one with samba-tool: >> >> samba-tool dns add <server> <zone> <name> CNAME fqdn_string -U >> Administrator > > Hello Rowland! > > I'm not asking how to add a CNAME - that part is working just fine. > > It is not a problem for a client to find the server under alternative > name. > > What I'm asking is how to add - as it turned out - a second SPN, so > that the server knows the other its names. > > It is not sufficient to give alternative way for a client for finding > the server.? It is also necessary for the server to know its other > names, so it knows to reply to the alternative names too. See the > log entry I provided above - *this* is what I'm asking about. > > And especially how to deal with DUPLICATE service names, -- it seems > like this is not possible. > > Thanks, > > /mjt >netbios aliases relied on SMBv1 and wins and do not work with AD, they have been replaced with dns CNAME's. You use CNAME's just like normal dns names, so you can add an SPN to a CNAME, but the SPN, like a lot of other things in AD, must be unique. Rowland