> (and it seems my setup with the same name to mean different things
> depending on the location based on overriding CNAMEs does not work
> for this reason: validity of such server can't be verified, and the
> clients can - in theory - be tricked to access wrong, malicious server
> instead of the right one, unless I'll do it some other way).

My (very incomplete) understanding is CNAMES work, as they then use referred SPN instead of the CNAME. So, your problem might be that FS/CIFS at DOMAIN.tld is already an existing principal in AD, instead of global CNAME that only exists in DNS?

-Kris
Andrew Bartlett
2022-Nov-28 23:12 UTC
[Samba] How does AD/SMB clients authenticate servers?
On Mon, 2022-11-28 at 12:01 -0800, Kris Lou via samba wrote:
> > (and it seems my setup with the same name to mean different things
> > depending on the location based on overriding CNAMEs does not work
> > for this reason: validity of such server can't be verified, and the
> > clients can - in theory - be tricked to access wrong, malicious server
> > instead of the right one, unless I'll do it some other way).
>
> My (very incomplete) understanding is CNAMES work, as they then use
> referred SPN instead of the CNAME. So, your problem might be that
> FS/CIFS at DOMAIN.tld is already an existing principal in AD, instead of
> global CNAME that only exists in DNS?
> -Kris

I wanted to write more (and may get a chance to later) but this is it.

Just like certificates in a browser, the name in the URL bar must match the certificate exactly, and one certificate can have many names.

So no matter what (untrusted) DNS does under the hood, the name in the UNC path is the name that the SPN must be for.

That it works without a SPN-registered name is down to NTLM fallback, which has much weaker protection, and all servers can impersonate each other (to an extent).

Andrew,

--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
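The point Andrew makes above (the SPN must be for the name typed in the UNC path, whatever DNS resolves it to) can be turned into a small audit. The following is an added example, not code from the thread or from Samba; it assumes the client asks the KDC for `cifs/<host as typed>` and that AD's default sPNMappings let a `host/<name>` SPN satisfy `cifs/<name>`. The account data, CNAME records and names are constructed.

```python
"""Audit which SMB names get Kerberos and which silently fall back to NTLM.

Constructed example. Assumes the SMB client requests cifs/<name as typed
in the UNC path> and that host/<name> covers cifs/<name> (AD default).
"""

# Constructed: AD computer accounts and their registered SPNs.
AD_ACCOUNTS = {
    "FS1$": ["host/fs1.domain.tld", "host/FS1",
             "cifs/fs1.domain.tld", "cifs/FS1"],
    "FS2$": ["host/fs2.domain.tld", "host/FS2"],
}

# Constructed: DNS CNAME records, alias -> canonical target.
DNS_CNAMES = {
    "fs.domain.tld": "fs1.domain.tld",   # this site's alias points at FS1
}


def spn_from_unc(unc_path: str) -> str:
    # \\fs.domain.tld\share -> cifs/fs.domain.tld: the typed name, not the
    # CNAME target, is what the client asks the KDC for.
    host = unc_path.lstrip("\\").split("\\", 1)[0]
    return "cifs/" + host


def kerberos_account_for(spn: str):
    # Account holding the SPN directly, or the covering host/ SPN; None if
    # no account holds it (the KDC cannot issue a ticket for that name).
    _service, _, name = spn.partition("/")
    wanted = {spn.lower(), ("host/" + name).lower()}
    for account, spns in AD_ACCOUNTS.items():
        if wanted & {s.lower() for s in spns}:
            return account
    return None


def audit(unc_path: str) -> dict:
    spn = spn_from_unc(unc_path)
    host = spn.split("/", 1)[1]
    account = kerberos_account_for(spn)
    return {"spn": spn, "resolves_to": DNS_CNAMES.get(host, host),
            "account": account, "kerberos": account is not None,
            "auth": "kerberos" if account else "ntlm fallback (no server proof)"}


def aliases_needing_spn() -> dict:
    # Each DNS alias without an SPN, mapped to the account that should hold
    # cifs/<alias>. An SPN can live on only one account in the forest, which
    # is why one alias cannot mean a different server per site.
    return {alias: kerberos_account_for("cifs/" + target)
            for alias, target in DNS_CNAMES.items()
            if kerberos_account_for("cifs/" + alias) is None}
```

Run `audit(r"\\fs.domain.tld\share")` to see the alias drop to NTLM even though DNS resolves it to FS1, and `aliases_needing_spn()` to list the SPN registrations that would fix it.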