31.01.2023 08:55, Matt Savin via samba wrote:
> In group policies use DNS aliases, then you'll need to change only DNS
> entries for these aliases to point to a new host(s).

I'd say don't use simple DNS aliases (CNAMEs) in a DC, but use SPNs instead
(see samba-tool spn). This will manage CNAMEs too, and also manages the KRB
tickets and proper authentication of the server to the client.
(After changing SPNs for a host, one needs to re-generate the keytab.)

/mjt
On 1/31/23 02:13, Michael Tokarev via samba wrote:
> 31.01.2023 08:55, Matt Savin via samba wrote:
>> In group policies use DNS aliases, then you'll need to change only DNS
>> entries for these aliases to point to a new host(s).
>
> I'd say don't use simple DNS aliases (CNAMEs) in a DC, but use SPNs instead
> (see samba-tool spn). This will manage CNAMEs too, and also manages the KRB
> tickets and proper authentication of the server to the client.
> (After changing SPNs for a host, one needs to re-generate the keytab.)
>
> /mjt

Great suggestion! I'll have to investigate that.

31.01.2023 10:13, Michael Tokarev wrote:
> I'd say don't use simple DNS aliases (CNAMEs) in a DC, but use SPNs
> instead

In an AD Domain I mean, not in a DC.

/mjt

This bit is confusing. The DNS runs on the DC, so what do you mean "not in a DC"?

--Mark
Andrew Bartlett
2023-Jan-31 18:59 UTC
[Samba] The link (or more particularity the lack of a link) between AD SPNs and DNS
On Tue, 2023-01-31 at 10:13 +0300, Michael Tokarev via samba wrote:
> 31.01.2023 08:55, Matt Savin via samba wrote:
>> In group policies use DNS aliases, then you'll need to change only
>> DNS
>> entries for these aliases to point to a new host(s).
>
> I'd say don't use simple DNS aliases (CNAMEs) in a DC, but use SPNs
> instead
> (see samba-tool spn). This will manage CNAMEs too, and also manages
> the KRB
> tickets and proper authentication of the server to the client.
> (After changing SPNs for a host, one needs to re-generate the keytab.)
>
> /mjt

To be clear, you need both the CNAME or alternate A records AND the SPN;
DNS is not managed by samba-tool spn.

The client doesn't resolve what the CNAME or A points to to find a
canonical name, as DNS is untrusted in AD, but by the same token the
choice of naming technology (NetBIOS broadcast, local hosts file, DNS A,
AAAA or CNAME) doesn't impact on the use of SPNs.

So essentially, both DNS and SPNs need to be set up, and to match.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)                       https://samba.org/~abartlet/
Samba Team Member (since 2001)                 https://samba.org
Samba Team Lead, Catalyst IT                   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst.Net Limited
Catalyst.Net Ltd - a Catalyst IT group company - Expert Open Source Solutions
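An added example, not from the thread and not Samba project code, illustrating Andrew's point that DNS and SPNs are set up separately and have to match. The script takes constructed text loosely modelled on `samba-tool spn list` output and a constructed map of AD DNS records (both embedded below so it runs offline; the host, alias and zone names are made up), follows CNAMEs back to the host's A record, and reports every alias that lacks a HOST/ or cifs/ SPN as well as every SPN whose FQDN has no DNS record at all. The function names and the `REQUIRED_SERVICES` tuple are assumptions for this example.

```python
"""Cross-check a member server's SPNs against its DNS names.

Both inputs are constructed samples for this example; in practice you
would feed in the real output of `samba-tool spn list <account>` and
`samba-tool dns query`, which this example does not call.
"""

# Constructed sample, loosely modelled on `samba-tool spn list FS01$`.
SAMPLE_SPN_OUTPUT = """\
User CN=FS01,CN=Computers,DC=example,DC=com has the following servicePrincipalName:
\t HOST/FS01
\t HOST/fs01.example.com
\t cifs/fs01.example.com
\t HOST/files.example.com
\t cifs/files.example.com
\t HOST/legacy.example.com
"""

# Constructed sample of the AD DNS zone: name -> (record type, target).
SAMPLE_DNS = {
    "fs01.example.com": ("A", "192.0.2.10"),
    "files.example.com": ("CNAME", "fs01.example.com"),
    "oldfiles.example.com": ("CNAME", "fs01.example.com"),  # alias, no SPN
}

# Service classes a file server alias needs (assumption for this example).
REQUIRED_SERVICES = ("HOST", "cifs")


def parse_spn_list(text):
    """Pull 'service/name' entries out of spn-list style output."""
    spns = set()
    for line in text.splitlines():
        line = line.strip()
        if "/" in line and " " not in line:
            spns.add(line)
    return spns


def canonical_name(name, dns, max_hops=8):
    """Follow CNAMEs to an A/AAAA owner; None if dangling or looping."""
    seen = set()
    cur = name.lower()
    while cur not in seen and len(seen) < max_hops:
        seen.add(cur)
        rec = dns.get(cur)
        if rec is None:
            return None
        rtype, target = rec
        if rtype in ("A", "AAAA"):
            return cur
        cur = target.lower()
    return None


def aliases_for_host(host_fqdn, dns):
    """Every DNS name (including the host itself) that resolves to host_fqdn."""
    host = host_fqdn.lower()
    return {n for n in dns if canonical_name(n, dns) == host}


def check_spn_dns_consistency(spn_output, dns, host_fqdn):
    """Return (aliases missing SPNs, SPNs whose FQDN has no DNS record)."""
    spns = {s.lower() for s in parse_spn_list(spn_output)}
    missing = {}
    for name in sorted(aliases_for_host(host_fqdn, dns)):
        need = [f"{svc.lower()}/{name}" for svc in REQUIRED_SERVICES]
        gaps = [s for s in need if s not in spns]
        if gaps:
            missing[name] = gaps
    # Only FQDN-style SPNs are checked against DNS; short names like HOST/FS01
    # are resolved by NetBIOS/short-name lookup and are skipped here.
    dangling = sorted(
        s for s in spns
        if "." in s.split("/", 1)[1] and s.split("/", 1)[1] not in dns
    )
    return missing, dangling


if __name__ == "__main__":
    missing, dangling = check_spn_dns_consistency(
        SAMPLE_SPN_OUTPUT, SAMPLE_DNS, "fs01.example.com")
    for alias, gaps in missing.items():
        print(f"DNS name {alias} points at the host but lacks SPNs: {gaps}")
    for spn in dangling:
        print(f"SPN {spn} has no DNS record behind it")
```

On the sample data the report flags `oldfiles.example.com` (a CNAME with no HOST/ or cifs/ SPN, so Kerberos clients using that name will not get a usable ticket) and `HOST/legacy.example.com` (an SPN for a name nothing resolves). The first case is where you would add the SPNs with `samba-tool spn add` and then, as Michael notes above, regenerate the keytab; the second is a candidate for cleanup.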