Valentin Cheche
2014-03-09 14:20:01 UTC
Hello,
I have setup a Samba 4 ADDC following the tutorial in the wiki. I
need it to be a DC and a fileserver.
Everything works fine and dandy except that I cannot access the
file shares via a DNS alias, instead of the original hostname/DNS
name. And I need this for various reasons, enough to halt going live
with it if it doesn't work. :-(
When accessing via the machine's fqdn everything works. When using
a DNS alias I can get to list the shares but I get access denied when
trying to get into them.
I did not find any relevant info in the wiki or online for this
usecase with samba4. I may be wrong, but....I did spend hours
debugging this.
I only stumbled upon the same problem when using Ms ADDC servers,
which pointed out 2 necessary configs in order for aliases to work:
1. Add the DisableStrictNameChecking value in the server-side registry
in the LanMan parameters.
2. Set the 2 required SPNs for every alias needed (windows tool syntax).
setspn -a host/aliasname targetserver_netbios_name
setspn -a host/aliasname.domain.ext targetserver_netbios_name
My env details:
Hostname: dc0
Domain: timco.int
OS is Debian 7.4 x64
Samba 4.1.5 compiled from master, domain deployed with Internal_DNS
Network is composed from Win 7 SP1 x64 machines
So, added the necessary SPNs:
samba-tool spn add HOST/file DC0$
samba-tool spn add HOST/file.timco.int DC0$
Then I setup the alias to dc0.timco.int into DNS:
- first as a CNAME (file.timco.int) to dc0.timco.int --> failed
- then as an A record pointing to the same IP as dc0.timco.int. --> failed
Now am I missing something? I even remotely accessed the registry
tree Samba4 exposes and added the DisableStrictNameChecking value from
a Win machine.
If there is a way to make this work, I have another, even more wierd usecase.
I may need to expose the shares under an older DNS domain suffix,
different from the one in Samba4.
Meaning: in an upstream DNS server I have an older suffix
(oldtim.local) that needs to stay around for a while and the old
fileserver was under fileserver.oldtim.local.
Now if I point fileserver.oldtim.local (via A record or CNAME) to
the Samba4 server, is there a way to make it work? So far, it acts
just like file.timco.int. I can list the shares, but get access denied
when trying to dig in.
As a sidenote, for now I am a complete noob in everything Kerberos,
and just learning now the paraphernalia and inner works of it, so
please bear with me. (I have a feeling the problem here lies in krb,
but not sure where to look.)
Thank you,
Val.
I have setup a Samba 4 ADDC following the tutorial in the wiki. I
need it to be a DC and a fileserver.
Everything works fine and dandy except that I cannot access the
file shares via a DNS alias, instead of the original hostname/DNS
name. And I need this for various reasons, enough to halt going live
with it if it doesn't work. :-(
When accessing via the machine's fqdn everything works. When using
a DNS alias I can get to list the shares but I get access denied when
trying to get into them.
I did not find any relevant info in the wiki or online for this
usecase with samba4. I may be wrong, but....I did spend hours
debugging this.
I only stumbled upon the same problem when using Ms ADDC servers,
which pointed out 2 necessary configs in order for aliases to work:
1. Add the DisableStrictNameChecking value in the server-side registry
in the LanMan parameters.
2. Set the 2 required SPNs for every alias needed (windows tool syntax).
setspn -a host/aliasname targetserver_netbios_name
setspn -a host/aliasname.domain.ext targetserver_netbios_name
My env details:
Hostname: dc0
Domain: timco.int
OS is Debian 7.4 x64
Samba 4.1.5 compiled from master, domain deployed with Internal_DNS
Network is composed from Win 7 SP1 x64 machines
So, added the necessary SPNs:
samba-tool spn add HOST/file DC0$
samba-tool spn add HOST/file.timco.int DC0$
Then I setup the alias to dc0.timco.int into DNS:
- first as a CNAME (file.timco.int) to dc0.timco.int --> failed
- then as an A record pointing to the same IP as dc0.timco.int. --> failed
Now am I missing something? I even remotely accessed the registry
tree Samba4 exposes and added the DisableStrictNameChecking value from
a Win machine.
If there is a way to make this work, I have another, even more wierd usecase.
I may need to expose the shares under an older DNS domain suffix,
different from the one in Samba4.
Meaning: in an upstream DNS server I have an older suffix
(oldtim.local) that needs to stay around for a while and the old
fileserver was under fileserver.oldtim.local.
Now if I point fileserver.oldtim.local (via A record or CNAME) to
the Samba4 server, is there a way to make it work? So far, it acts
just like file.timco.int. I can list the shares, but get access denied
when trying to dig in.
As a sidenote, for now I am a complete noob in everything Kerberos,
and just learning now the paraphernalia and inner works of it, so
please bear with me. (I have a feeling the problem here lies in krb,
but not sure where to look.)
Thank you,
Val.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba