[Curiosity] 'netbios aliases' works in AD mode?


Samba - General mailing list

As stated in subject.

I suppose in 'DC mode' no, but as DM I can define an alias for the
machine?

Looking at:

        https://bugzilla.samba.org/show_bug.cgi?id=1703

seems 'yes' to me...


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: [Curiosity] 'netbios aliases' works in AD mode?

We have used it on a domain member server, yes.

Only one thing: when you have a computer account memberserver$ in your AD,
you cannot use "memberserver" as an alias on another machine.

MJ

On 12/05/2017 04:00 PM, Marco Gaiarin via samba wrote:

>
> As stated in subject.
>
> I suppose in 'DC mode' no, but as DM I can define an alias for the
> machine?
>
> Looking at:
>
> https://bugzilla.samba.org/show_bug.cgi?id=1703
>
> seems 'yes' to me...
>
>
> Thanks.
>


Re: [Curiosity] 'netbios aliases' works in AD mode?

On Tue, 2017-12-05 at 16:14 +0100, mj via samba wrote:
> We have used it on a domain member server, yes.
>
> Only one thing: when you have a computer account memberserver$ in your AD,
> you cannot use "memberserver" as an alias on another machine.

And you should register any such alias as a servicePrincipalName.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [Curiosity] 'netbios aliases' works in AD mode?

Hello! mj via samba
  On that day it was said...

> Only one thing: when you have a computer account memberserver$ in your AD, you
> cannot use "memberserver" as an alias on another machine.

Ok, thanks for the note.

Anyway, no: I only need to define some ''common'' service names (FILE,
CUPS, ...) so I don't need to rewrite so many scripts. ;)

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66

Re: [Curiosity] 'netbios aliases' works in AD mode?

Hello! Andrew Bartlett via samba
  On that day it was said...

> > We have used it on a domain member server, yes.
> > Only one thing: when you have a computer account memberserver$ in your AD,
> > you cannot use "memberserver" as an alias on another machine.
> And you should register any such alias as a servicePrincipalName.

Ahem, looking at the wiki and Google does not help me.


Supposing I have a DM like 'vdmsv1.ad.fvg.lnf.it', and I need to
create an alias 'file', I need to add 'file' to 'netbios aliases' and
also do something like:

        samba-tool spn add host/vdmsv1.ad.fvg.lnf.it file.ad.fvg.lnf.it


This leads me to another question: in this way, aliases are ''domain
wide'', right? E.g., I cannot have a DM aliased 'file' in a LAN and
another DM aliased 'file' in another LAN, as was used before with
NT-like domains (two different domains).

Right?

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66

Re: [Curiosity] 'netbios aliases' works in AD mode?

On Wed, 2017-12-06 at 11:19 +0100, Marco Gaiarin via samba wrote:

> Hello! Andrew Bartlett via samba
>   On that day it was said...
>
> > > We have used it on a domain member server, yes.
> > > Only one thing: when you have a computer account memberserver$ in your AD,
> > > you cannot use "memberserver" as an alias on another machine.
> >
> > And you should register any such alias as a servicePrincipalName.
>
> Ahem, looking at the wiki and Google does not help me.
>
>
> Supposing I have a DM like 'vdmsv1.ad.fvg.lnf.it', and I need to
> create an alias 'file', I need to add 'file' to 'netbios aliases' and
> also do something like:
>
> samba-tool spn add host/vdmsv1.ad.fvg.lnf.it file.ad.fvg.lnf.it
>
>
> This leads me to another question: in this way, aliases are ''domain
> wide'', right? E.g., I cannot have a DM aliased 'file' in a LAN and
> another DM aliased 'file' in another LAN, as was used before with
> NT-like domains (two different domains).

Correct, you can't use the different netbios namespaces to do that.
Not that real NT4 allowed different netbios namespaces either, but all
sorts of games were possible (I've done that myself back in the day
with Samba).  

You can't even use DNS search paths on the clients and then fully
qualified aliases as the client will ask for a ticket for exactly the
name stated, not the FQDN as this avoids insecure DNS being an attack
point.

I hope this clarifies things,

Andrew Bartlett

Re: [Curiosity] 'netbios aliases' works in AD mode?

Hello! Andrew Bartlett via samba
  On that day it was said...

> > This leads me to another question: in this way, aliases are ''domain
> > wide'', right? E.g., I cannot have a DM aliased 'file' in a LAN and
> > another DM aliased 'file' in another LAN, as was used before with
> > NT-like domains (two different domains).

> Correct, you can't use the different netbios namespaces to do that.
> Not that real NT4 allowed different netbios namespaces either, but all
> sorts of games were possible (I've done that myself back in the day
> with Samba).  

Good to know. Thanks.


> You can't even use DNS search paths on the clients and then fully
> qualified aliases as the client will ask for a ticket for exactly the
> name stated, not the FQDN as this avoids insecure DNS being an attack
> point.

Mmmhhh... I'll try to give an example.

Supposing we have 'vdmsv1.ad.fvg.lnf.it' aliased with 'file.sv.lnf.it'
in LAN 1, and 'vdmpp1.ad.fvg.lnf.it' aliased with 'file.pp.lnf.it' in
LAN 2.

If a client in LAN 1 has 'sv.lnf.it' in its search path, and in LAN 2
'pp.lnf.it', I cannot alias 'file' on both because the ticket gets asked
for 'vdmsv1.ad.fvg.lnf.it' and 'vdmpp1.ad.fvg.lnf.it'. Right?


> I hope this clarifies things,

Sure, but... really I haven't found many examples about 'spn add' and so
I'm still in doubt. Is this right?

> > Supposing I have a DM like 'vdmsv1.ad.fvg.lnf.it', and I need to
> > create an alias 'file', I need to add 'file' to 'netbios aliases' and
> > also do something like:
> >
> > samba-tool spn add host/vdmsv1.ad.fvg.lnf.it file.ad.fvg.lnf.it

Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66

Re: [Curiosity] 'netbios aliases' works in AD mode?

On Thu, 2017-12-07 at 10:48 +0100, Marco Gaiarin via samba wrote:

> Hello! Andrew Bartlett via samba
>   On that day it was said...
>
> > > This leads me to another question: in this way, aliases are ''domain
> > > wide'', right? E.g., I cannot have a DM aliased 'file' in a LAN and
> > > another DM aliased 'file' in another LAN, as was used before with
> > > NT-like domains (two different domains).
> > Correct, you can't use the different netbios namespaces to do that.
> > Not that real NT4 allowed different netbios namespaces either, but all
> > sorts of games were possible (I've done that myself back in the day
> > with Samba).
>
> Good to know. Thanks.
>
>
> > You can't even use DNS search paths on the clients and then fully
> > qualified aliases as the client will ask for a ticket for exactly the
> > name stated, not the FQDN as this avoids insecure DNS being an attack
> > point.
>
> Mmmhhh... I'll try to give an example.
>
> Supposing we have 'vdmsv1.ad.fvg.lnf.it' aliased with 'file.sv.lnf.it'
> in LAN 1, and 'vdmpp1.ad.fvg.lnf.it' aliased with 'file.pp.lnf.it' in
> LAN 2.
>
> If a client in LAN 1 has 'sv.lnf.it' in its search path, and in LAN 2
> 'pp.lnf.it', I cannot alias 'file' on both because the ticket gets asked
> for 'vdmsv1.ad.fvg.lnf.it' and 'vdmpp1.ad.fvg.lnf.it'. Right?

No, it will ask for 'file'.  If the servicePrincipalName is not unique,
the lookup will fail.

Andrew Bartlett

Re: [Curiosity] 'netbios aliases' works in AD mode?

Hello! Andrew Bartlett via samba
  On that day it was said...

> No, it will ask for 'file'.  If the servicePrincipalName is not unique,
> the lookup will fail.

OK. Thanks.


Sorry again, but really I can't find examples for SPN definition. Is the
command line:

        samba-tool spn add host/vdmsv1.ad.fvg.lnf.it file.ad.fvg.lnf.it

correct to define alias 'FILE' for domain member 'vdmsv1'?


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66

Re: [Curiosity] 'netbios aliases' works in AD mode?


Ahem, no one replied to me.


A little fast-rewind: I need to have some 'aliases' for my servers (DM);
it seems I need to add in smb.conf:

 netbios aliases = FILESV

but also add an 'SPN'; trying to look around for examples led me to
''nothing'', or to examples that seem unrelated to me.

Supposing the domain is 'ad.fvg.lnf.it' and the FQDN of the real host
is 'vdmsv1.ad.fvg.lnf.it', I need to do:

> samba-tool spn add host/vdmsv1.ad.fvg.lnf.it filesv.ad.fvg.lnf.it

Right?! Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
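
The two points Andrew Bartlett makes in this thread (the client asks for a ticket for exactly the name it was given, and a servicePrincipalName held by more than one account makes the lookup fail), as an added example that is not part of the original thread. The SPN table is constructed sample data, the helper names are hypothetical, the `HOST/` forms chosen are an assumption, and the printed commands follow samba-tool's `spn add <name> <user>` argument order.

```shell
#!/bin/sh
# Constructed snapshot of the directory: "<machine account> <servicePrincipalName>".
# Host names are the ones used in the thread; the table itself is sample data.
SPN_TABLE='vdmsv1$ HOST/vdmsv1.ad.fvg.lnf.it
vdmsv1$ HOST/file
vdmsv1$ HOST/file.ad.fvg.lnf.it
vdmpp1$ HOST/vdmpp1.ad.fvg.lnf.it'

# Same table after a second member server also claims the alias 'file'.
DUP_TABLE="$SPN_TABLE
vdmpp1\$ HOST/file"

# ticket_target TABLE NAME (hypothetical helper): model the lookup for NAME
# exactly as the client typed it, with no DNS search path expansion.
# Prints the owning account when exactly one account holds HOST/NAME;
# otherwise prints "unknown" or "ambiguous" and returns non-zero.
ticket_target() {
    printf '%s\n' "$1" | awk -v want="HOST/$2" '
        tolower($2) == tolower(want) && !seen[$1]++ { owner = $1; n++ }
        END {
            if (n == 1) { print owner; exit 0 }
            print (n ? "ambiguous" : "unknown"); exit 1
        }'
}

# alias_commands ALIAS DNS_DOMAIN ACCOUNT (hypothetical helper): print the
# smb.conf line and the samba-tool calls for one alias on one member server.
# samba-tool takes the SPN first and the owning account second.
alias_commands() {
    printf 'netbios aliases = %s\n' "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')"
    printf 'samba-tool spn add HOST/%s %s\n' "$1" "$3"
    printf 'samba-tool spn add HOST/%s.%s %s\n' "$1" "$2" "$3"
    printf 'samba-tool spn list %s\n' "$3"
}

alias_commands file ad.fvg.lnf.it 'vdmsv1$'
ticket_target "$SPN_TABLE" file                     # one owner: resolves
ticket_target "$SPN_TABLE" file.sv.lnf.it || true   # name never registered
ticket_target "$DUP_TABLE" file || true             # two owners: lookup fails
```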