Re: [Samba] Joining samba 3.6 to AD with SPN target name validation hardening




On Thu, 23 Nov 2017 13:07:20 +0100
Martin Bruset Solberg via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi
> 
> I'm trying to join a samba 3.6.23 client (RHEL 6.8) to a Windows
> Server 2012 R2 AD domain. The DC has been hardened with the GPO
> setting "Microsoft network server: Server SPN target name validation
> level" set to "Required from client".
> 
> Attempting to join fails with "Failed to join domain: failed to
> lookup DC info for domain 'MY.DOMAIN.COM' over rpc: Access denied" on
> the client side. On the server side, the fail message is an Audit
> Failure: "Spn check for SMB/SMB2 fails." (Event 5168).
> 
> Trying to join to the domain with samba client version 4.6.2 (RHEL
> 7.4) is successful.
> 
> Setting the GPO setting to "Off" results in a successful join for
> RHEL 6.8.
> 
> The smb.conf and krb5.conf are the same on the two different clients.
> Somehow the SPN is provided differently on the two samba versions, as
> the check fails on 3.6.23, but not on 4.6.2. Can I correct this
> behavior on 3.6 somehow? Is the answer in the krb5.conf?
> 
> 
> Martin Bruset Solberg

If both machines are using the same krb5.conf, then this isn't likely
to be the problem. If you insist on running 3.6.23, then you will
probably need to contact Red Hat support; 3.6 has been EOL for quite
some time now as far as Samba is concerned and your problem isn't
likely to be fixed by Samba.

There have been very many changes in Samba since 3.6.23, so I suppose
the easiest fix would be to upgrade your Samba on the RHEL 6.8 machine.

Rowland 
