Re: [Samba] [Curiosity] 'netbios aliases' works in AD mode?




On Thu, 2017-12-07 at 10:48 +0100, Marco Gaiarin via samba wrote:
> Mandi! Andrew Bartlett via samba
>   In chel di` si favelave...
> 
> > > This led me to another question: in this way, aliases are ''domain
> > > wide'' right? E.g., I cannot have a DM aliased 'file' in a LAN and
> > > another DM aliased 'file' in another LAN, as was used before with
> > > NT-like domains (two different domains).
> > Correct, you can't use the different netbios namespaces to do that. 
> > Not that real NT4 allowed different netbios namespaces either, but all
> > sorts of games were possible (I've done that myself back in the day
> > with Samba).  
> 
> Good to know. Thanks.
> 
> 
> > You can't even use DNS search paths on the clients and then fully
> > qualified aliases as the client will ask for a ticket for exactly the
> > name stated, not the FQDN as this avoids insecure DNS being an attack
> > point. 
> 
> Mmmhhh... I will try to give an example.
> 
> Supposing we have 'vdmsv1.ad.fvg.lnf.it' aliased with 'file.sv.lnf.it'
> in LAN 1, and 'vdmpp1.ad.fvg.lnf.it' aliased with 'file.pp.lnf.it' in
> LAN 2.
> 
> If a client in LAN 1 has 'sv.lnf.it' in its search path, and in LAN 2
> 'pp.lnf.it', I cannot alias 'file' on both because the ticket gets asked
> for 'vdmsv1.ad.fvg.lnf.it' and 'vdmpp1.ad.fvg.lnf.it'. Right?

No, it will ask for 'file'.  If the servicePrincipalName is not unique,
the lookup will fail.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

