
I have two Samba4 AD domain members that serve a couple of replicated shares to users at two sites (same domain, different subnets). Bandwidth and latency don't allow for a clustered solution, so replication between servers A and B runs periodically via a couple of osync scripts. Some users move back & forth between those two sites and expect to find their shares under the alias of 'C' for servers A and B, respectively.

Easy enough to implement in DNS ('split-brain'?; C->A ANAME at site 1, C->B ANAME at site 2), but domain authentication downgrades to NTLM instead of Kerberos. A catch-all 'HOST/C.mydomain.com' alias to either (physical) host's SPN list allows for Kerberos auth to one of the servers, but a duplicate SPN for A and B won't work (duh!).

Is there any way of implementing the same CIFS service alias for both hosts w/o running into duplicate SPN issues? Or, maybe I am looking at this all wrong, and there is a solution that would allow for a 'pretend' host C entry in Active Directory?

Any pointers greatly appreciated!

Mike

canut
  • Take a look at DFS Namespaces. https://docs.microsoft.com/en-us/windows-server/storage/dfs-namespaces/dfs-overview That will let users use a consistent name for a resource, and DFS will point them to the "closer" one automagically. – Doug Deden Feb 11 '19 at 17:58
  • Can you run the CIFS service under the same dedicated user/service account on both servers? This would allow you to add the SPN to the service account, and not the server itself. Kerberos authentication would only work when accessing the shares by that name, of course, you would face the same problem when attempting to access the CIFS shares by server name instead of the alias name. – Semicolon Feb 12 '19 at 18:18
  • Domain-based DFS Namespaces would certainly work, though I'm unsure if that's an appropriate suggestion for an environment that (as far as known to us) is running without Windows. – Semicolon Feb 12 '19 at 18:19
  • Thanks, Guys, for your pointers so far. Yes, this is a heterogeneous environment with somewhat outdated Windows (2008r2) and Samba (4.5) DC implementations. Not sure whether the DFS approach would work, but there appears to be a way to add service aliases to LDAP objects. Not something to be tried in a production environment on a workday, though :) I'll give it a shot and update this thread accordingly. – canut Feb 13 '19 at 06:26
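As an added example (not from the question or the commenters), a small Python check for the duplicate-SPN condition the question runs into, applied to constructed LDIF dumps of the kind `ldapsearch -LLL ... servicePrincipalName` returns; the DNs, the `OU=Servers` container and the `svc-cifs` service account used for the commenter's single-service-account variant are assumptions, only `mydomain.com` and hosts A, B and C come from the question.

```python
from collections import defaultdict

# Constructed sample of what ldapsearch returns when both member servers A and B
# carry the HOST/C alias (the duplicate-SPN situation described in the question).
DUPLICATE_LDIF = """\
dn: CN=A,OU=Servers,DC=mydomain,DC=com
servicePrincipalName: HOST/A.mydomain.com
servicePrincipalName: HOST/C.mydomain.com

dn: CN=B,OU=Servers,DC=mydomain,DC=com
servicePrincipalName: HOST/B.mydomain.com
servicePrincipalName: host/c.mydomain.com
"""

# Constructed sample of the commenter's variant: the alias SPN lives on one
# hypothetical service account (svc-cifs) instead of on either server object.
SERVICE_ACCOUNT_LDIF = """\
dn: CN=A,OU=Servers,DC=mydomain,DC=com
servicePrincipalName: HOST/A.mydomain.com

dn: CN=B,OU=Servers,DC=mydomain,DC=com
servicePrincipalName: HOST/B.mydomain.com

dn: CN=svc-cifs,OU=Service Accounts,DC=mydomain,DC=com
servicePrincipalName: cifs/C.mydomain.com
"""

def parse_spns(ldif_text):
    """Return {dn: [spn, ...]} from a simple LDIF dump (no base64 '::' values, no folded lines)."""
    entries, dn, spns = {}, None, []
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            if dn is not None:
                entries[dn] = spns
            dn, spns = line[4:], []
        elif line.startswith("servicePrincipalName: "):
            spns.append(line.split(": ", 1)[1])
    if dn is not None:
        entries[dn] = spns
    return entries

def find_duplicate_spns(entries):
    """Map each SPN to the objects claiming it and return those held by more than one.
    SPNs are case-folded because the AD KDC matches them case-insensitively, so
    HOST/C.mydomain.com on A and host/c.mydomain.com on B still collide."""
    holders = defaultdict(set)
    for dn, spns in entries.items():
        for spn in spns:
            holders[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in holders.items() if len(dns) > 1}
```

Running `find_duplicate_spns(parse_spns(...))` on the first dump reports the single collision on `host/c.mydomain.com`; on the service-account dump it reports nothing, which is the state to confirm before relying on Kerberos for the alias.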

0 Answers