Centrify

Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-1816: How to configure Samba to access share with CNAME or DNS alias

Auditing and Monitoring Service ,   Authentication Service ,   Mac & PC Management Service ,  

12 April,16 at 11:02 AM

Applies to: All versions of Centrify-enabled Samba on all platforms

Question:
You are able to access the samba share using localhost, but not able to access share with CNAME or an alias.  Looking through the samba debug log, you will find similar error as below:

10] libads/kerberos_verify.c:ads_secrets_verify_ticket(302) ads_secrets_verify_ticket: enc type [3] failed to decrypt with error Bad encryption type
  3] libads/kerberos_verify.c:ads_verify_ticket(477)  ads_verify_ticket: krb5_rd_req with auth failed (Bad encryption type)
10] libads/kerberos_verify.c:ads_verify_ticket(486)  ads_verify_ticket: returning error NT_STATUS_LOGON_FAILURE
  1] smbd/sesssetup.c:reply_spnego_kerberos(350)  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
  3] smbd/error.c:error_packet_set(61)  error packet at smbd/sesssetup.c(352) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE

How do you configure Centrify agent to recognize the cname and able to access the samba share?

Answer:
There are two options to fix the issue:

1)  You can use the adkeytab command to add an spn by using the following syntax:
adkeytab --addspn --principal host/cnameserver --principal host/cnameserver.mydomain.com -u ADadmin -d mydomain.com

Before you run adkeytab command, you can check for your current Service Principal Names by executing adinfo --diag as root:

Computer Account Diagnostics
  Joined as: nemo
  Key Version: 3
  Service Principal Names:
                           nfs/nemo.daniel-domain.com
                           nfs/nemo
                           http/nemo.daniel-domain.com
                           http/nemo
                           host/nemo.daniel-domain.com
                           host/nemo
                           ftp/nemo.daniel-domain.com
                           ftp/nemo
                           cifs/nemo.daniel-domain.com
                           cifs/nemo
Centrify DirectControl Status
  Running in connected mode
Licensed Features: Enabled

[root@nemo /]# adkeytab --addspn --principal host/nemoalias.daniel-domain.com --principal host/nemoalias -u daniel.luu -d daniel-domain.com
daniel.luu@DANIEL-DOMAIN.COM's password:
Success: Add SPNs: Default Key Tab

To verify, try running the adinfo --diag again will show:

Computer Account Diagnostics
  Joined as: nemo
  Key Version: 3
  Service Principal Names:
                           host/nemoalias.daniel-domain.com
                           host/nemoalias
                           nfs/nemo.daniel-domain.com
                           nfs/nemo
                           http/nemo.daniel-domain.com
                           http/nemo
                           host/nemo.daniel-domain.com
                           host/nemo
                           ftp/nemo.daniel-domain.com
                           ftp/nemo
                           cifs/nemo.daniel-domain.com
                           cifs/nemo

Now, you will be able to access the samba share with cname.

or

2)  For this option, you'd need to leave the domain by running adleave, then join it back to domain using --alias option with the cname.  For example, run
adjoin -a nemoalias -z zone1 -u daniel.luu daniel-domain.com

Run adbindproxy.pl or adsamba.sh, depending on version, once more and try to access the share again.  You might need to logout of Windows and login again to access the new samba share.

Still have questions? Click here to log a technical support case, or collaborate with your peers in Centrify's Online Community.

Related Articles

 articleKB-6041: How to show current license type in use by adclient articleKB-6040: How to change the license type in use after adclient successful joined to the AD? articleKB-6073: How to join the Linux/Unix Centrify Server to Active Directory with specific Computer Role? articleKB-6056: How to report the group policy settings that are in effect for the local computer? articleKB-6038: How to specify the license type to use when joining the server to AD using adjoin? articleKerberos SSO - Handling Disjointed Active Directory and UNIX DNS namespaces with Centrify articleKB-2067: adinfo "joined as" does not update after dns suffix changes articleKB-2768: Can a server be joined with a different hostname than what is set in the DNS? articleKB-20210: Common Questions Regarding Centrify DirectControl and CoreOS