
Kerberos authentication fails on the client side because it uses a short name that is not in DNS

We are using ONTAP 8.1.2P1 7-Mode with MultiStore enabled:

a vFiler with SMB 2 enabled, fully functioning LAN Manager authentication, and an ADS account with an active trust relationship.

 

Now a Windows 2012 server wants to write its IIS logs to a share on our vFiler, and the Windows "profs" decided to use Kerberos for authentication, and this fails.

After some "investigations" the Windows admin found out that Kerberos tries to get information from DNS by querying shortname.domainsuffix instead of the well-known FQDN in DNS (which is not AD-integrated).

 

The FQDN is configured like my-server-name.mydomain.com

The short name shown in the AD computer account is the NetBIOS name, e.g. MYSERVERNAME

The DNS name shown in the AD computer account is NetBIOS name plus domain suffix, e.g. MYSERVERNAME.mydomain.de

- As this is not configured in DNS (because no one would use it), Kerberos authentication failed.

 

Now the Windows guys simply renamed my DNS record to get Kerberos working, but oops, now the Linux Samba guys have lost the connection to their shares, which they address by the well-known FQDN ;((( OMG, stupid thing ;)

 

Now I hope you can give me an idea what to do inside/around the ADS Kerberos handling to get the well-known FQDN working for both the Windows and the Linux Samba guys without changing my whole naming conventions!

 

Your suggestions are very welcome.

 

imho
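The usual place to look for this kind of failure is the service principal names (SPNs) on the vFiler's computer account rather than the DNS record: a Windows client that connects to my-server-name.mydomain.com asks the KDC for a ticket for cifs/my-server-name.mydomain.com, and if the computer account only carries HOST/MYSERVERNAME and HOST/MYSERVERNAME.mydomain.de, the KDC has no matching principal and the request fails. The following is an added example, not part of the original post and not a NetApp-documented procedure; it uses the names from the post (account MYSERVERNAME, alias my-server-name.mydomain.com) and assumes the DNS record has been put back to its original name, that it is an A record (not a CNAME), and that the vFiler accepts any ticket encrypted with its own account key, as most CIFS servers do. Run it from a domain-joined Windows admin box as a user allowed to write servicePrincipalName on the computer object.

```powershell
# Added example (not from the original post). Names below are taken from the post;
# treat them as placeholders for your own environment.
$Account = 'MYSERVERNAME'                 # sAMAccountName of the vFiler's computer account (no trailing $)
$Alias   = 'my-server-name.mydomain.com'  # the well-known FQDN both Windows and Samba users type

# 1. Check how the alias resolves. Some clients canonicalise a CNAME and build the
#    SPN from its target, so an A record for the alias is the safer choice.
Resolve-DnsName -Name $Alias -Type A

# 2. List the SPNs the KDC currently knows for the account. After "cifs setup" this is
#    typically only HOST/MYSERVERNAME and HOST/MYSERVERNAME.mydomain.de.
setspn -L $Account

# 3. Register the alias on the same account. The client asks for cifs/<name typed>;
#    HOST/ is added as well because some clients and tools use it as the fallback class.
#    -S refuses to add a duplicate SPN that already exists elsewhere in the forest.
setspn -S "cifs/$Alias" $Account
setspn -S "host/$Alias" $Account

# 4. Confirm the registration from the directory's point of view.
setspn -L $Account

# 5. Verify from the Windows 2012 client: drop cached tickets, then request a
#    service ticket for the alias. A ticket coming back means the KDC now resolves
#    the name; a KDC_ERR_S_PRINCIPAL_UNKNOWN means the SPN is still missing.
klist purge
klist get "cifs/$Alias"
```

Because the SPN lives on the account and not in the DNS zone, the Linux Samba clients keep using the unchanged FQDN and are not affected. If the alias must remain a CNAME, register the SPNs for the CNAME target as well, since that is the name such clients will request.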