SMB3, NAS aliases and cross domain auth
My workplace has been going through a big exercise to fully patch all servers and ensure that any and all NAS devices are not using SMB1. Shortly after SMB1 was disabled across the board we started seeing weird intermittent issues on a NAS device that was running the latest version of FreeNAS.
Every few days, connections to an alias of the NAS device name would just stop authenticating. Sometimes a reboot would fix it and sometimes it would not. Clearly this was not an acceptable state, so I started to do some digging into the problem.
For background, all servers are on "domain1.com" and users are on "domain2.com". The NAS is a member of domain1 as it is accessed primarily by users. AD nested groups are used to give service accounts from domain1 access to resources on domain2. It is something of a holdover from NT4 days that still has not been dealt with.
The decision to use alias names was taken because the NAS is used mostly for backups, some of the backups are quite big (multi-TB in size) and the servers that back up to the NAS are on different VLANs. The NAS device is a Storinator that runs FreeNAS; it is configured in a LAGG and has several sub-interfaces hosted on different VLANs so that the backups can go direct rather than through the firewall that hosts the gateways for the network. The alias names exist only so that the DBAs and other developers do not have to remember IP addresses.
This means that the NAS is dealing with cross domain authentication, alias names and SMB2/3.
After some digging around Microsoft's knowledge base I did come across an article that I thought would be of some help. The problem with the article is that the part I needed is rather strangely worded:
"Not recommended: We do not recommend that you resolve this issue for a file server that is not Windows-based by typing the following commands in an elevated Command Prompt window on a Windows-based computer"
I have no issue with MS providing information and tagging it as not recommended, but do tell me what IS recommended for a file server that is not Windows-based!
Well, they do not have a recommended practice, so I decided to give this a go and found that it worked perfectly, with one condition: the NAS has to be referred to by a DNS name in the same DNS domain as the AD domain the NAS is joined to. That makes sense once you remember that an SMB2/3 client asks Kerberos for a ticket to cifs/<whatever name it typed>, and the DNS suffix of that name is what steers the request to the domain whose KDC is expected to hold the SPN; an alias under domain2.com is looked for in the wrong place and the NAS's computer account in domain1 is never consulted.
In my example the NAS is in domain1, so the alias must be alias.domain1.com and must be added as a HOST-based SPN on the NAS's computer object. HOST/ is the generic service class that covers cifs/ (among others), so a separate cifs/ SPN is not needed.
For example, if the NAS computer account is nas.domain1.com and I want to give it the alias NAS-alias.domain1.com, I'd need the following SPNs on that computer object (setspn -s does the same as -a but first checks that the SPN is not already registered on another account; a duplicate SPN breaks Kerberos for both holders, so the check is worth having):
setspn -a HOST/NAS-alias nas.domain1.com
setspn -a HOST/NAS-alias.domain1.com nas.domain1.com
You can list all the SPNs on an object with the command:
setspn -l nas.domain1.com
and you can delete an SPN with:
setspn -d HOST/NAS-alias nas.domain1.com
MS have a detailed article on the setspn command here.
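The script below is an added example, not part of the original post and not the MS article's commands. It wraps the same HOST/ SPN registration in a PowerShell script that first checks the two things that bit me: that the alias sits in the NAS's own AD DNS domain, and that neither SPN is already held by another account in the forest. The names nas and nas-alias.domain1.com are the ones used above; it assumes the RSAT ActiveDirectory module is installed, that setspn.exe is on the path, and that you have rights to write the computer object's servicePrincipalName attribute.

```powershell
# Added example (not from the original post): register HOST SPNs for a NAS alias
# after checking the preconditions that matter for a non-Windows SMB server.
# Assumes RSAT ActiveDirectory module + setspn.exe, and write rights on the object.
# Usage: .\Add-NasAliasSpn.ps1 -ComputerName nas -AliasFqdn nas-alias.domain1.com -WhatIf
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $ComputerName,   # sAMAccountName of the NAS, e.g. 'nas'
    [Parameter(Mandatory)] [string] $AliasFqdn       # e.g. 'nas-alias.domain1.com'
)

Import-Module ActiveDirectory -ErrorAction Stop

$computer = Get-ADComputer -Identity $ComputerName -Properties DNSHostName, servicePrincipalName

# 1. The alias must be in the same DNS domain as the NAS's computer account.
#    An alias under domain2.com would be looked for by the wrong domain's KDC.
$nasDomain   = ($computer.DNSHostName -split '\.', 2)[1]
$aliasShort  = ($AliasFqdn -split '\.', 2)[0]
$aliasDomain = ($AliasFqdn -split '\.', 2)[1]
if ($aliasDomain -ne $nasDomain) {
    throw "Alias domain '$aliasDomain' does not match the NAS's AD DNS domain '$nasDomain'."
}

# 2. The alias must actually resolve (CNAME or an A record on one of the VLAN
#    sub-interface addresses are both fine). Fail early if DNS is not in place.
$records = Resolve-DnsName -Name $AliasFqdn -ErrorAction Stop
Write-Host ("{0} resolves to: {1}" -f $AliasFqdn, (($records | Where-Object IPAddress).IPAddress -join ', '))

# 3. HOST/ covers cifs/, so the short and FQDN HOST SPNs are all SMB needs.
$wanted = @("HOST/$aliasShort", "HOST/$AliasFqdn")

foreach ($spn in $wanted) {
    if (@($computer.servicePrincipalName) -contains $spn) {
        Write-Host "already present on $($computer.Name): $spn"
        continue
    }

    # setspn -Q searches the whole forest; an SPN may live on exactly one account,
    # otherwise the KDC cannot pick a key and Kerberos fails for every holder.
    $query = setspn -Q $spn
    if ($query -match 'Existing SPN found') {
        throw "$spn is already registered on another account:`n$($query -join "`n")"
    }

    if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, "add SPN $spn")) {
        Set-ADComputer -Identity $computer -ServicePrincipalNames @{ Add = $spn }
        Write-Host "added: $spn"
    }
}

# 4. Show the final state, the equivalent of 'setspn -l nas'.
(Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName).servicePrincipalName | Sort-Object
```

Run it with -WhatIf first to see what it would add. To confirm the fix from a client without waiting for the next backup window, run klist purge and then klist get cifs/nas-alias.domain1.com on a domain-joined Windows box: a ticket coming back for that exact service name means the KDC found the new SPN, and a failure there points at the SPN or DNS rather than at the NAS.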
The fix I've described above does work for a non windows NAS device but I am still curious to know why MS do not recommend it and what they would suggest as a recommended fix for such a setup.