SOLVED
Home

Cross domain AD auth for a NAS using an alias name

%3CLINGO-SUB%20id%3D%22lingo-sub-1066042%22%20slang%3D%22en-US%22%3ECross%20domain%20AD%20auth%20for%20a%20NAS%20using%20an%20alias%20name%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1066042%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20is%20a%20bit%20of%20an%20interesting%20one.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20got%20a%20NAS%20system%20that%20for%20various%20reasons%20has%20multiple%20names%20on%20the%20network%2C%20about%205%20at%20the%20last%20count.%20SMB1%20is%20now%20disabled%20across%20the%20board%20which%20is%20causing%20issues%20with%20the%20NAS.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20the%20NAS%20is%20accessed%20using%20it's%20actual%20hostname%2C%20all%20is%20good.%3C%2FP%3E%3CP%3EIf%20the%20NAS%20is%20access%20using%20an%20alias%20it%20works%20some%20of%20the%20time%20but%20not%20all.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20big%20problem%20is%20that%20when%20the%20NAS%20is%20accessed%20using%20an%20alias%20name%20from%20a%20trusted%20domain%20it%20just%20throws%20up%20an%20access%20denied.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20tried%20a%20few%20things%20with%20SPN's%20as%20per%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-gb%2Fhelp%2F3181029%2Fsmb-file-server-share-access-is-unsuccessful-through-dns-cname-alias%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.microsoft.com%2Fen-gb%2Fhelp%2F3181029%2Fsmb-file-server-share-access-is-unsuccessful-through-dns-cname-alias%3C%2FA%3E%20but%20I've%20not%20been%20able%20to%20get%20it%20to%20work.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESo%2C%20how%20do%20I%20get%20computers%20in%20domain2%20to%20access%20a%20NAS%20joined%20to%20domain1%20using%20an%20alias%20name%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20suggestions%20very%20gratefully%20received%20as%20I've%20run%20out%20of%20ideas.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1066042%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EActive%20Directory%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ENAS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EStorage%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1066081%22%20slang%3D%22en-US%22%3ERe%3A%20Cross%20domain%20AD%20auth%20for%20a%20NAS%20using%20an%20alias%20name%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1066081%22%20slang%3D%22en-US%22%3E%3CP%3EAnd%20resolved!%20I%20was%20missing%20the%20HOST%2F%20part%20in%20front%20of%20the%20SPN.%3C%2FP%3E%3CP%3EOnce%20I%20removed%20the%20SPN%20and%20readded%20it%20with%20the%20HOST%2F%20part%20it%20all%20started%20working.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENext%20time%20I'll%20take%20a%20break%20from%20the%20computer%20before%20trying%20again!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Gary Williams
Occasional Contributor

This is a bit of an interesting one.

 

I've got a NAS system that for various reasons has multiple names on the network, about 5 at the last count. SMB1 is now disabled across the board which is causing issues with the NAS.

 

If the NAS is accessed using it's actual hostname, all is good.

If the NAS is access using an alias it works some of the time but not all.

 

The big problem is that when the NAS is accessed using an alias name from a trusted domain it just throws up an access denied.

 

I've tried a few things with SPN's as per https://support.microsoft.com/en-gb/help/3181029/smb-file-server-share-access-is-unsuccessful-throug... but I've not been able to get it to work.

 

So, how do I get computers in domain2 to access a NAS joined to domain1 using an alias name?

 

Any suggestions very gratefully received as I've run out of ideas.

 

Thanks!

1 Reply
Solution

And resolved! I was missing the HOST/ part in front of the SPN.

Once I removed the SPN and readded it with the HOST/ part it all started working.

 

Next time I'll take a break from the computer before trying again!