[Samba] Strange winbind behavior with netbios name, perfect with ip address

Martin Zielinski mz at seh.de
Mon Jul 11 09:02:23 GMT 2005


Hi!
Please verify that in both cases Kerberos authentication is used.
I'm not sure if this is the reason in your case, but maybe it's worth a 
look - as I found completely different behaviour when using ip-addresses 
or hostnames to access a member server:

When joining the AD domain, a ticket with the hostname of the Samba 
machine is created on the AD-Server.
When you connect to the server via \\ip-address\sharename, the client 
tries to receive a ticket for a server with the name "ip-address (e.g. 
192.168.3.188)".
The server does not have a ticket for this name (only for the hostname) 
and returns a "have no ticket for this" error to the client.
Now your client tries the next method: NTLM, which might succeed.

In the other case, the AD-Server might pass your client a ticket, which
fails to be used for some reason. In this case, your client cannot get 
its required access rights.

I've had cases where AD was completely broken - but I didn't recognize it 
because I always used \\ip-address\ to connect to the server.

Bye,
Martin

Hamish wrote:
> Hi all
> This is a bit of a continuation of an old thread, which I have had no joy in 
> fixing. We have a samba server authenticating against a W2k3 server in 
> security = ADS mode.
> 
> If there is a file in a share, owned by user."domain users" and chmod 700, it 
> would normally be ONLY readable by that user.
> 
> This is true only if the user goes to \\ip.add.of.srv\share - if he goes to 
> \\servername\share, he cannot read the file. 
> 
> If the user goes to \\servername\share and creates a file, it is owned by him, 
> so the server can distinguish the username.
> 
> If I set the permissions g+r on the file, then the user can see the file just 
> fine. Unfortunately so can anyone in "domain users" - this is not good for 
> files which need to be readable only for the user.
> 
> I am completely stumped, can anyone shed any light on this?
> 
> Setup:
> SuSE Linux 9.0 (i586)
> samba Version 3.0.14a-SUSE
> winbindd Version 3.0.14a-SUSE
> 
> Cheers,
> Hamish
> 


-- 
Martin Zielinski             mz at seh.de
Software Development
SEH Computertechnik GmbH     www.seh.de

