[Samba] Samba 4.2 AD member accessible by name but not by IP
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Aug 4 09:37:29 UTC 2015
On 02/08/15 21:54, Ivo Karabojkov wrote:
> Hello,
>
> I have a strange problem with Samba AD member:
> It is accessible via \\server or \\server.domain.local
> But when I try to access it with its IP address, ex. \\10.15.10.1 I get
> access denied error and prompt for user and pass. Entering username and
> password with or without DOMAIN\ has no effect.
> The server is FreeBSD 10.1. It behaves the same way with Samba 4.1.18
> and now with Samba 4.2.2 both installed via FreeBSD ports.
>
> Here is the log of a successful session - \\server (log level = 3):
> [2015/08/02 22:58:46.763454, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
> init_oplocks: initializing messages.
> [2015/08/02 22:58:46.763603, 3] ../source3/smbd/process.c:1879(process_smb)
> Transaction 0 of length 108 (0 toread)
> [2015/08/02 22:58:46.763765, 3]
> ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_10
> [2015/08/02 22:58:46.829927, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'gssapi_spnego' registered
> [2015/08/02 22:58:46.830010, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'gssapi_krb5' registered
> [2015/08/02 22:58:46.830038, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'gssapi_krb5_sasl' registered
> [2015/08/02 22:58:46.834257, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'sasl-DIGEST-MD5' registered
> [2015/08/02 22:58:46.834298, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'spnego' registered
> [2015/08/02 22:58:46.834333, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'schannel' registered
> [2015/08/02 22:58:46.834355, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'naclrpc_as_system' registered
> [2015/08/02 22:58:46.834383, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'sasl-EXTERNAL' registered
> [2015/08/02 22:58:46.834406, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'ntlmssp' registered
> [2015/08/02 22:58:46.834432, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'http_basic' registered
> [2015/08/02 22:58:46.834454, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'http_ntlm' registered
> [2015/08/02 22:58:47.252403, 3]
> ../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
> Found account name from PAC: myuser [Firstname Lastname]
> [2015/08/02 22:58:47.252483, 3]
> ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
> Kerberos ticket principal name is [myuser at DOMAIN.LOCAL]
> [2015/08/02 22:58:47.296995, 3]
> ../source3/param/loadparm.c:3647(lp_load_ex)
> lp_load_ex: refreshing parameters
> [2015/08/02 22:58:47.297109, 3]
> ../source3/param/loadparm.c:564(init_globals)
> Initialising global parameters
> [2015/08/02 22:58:47.297252, 3]
> ../source3/param/loadparm.c:2597(lp_do_section)
> Processing section "[global]"
> [2015/08/02 22:58:47.298033, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[pub]"
> [2015/08/02 22:58:47.298408, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[departments]"
> [2015/08/02 22:58:47.298766, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[users]"
> [2015/08/02 22:58:47.299116, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[konto]"
> [2015/08/02 22:58:47.299464, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[trz]"
> [2015/08/02 22:58:47.299826, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[shared]"
> [2015/08/02 22:58:47.299957, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[scan-acct]"
> [2015/08/02 22:58:47.300305, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[scan-production]"
> [2015/08/02 22:58:47.300660, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[scan-trade]"
> [2015/08/02 22:58:47.301021, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[scan-reception]"
> [2015/08/02 22:58:47.301402, 3]
> ../source3/param/loadparm.c:1495(lp_add_ipc)
> adding IPC service
> [2015/08/02 22:58:47.302583, 3]
> ../source3/smbd/password.c:144(register_homes_share)
> Adding homes service for user 'DOMAIN\myuser' using home directory:
> '/home/DOMAIN/myuser'
> [2015/08/02 22:58:47.303692, 3] ../source3/lib/access.c:338(allow_access)
> Allowed connection from 10.15.1.10 (10.15.1.10)
> [2015/08/02 22:58:47.303821, 3]
> ../source3/smbd/service.c:614(make_connection_snum)
> Connect path is '/var/smb/shared' for service [shared]
> [2015/08/02 22:58:47.303911, 3] ../source3/smbd/vfs.c:113(vfs_init_default)
> Initialising default vfs hooks
> [2015/08/02 22:58:47.303941, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
> Initialising custom vfs hooks from [/[Default VFS]/]
> [2015/08/02 22:58:47.303969, 3] ../source3/smbd/vfs.c:139(vfs_init_custom)
> Initialising custom vfs hooks from [zfsacl]
> [2015/08/02 22:58:47.304777, 2]
> ../lib/util/modules.c:191(do_smb_load_module)
> Module 'zfsacl' loaded
> [2015/08/02 22:58:47.305038, 3]
> ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
> string_to_sid: SID @Administrators is not in a valid format
> [2015/08/02 22:58:47.309850, 3]
> ../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
> string_to_sid: SID @DOMAIN\Domain admins is not in a valid format
> [2015/08/02 22:58:47.310846, 2] ../source3/smbd/uid.c:270(check_user_ok)
> check_user_ok: user DOMAIN\myuser is an admin user. Setting uid as 0
> [2015/08/02 22:58:47.311107, 2]
> ../source3/smbd/service.c:862(make_connection_snum)
> 10.15.1.10 (ipv4:10.15.1.10:63168) connect to service shared initially
> as user DOMAIN\myuser (uid=0, gid=10006) (pid 19606)
> [2015/08/02 22:58:47.312082, 3]
> ../source3/smbd/vfs.c:1143(check_reduced_name)
> check_reduced_name [desktop.ini] [/var/smb/shared]
> [2015/08/02 22:58:47.312135, 3]
> ../source3/smbd/vfs.c:1273(check_reduced_name)
> check_reduced_name: desktop.ini reduced to /var/smb/shared/desktop.ini
> [2015/08/02 22:58:47.312360, 3] ../source3/smbd/dosmode.c:196(unix_mode)
> unix_mode(desktop.ini) returning 0644
>
> Here is an unsuccessful session (by \\IP):
> [2015/08/02 22:59:03.126703, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
> init_oplocks: initializing messages.
> [2015/08/02 22:59:03.126841, 3] ../source3/smbd/process.c:1879(process_smb)
> Transaction 0 of length 159 (0 toread)
> [2015/08/02 22:59:03.126882, 3]
> ../source3/smbd/process.c:1489(switch_message)
> switch message SMBnegprot (pid 19611) conn 0x0
> [2015/08/02 22:59:03.127014, 3]
> ../source3/smbd/negprot.c:575(reply_negprot)
> Requested protocol [PC NETWORK PROGRAM 1.0]
> [2015/08/02 22:59:03.127045, 3]
> ../source3/smbd/negprot.c:575(reply_negprot)
> Requested protocol [LANMAN1.0]
> [2015/08/02 22:59:03.127068, 3]
> ../source3/smbd/negprot.c:575(reply_negprot)
> Requested protocol [Windows for Workgroups 3.1a]
> [2015/08/02 22:59:03.127090, 3]
> ../source3/smbd/negprot.c:575(reply_negprot)
> Requested protocol [LM1.2X002]
> [2015/08/02 22:59:03.127121, 3]
> ../source3/smbd/negprot.c:575(reply_negprot)
> Requested protocol [LANMAN2.1]
> [2015/08/02 22:59:03.127143, 3]
> ../source3/smbd/negprot.c:575(reply_negprot)
> Requested protocol [NT LM 0.12]
> [2015/08/02 22:59:03.127165, 3]
> ../source3/smbd/negprot.c:575(reply_negprot)
> Requested protocol [SMB 2.002]
> [2015/08/02 22:59:03.127186, 3]
> ../source3/smbd/negprot.c:575(reply_negprot)
> Requested protocol [SMB 2.???]
> [2015/08/02 22:59:03.127371, 3]
> ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_FF
> [2015/08/02 22:59:03.129924, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'gssapi_spnego' registered
> [2015/08/02 22:59:03.129983, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'gssapi_krb5' registered
> [2015/08/02 22:59:03.130007, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'gssapi_krb5_sasl' registered
> [2015/08/02 22:59:03.134188, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'sasl-DIGEST-MD5' registered
> [2015/08/02 22:59:03.134265, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'spnego' registered
> [2015/08/02 22:59:03.134289, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'schannel' registered
> [2015/08/02 22:59:03.134312, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'naclrpc_as_system' registered
> [2015/08/02 22:59:03.134340, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'sasl-EXTERNAL' registered
> [2015/08/02 22:59:03.134381, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'ntlmssp' registered
> [2015/08/02 22:59:03.134404, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'http_basic' registered
> [2015/08/02 22:59:03.134426, 3]
> ../auth/gensec/gensec_start.c:885(gensec_register)
> GENSEC backend 'http_ntlm' registered
> [2015/08/02 22:59:03.337949, 3]
> ../source3/smbd/negprot.c:683(reply_negprot)
> Selected protocol SMB 2.???
> [2015/08/02 22:59:03.338430, 3]
> ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_10
> [2015/08/02 22:59:03.669244, 3]
> ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
> Got NTLMSSP neg_flags=0xe2088297
> [2015/08/02 22:59:03.676620, 3]
> ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
> Got user=[myuser] domain=[DOMAIN] workstation=[WSNAME] len1=24 len2=230
> [2015/08/02 22:59:03.676711, 3]
> ../source3/param/loadparm.c:3647(lp_load_ex)
> lp_load_ex: refreshing parameters
> [2015/08/02 22:59:03.676862, 3]
> ../source3/param/loadparm.c:564(init_globals)
> Initialising global parameters
> [2015/08/02 22:59:03.677014, 3]
> ../source3/param/loadparm.c:2597(lp_do_section)
> Processing section "[global]"
> [2015/08/02 22:59:03.677817, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[pub]"
> [2015/08/02 22:59:03.678176, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[departments]"
> [2015/08/02 22:59:03.678552, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[users]"
> [2015/08/02 22:59:03.678899, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[konto]"
> [2015/08/02 22:59:03.679247, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[trz]"
> [2015/08/02 22:59:03.679616, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[shared]"
> [2015/08/02 22:59:03.679741, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[scan-acct]"
> [2015/08/02 22:59:03.680097, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[scan-production]"
> [2015/08/02 22:59:03.680446, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[scan-trade]"
> [2015/08/02 22:59:03.680902, 2]
> ../source3/param/loadparm.c:2614(lp_do_section)
> Processing section "[scan-reception]"
> [2015/08/02 22:59:03.681356, 3]
> ../source3/param/loadparm.c:1495(lp_add_ipc)
> adding IPC service
> [2015/08/02 22:59:03.682265, 3]
> ../source3/auth/auth.c:178(auth_check_ntlm_password)
> check_ntlm_password: Checking password for unmapped user
> [DOMAIN]\[myuser]@[WSNAME] with the new password interface
> [2015/08/02 22:59:03.682295, 3]
> ../source3/auth/auth.c:181(auth_check_ntlm_password)
> check_ntlm_password: mapped user is: [DOMAIN]\[myuser]@[WSNAME]
> [2015/08/02 22:59:03.729944, 2]
> ../source3/auth/auth.c:315(auth_check_ntlm_password)
> check_ntlm_password: Authentication for user [myuser] -> [myuser]
> FAILED with error NT_STATUS_ACCESS_DENIED
> [2015/08/02 22:59:03.730020, 2]
> ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
> SPNEGO login failed: NT_STATUS_ACCESS_DENIED
> [2015/08/02 22:59:03.730658, 3]
> ../source3/smbd/server_exit.c:246(exit_server_common)
> Server exit (NT_STATUS_CONNECTION_RESET)
> [2015/08/02 22:59:03.735828, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
> init_oplocks: initializing messages.
> [2015/08/02 22:59:03.735962, 3] ../source3/smbd/process.c:1879(process_smb)
> Transaction 0 of length 108 (0 toread)
> [2015/08/02 22:59:03.736140, 3]
> ../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
> Selected protocol SMB2_10
>
>
> Here is my smb4.conf:
> # Global parameters
> [global]
> netbios name = SERVER
> workgroup = DOMAIN
> realm = DOMAIN.LOCAL
> server string = Server
> security = ADS
> encrypt passwords = Yes
>
> log level = 3
> log file = /var/log/samba4/log.%m
> max log size = 500
>
> hosts allow = 10.15. 127.0.0.1
> interfaces = localhost, re0
> bind interfaces only = Yes
>
> winbind trusted domains only = no
> winbind use default domain = no
> winbind enum users = yes
> winbind enum groups = yes
> # winbind refresh tickets = Yes
> winbind nested groups = Yes
> winbind expand groups = 10
> #
> # Samba 4.2 wbinfo works but getent no
> #
> require strong key = false
> winbind sealed pipes = false
> #client ldap sasl wrapping = plain
>
>
> idmap config *:backend = tdb
> idmap config *:range = 10000-2000000
>
> nsupdate command = /usr/local/bin/samba-nsupdate -g
>
> admin users = @Administrators, "@DOMAIN\Domain admins"
>
> vfs objects = zfsacl
> map acl inherit = yes
> ## Store DOS attributes in extended attributes (no mapping)
> map hidden = no
> map system = no
> map archive = no
> map readonly = no
> store dos attributes = no
>
> ## Extended attributes
> ea support = no
>
> veto files = /*.eml/*.nws/*.{*}/
> veto oplock files =
> /*.doc/*.xls/*.docx/*.xlsx/*.mdb/*.dbf/*.pst/*.ntx/*.idx/*.cdx/*.db/*.y??/*.xg?/*.mb/*.val/*.px/*.lck/
>
> Thanks in advance for any help.
Hi, what are you using for the domain DC, a Windows server, samba4 as an
AD DC or something else?
What DNS are you using ?
You may also like to look here to see how to set up a member server
correctly:
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
Rowland
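The two sessions quoted above differ in one line that matters more than the rest: the working \\server session shows `Kerberos ticket principal name is [...]`, while the \\10.15.10.1 session shows `Got NTLMSSP neg_flags=...` followed by `FAILED with error NT_STATUS_ACCESS_DENIED`. A client that reaches a server by a bare IP address has no hostname to build a Kerberos service principal from, so it falls back to NTLM, and the IP case therefore exercises the NTLM pass-through path to the DC rather than the Kerberos path (note that `Allowed connection from 10.15.1.10` appears only in the Kerberos session, because the NTLM session never got as far as a tree connect). As an added example that is not part of this thread or of Samba's own tooling, the Python script below re-joins the wrapped log records, cuts them into per-smbd-child sessions at `init_oplocks`, and reports which authentication mechanism each session used and how it ended. The sample input is constructed by trimming the two sessions in the post (the list archive rewrites `@` as ` at ` in the principal, which is kept as-is), and the regexes assume the level 3 message texts shown there.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A record starts "[YYYY/MM/DD hh:mm:ss.usec, level]"; the source location and
# message may follow on the same line or on wrapped continuation lines.
TS_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+), (\d+)\](.*)$")
KRB_RE = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")
NTLM_USER_RE = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\] workstation=\[([^\]]*)\]")
FAIL_RE = re.compile(r"FAILED with error (NT_STATUS_\w+)")
CONNECT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+) \(ipv4:[^)]*\) connect to service (\S+) initially as user (\S+)")
ALLOW_RE = re.compile(r"Allowed connection from (\S+) \(")


@dataclass
class Session:
    started: str                       # timestamp of the smbd child's first record
    auth: Optional[str] = None         # "kerberos" or "ntlmssp"
    principal: Optional[str] = None    # principal taken from the Kerberos ticket
    user: Optional[str] = None         # DOMAIN\user as smbd reports it
    workstation: Optional[str] = None  # client name from the NTLMSSP exchange
    client_ip: Optional[str] = None
    service: Optional[str] = None      # share the client connected to
    status: Optional[str] = None       # NT_STATUS_* when authentication failed


def parse_records(text: str):
    """Re-join wrapped lines into (timestamp, level, message) records."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            records.append([m.group(1), int(m.group(2)), m.group(3).strip()])
        elif records:  # continuation of the previous record
            records[-1][2] = (records[-1][2] + " " + line).strip()
    return [tuple(r) for r in records]


def split_sessions(records) -> List[Session]:
    """Cut the stream at each new smbd child (init_oplocks) and classify it."""
    sessions: List[Session] = []
    for ts, _level, msg in records:
        if "init_oplocks: initializing messages" in msg:
            sessions.append(Session(started=ts))
            continue
        if not sessions:
            continue
        s = sessions[-1]
        if (m := KRB_RE.search(msg)):
            s.auth, s.principal = "kerberos", m.group(1)
        elif "Got NTLMSSP neg_flags" in msg:
            s.auth = "ntlmssp"
        elif (m := NTLM_USER_RE.search(msg)):
            s.auth = "ntlmssp"
            s.user = f"{m.group(2)}\\{m.group(1)}"
            s.workstation = m.group(3)
        elif (m := ALLOW_RE.search(msg)):
            s.client_ip = m.group(1)
        elif (m := CONNECT_RE.search(msg)):
            s.client_ip, s.service = m.group(1), m.group(2)
            s.user = s.user or m.group(3)
        elif (m := FAIL_RE.search(msg)):
            s.status = m.group(1)
    return sessions


def ntlm_denied(sessions: List[Session]) -> List[Session]:
    """Sessions that fell back to NTLMSSP and were then refused."""
    return [s for s in sessions if s.auth == "ntlmssp" and s.status]


def summarize(sessions: List[Session]) -> List[str]:
    out = []
    for s in sessions:
        outcome = f"FAILED {s.status}" if s.status else (
            f"connected to [{s.service}]" if s.service else "no tree connect logged")
        out.append(f"{s.started} auth={s.auth or '?'} user={s.user or s.principal or '?'} "
                   f"from={s.client_ip or s.workstation or '?'} {outcome}")
    return out


# Constructed sample: the post's two sessions, trimmed to the records that
# decide the outcome, in the wrapped form the mailing list shows.
SAMPLE_LOG = r"""
[2015/08/02 22:58:46.763454, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:58:47.252483, 3]
  ../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [myuser at DOMAIN.LOCAL]
[2015/08/02 22:58:47.303692, 3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 10.15.1.10 (10.15.1.10)
[2015/08/02 22:58:47.311107, 2]
  ../source3/smbd/service.c:862(make_connection_snum)
  10.15.1.10 (ipv4:10.15.1.10:63168) connect to service shared initially
  as user DOMAIN\myuser (uid=0, gid=10006) (pid 19606)
[2015/08/02 22:59:03.126703, 3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:59:03.669244, 3]
  ../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2015/08/02 22:59:03.676620, 3]
  ../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
  Got user=[myuser] domain=[DOMAIN] workstation=[WSNAME] len1=24 len2=230
[2015/08/02 22:59:03.729944, 2]
  ../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password: Authentication for user [myuser] -> [myuser]
  FAILED with error NT_STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    found = split_sessions(parse_records(SAMPLE_LOG))
    print("\n".join(summarize(found)))
    print(f"{len(ntlm_denied(found))} session(s) fell back to NTLM and were denied")
```

Run against a real `log.%m` file the same way (read the file into `parse_records`). `ntlm_denied()` is the hook worth wiring into routine log review: a run of NTLM fallbacks ending in ACCESS_DENIED from many workstations is the pattern to alert on, while a single one sitting next to a successful Kerberos session for the same user, as in this post, points at the access path (name versus IP) rather than at the credentials.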