[Samba] Can access shares by IP, not by hostname from Windows clients (AD, W2K8 R2, Linux, Samba 3.6.1, KRB)

Guido Leenders guido.leenders at invantive.com
Fri Jan 6 13:39:29 MST 2012


Hello,

I am running Samba version 3.6.1, and for several months we have no longer been able to access shares on that server by hostname. This only occurs for Windows clients (Windows 2008 R2, Windows 7). For Apple MacOS 10.5 and Linux clients, we can access the shares by \\ws86 using Active Directory registered passwords. For Windows, we must use \\192.168.172.26. Neither \\ws86 nor \\WS86 works.

The only IP address of ws86 is 192.168.172.26. NetBIOS is also enabled, but of course there is an Active Directory environment. Active Directory is also used for security (see smb.conf). Winbind is not running; smb and nmb are. Successfully kinit-ed and joined the domain.

Logging contains:
[2012/01/06 21:16:11.824330,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

With debugging on level 15, typical errors include (samba log with level 15 is too large to post here):
  libads/kerberos_verify.c:248: krb5_rd_req_return_keyblock_from_keytab(host/ws86.invantive.local at INVANTIVE.LOCAL) failed: Wrong principal in request

and

  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593758, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593846, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593929, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.594012, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.594094, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Bad encryption type

I have tried various enctypes. Made changes to the allowed enctypes on the 2008 R2 Active Directory server. No success. Even with experience back to Samba 2.0, this is too hard for me.

Can someone provide me with a hint or pointer?

Regards,

Guido

--

[global]
workgroup = INVANTIVE
realm = INVANTIVE.LOCAL
security = ads
kerberos method=secrets and keytab
template shell = /bin/ksh
winbind use default domain = true
winbind offline logon = false
debuglevel=1
password server = ws54
winbind enum groups = yes
winbind enum users = yes
winbind nested groups = yes
winbind separator = +
server string = Samba %v
interfaces = lo eth0 192.168.172.26/24
passdb backend = tdbsam
dns proxy = yes
cups options = raw
username map = /etc/samba/smbusers
[homes]
comment = Home Directories
browseable = no
writable = yes
inherit acls = yes
delete readonly = yes
create mask = 0600
directory mask = 0700
oplocks = yes
force create mode = 0600
force directory mode = 0700
valid users = %S,INVANTIVE\Administrator,root,INVANTIVE\!gle3
force user = %S
hide files = /desktop.ini/$RECYCLE.BIN/
include=/etc/samba/smb.conf.invantive

--

root at ws86:/etc/samba# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  22 host/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 host/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 host/ws86.invantive.local at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 host/ws86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 host/ws86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 host/ws86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 WS86$@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 WS86$@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 WS86$@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  13 ws86/Administrator at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  13 ws86/Administrator at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  13 ws86/Administrator at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
   3 host/WS86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
   3 host/WS86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 host/WS86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 ws86/ws86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 ws86/ws86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 ws86/ws86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 WS86$@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 WS86$@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 ws86/WS86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  14 ws86/Administrator at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  14 ws86/Administrator at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  14 ws86/Administrator at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 ws86/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 ws86/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 ws86/ws86.invantive.local at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 host/ws86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 host/ws86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 host/ws86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
   3 ws86/WS86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 ws86/WS86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 host/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 ws86/ws86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 ws86/ws86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 WS86$@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 host/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 host/ws86.invantive.local at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 ws86/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 ws86/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 ws86/ws86.invantive.local at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 ws86/ws86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)

--

net view \\ws86
System error 5 has occurred.

Access is denied.

net view \\192.168.172.26
Shared resources at \\192.168.172.26

Samba 3.6.1

Share name            Type  Used as  Comment

-------------------------------------------------------------------------------
backup                Disk           Backup
...
The command completed successfully.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: krb5.conf
URL: <http://lists.samba.org/pipermail/samba/attachments/20120106/4ca60da6/attachment.ksh>
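
An added example, not part of the original post: smbd can only decrypt a service ticket if the keytab holds a key for the matching principal, KVNO and enctype, so this Python sketch summarises a `klist -ke` listing and the enctypes smbd reported trying. The inline samples are excerpts of the output quoted above; the AES description strings in the table are an assumption about klist's wording and do not occur in the post.

```python
import re
from collections import defaultdict

# Enctype numbers keyed by the description klist prints.
# The two AES descriptions are assumed wording; the post's listing has none.
ENCTYPES = {
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD5": 3,
    "ArcFour with HMAC/md5": 23,
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18,
}
# The list archive rewrote "@" as " at ", so accept both separators.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+?)(?:\s+at\s+|@)(\S+)\s+\((.+)\)\s*$")
FAILED = re.compile(r"enc type \[(\d+)\] failed to decrypt")

def parse_keytab(text):
    """Return {principal: {kvno: set(enctype numbers)}} from `klist -ke` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            kvno, name, realm, desc = m.groups()
            # -1 marks a description that is not in the table above.
            keys[f"{name}@{realm}"][int(kvno)].add(ENCTYPES.get(desc, -1))
    return keys

def audit(keys, log_text=""):
    """Summarise what the keytab can decrypt and what smbd tried."""
    present = {e for kv in keys.values() for encs in kv.values() for e in encs}
    return {
        "enctypes_in_keytab": sorted(present),
        "has_aes": bool(present & {17, 18}),
        # Every KVNO below the newest one for a principal is an old key.
        "stale_kvnos": {p: sorted(kv)[:-1] for p, kv in keys.items() if len(kv) > 1},
        "enctypes_tried": sorted({int(n) for n in FAILED.findall(log_text)}),
    }

# Excerpts from the post's klist listing and level-10 log (not the full output).
SAMPLE_KLIST = """\
  22 host/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 host/ws86.invantive.local at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 host/ws86.invantive.local at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 WS86$@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 host/WS86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
"""
SAMPLE_LOG = """\
  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad encryption type
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad encryption type
"""

if __name__ == "__main__":
    print(audit(parse_keytab(SAMPLE_KLIST), SAMPLE_LOG))
```
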

