[Samba] Samba 4.2 AD member accessible by name but not by IP

Ivo Karabojkov karabojkov at kit.bg
Sun Aug 2 20:54:14 UTC 2015


Hello,

I have a strange problem with a Samba AD member:
It is accessible via \\server or \\server.domain.local
But when I try to access it with its IP address, e.g. \\10.15.10.1, I get
an access denied error and a prompt for user and pass. Entering username and
password with or without DOMAIN\ has no effect.
The server is FreeBSD 10.1. It behaves the same way with Samba 4.1.18
and now with Samba 4.2.2, both installed via FreeBSD ports.

Here is the log of a successful session - \\server (log level = 3):
[2015/08/02 22:58:46.763454,  3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:58:46.763603,  3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 0 of length 108 (0 toread)
[2015/08/02 22:58:46.763765,  3]
../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2015/08/02 22:58:46.829927,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2015/08/02 22:58:46.830010,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2015/08/02 22:58:46.830038,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2015/08/02 22:58:46.834257,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'sasl-DIGEST-MD5' registered
[2015/08/02 22:58:46.834298,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'spnego' registered
[2015/08/02 22:58:46.834333,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'schannel' registered
[2015/08/02 22:58:46.834355,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2015/08/02 22:58:46.834383,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2015/08/02 22:58:46.834406,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2015/08/02 22:58:46.834432,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'http_basic' registered
[2015/08/02 22:58:46.834454,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2015/08/02 22:58:47.252403,  3]
../auth/kerberos/kerberos_pac.c:386(kerberos_decode_pac)
  Found account name from PAC: myuser [Firstname Lastname]
[2015/08/02 22:58:47.252483,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [myuser@DOMAIN.LOCAL]
[2015/08/02 22:58:47.296995,  3]
../source3/param/loadparm.c:3647(lp_load_ex)
  lp_load_ex: refreshing parameters
[2015/08/02 22:58:47.297109,  3]
../source3/param/loadparm.c:564(init_globals)
  Initialising global parameters
[2015/08/02 22:58:47.297252,  3]
../source3/param/loadparm.c:2597(lp_do_section)
  Processing section "[global]"
[2015/08/02 22:58:47.298033,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[pub]"
[2015/08/02 22:58:47.298408,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[departments]"
[2015/08/02 22:58:47.298766,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[users]"
[2015/08/02 22:58:47.299116,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[konto]"
[2015/08/02 22:58:47.299464,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[trz]"
[2015/08/02 22:58:47.299826,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[shared]"
[2015/08/02 22:58:47.299957,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-acct]"
[2015/08/02 22:58:47.300305,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-production]"
[2015/08/02 22:58:47.300660,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-trade]"
[2015/08/02 22:58:47.301021,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-reception]"
[2015/08/02 22:58:47.301402,  3]
../source3/param/loadparm.c:1495(lp_add_ipc)
  adding IPC service
[2015/08/02 22:58:47.302583,  3]
../source3/smbd/password.c:144(register_homes_share)
  Adding homes service for user 'DOMAIN\myuser' using home directory:
'/home/DOMAIN/myuser'
[2015/08/02 22:58:47.303692,  3] ../source3/lib/access.c:338(allow_access)
  Allowed connection from 10.15.1.10 (10.15.1.10)
[2015/08/02 22:58:47.303821,  3]
../source3/smbd/service.c:614(make_connection_snum)
  Connect path is '/var/smb/shared' for service [shared]
[2015/08/02 22:58:47.303911,  3] ../source3/smbd/vfs.c:113(vfs_init_default)
  Initialising default vfs hooks
[2015/08/02 22:58:47.303941,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
[2015/08/02 22:58:47.303969,  3] ../source3/smbd/vfs.c:139(vfs_init_custom)
  Initialising custom vfs hooks from [zfsacl]
[2015/08/02 22:58:47.304777,  2]
../lib/util/modules.c:191(do_smb_load_module)
  Module 'zfsacl' loaded
[2015/08/02 22:58:47.305038,  3]
../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID @Administrators is not in a valid format
[2015/08/02 22:58:47.309850,  3]
../libcli/security/dom_sid.c:209(dom_sid_parse_endp)
  string_to_sid: SID @DOMAIN\Domain admins is not in a valid format
[2015/08/02 22:58:47.310846,  2] ../source3/smbd/uid.c:270(check_user_ok)
  check_user_ok: user DOMAIN\myuser is an admin user. Setting uid as 0
[2015/08/02 22:58:47.311107,  2]
../source3/smbd/service.c:862(make_connection_snum)
  10.15.1.10 (ipv4:10.15.1.10:63168) connect to service shared initially
as user DOMAIN\myuser (uid=0, gid=10006) (pid 19606)
[2015/08/02 22:58:47.312082,  3]
../source3/smbd/vfs.c:1143(check_reduced_name)
  check_reduced_name [desktop.ini] [/var/smb/shared]
[2015/08/02 22:58:47.312135,  3]
../source3/smbd/vfs.c:1273(check_reduced_name)
  check_reduced_name: desktop.ini reduced to /var/smb/shared/desktop.ini
[2015/08/02 22:58:47.312360,  3] ../source3/smbd/dosmode.c:196(unix_mode)
  unix_mode(desktop.ini) returning 0644

Here is an unsuccessful session (by \\IP):
[2015/08/02 22:59:03.126703,  3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:59:03.126841,  3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 0 of length 159 (0 toread)
[2015/08/02 22:59:03.126882,  3]
../source3/smbd/process.c:1489(switch_message)
  switch message SMBnegprot (pid 19611) conn 0x0
[2015/08/02 22:59:03.127014,  3]
../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [PC NETWORK PROGRAM 1.0]
[2015/08/02 22:59:03.127045,  3]
../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LANMAN1.0]
[2015/08/02 22:59:03.127068,  3]
../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [Windows for Workgroups 3.1a]
[2015/08/02 22:59:03.127090,  3]
../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LM1.2X002]
[2015/08/02 22:59:03.127121,  3]
../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [LANMAN2.1]
[2015/08/02 22:59:03.127143,  3]
../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [NT LM 0.12]
[2015/08/02 22:59:03.127165,  3]
../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [SMB 2.002]
[2015/08/02 22:59:03.127186,  3]
../source3/smbd/negprot.c:575(reply_negprot)
  Requested protocol [SMB 2.???]
[2015/08/02 22:59:03.127371,  3]
../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_FF
[2015/08/02 22:59:03.129924,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_spnego' registered
[2015/08/02 22:59:03.129983,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_krb5' registered
[2015/08/02 22:59:03.130007,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'gssapi_krb5_sasl' registered
[2015/08/02 22:59:03.134188,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'sasl-DIGEST-MD5' registered
[2015/08/02 22:59:03.134265,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'spnego' registered
[2015/08/02 22:59:03.134289,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'schannel' registered
[2015/08/02 22:59:03.134312,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'naclrpc_as_system' registered
[2015/08/02 22:59:03.134340,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'sasl-EXTERNAL' registered
[2015/08/02 22:59:03.134381,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'ntlmssp' registered
[2015/08/02 22:59:03.134404,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'http_basic' registered
[2015/08/02 22:59:03.134426,  3]
../auth/gensec/gensec_start.c:885(gensec_register)
  GENSEC backend 'http_ntlm' registered
[2015/08/02 22:59:03.337949,  3]
../source3/smbd/negprot.c:683(reply_negprot)
  Selected protocol SMB 2.???
[2015/08/02 22:59:03.338430,  3]
../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10
[2015/08/02 22:59:03.669244,  3]
../auth/ntlmssp/ntlmssp_util.c:34(debug_ntlmssp_flags)
  Got NTLMSSP neg_flags=0xe2088297
[2015/08/02 22:59:03.676620,  3]
../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
  Got user=[myuser] domain=[DOMAIN] workstation=[WSNAME] len1=24 len2=230
[2015/08/02 22:59:03.676711,  3]
../source3/param/loadparm.c:3647(lp_load_ex)
  lp_load_ex: refreshing parameters
[2015/08/02 22:59:03.676862,  3]
../source3/param/loadparm.c:564(init_globals)
  Initialising global parameters
[2015/08/02 22:59:03.677014,  3]
../source3/param/loadparm.c:2597(lp_do_section)
  Processing section "[global]"
[2015/08/02 22:59:03.677817,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[pub]"
[2015/08/02 22:59:03.678176,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[departments]"
[2015/08/02 22:59:03.678552,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[users]"
[2015/08/02 22:59:03.678899,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[konto]"
[2015/08/02 22:59:03.679247,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[trz]"
[2015/08/02 22:59:03.679616,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[shared]"
[2015/08/02 22:59:03.679741,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-acct]"
[2015/08/02 22:59:03.680097,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-production]"
[2015/08/02 22:59:03.680446,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-trade]"
[2015/08/02 22:59:03.680902,  2]
../source3/param/loadparm.c:2614(lp_do_section)
  Processing section "[scan-reception]"
[2015/08/02 22:59:03.681356,  3]
../source3/param/loadparm.c:1495(lp_add_ipc)
  adding IPC service
[2015/08/02 22:59:03.682265,  3]
../source3/auth/auth.c:178(auth_check_ntlm_password)
  check_ntlm_password:  Checking password for unmapped user
[DOMAIN]\[myuser]@[WSNAME] with the new password interface
[2015/08/02 22:59:03.682295,  3]
../source3/auth/auth.c:181(auth_check_ntlm_password)
  check_ntlm_password:  mapped user is: [DOMAIN]\[myuser]@[WSNAME]
[2015/08/02 22:59:03.729944,  2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [myuser] -> [myuser]
FAILED with error NT_STATUS_ACCESS_DENIED
[2015/08/02 22:59:03.730020,  2]
../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_ACCESS_DENIED
[2015/08/02 22:59:03.730658,  3]
../source3/smbd/server_exit.c:246(exit_server_common)
  Server exit (NT_STATUS_CONNECTION_RESET)
[2015/08/02 22:59:03.735828,  3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:59:03.735962,  3] ../source3/smbd/process.c:1879(process_smb)
  Transaction 0 of length 108 (0 toread)
[2015/08/02 22:59:03.736140,  3]
../source3/smbd/smb2_negprot.c:211(smbd_smb2_request_process_negprot)
  Selected protocol SMB2_10


Here is my smb4.conf:
# Global parameters
[global]
   netbios name = SERVER
   workgroup    = DOMAIN
   realm        = DOMAIN.LOCAL
   server string = Server
   security     = ADS
   encrypt passwords = Yes

   log level = 3
   log file = /var/log/samba4/log.%m
   max log size = 500

   hosts allow = 10.15. 127.0.0.1
   interfaces = localhost, re0
   bind interfaces only = Yes

  winbind trusted domains only  = no
  winbind use default domain    = no
  winbind enum users            = yes
  winbind enum groups           = yes
#  winbind refresh tickets = Yes
  winbind nested groups = Yes
  winbind expand groups = 10
#
# Samba 4.2 wbinfo works but getent no
#
require strong key = false
winbind sealed pipes = false
#client ldap sasl wrapping = plain


  idmap config *:backend        = tdb
  idmap config *:range          = 10000-2000000

  nsupdate command = /usr/local/bin/samba-nsupdate -g

  admin users = @Administrators, "@DOMAIN\Domain admins"

  vfs objects = zfsacl
  map acl inherit = yes
    ## Store DOS attributes in extended attributes (no mapping)
    map hidden = no
    map system = no
    map archive = no
    map readonly = no
    store dos attributes = no

    ## Extended attributes
    ea support = no

veto files = /*.eml/*.nws/*.{*}/
veto oplock files = /*.doc/*.xls/*.docx/*.xlsx/*.mdb/*.dbf/*.pst/*.ntx/*.idx/*.cdx/*.db/*.y??/*.xg?/*.mb/*.val/*.px/*.lck/

Thanks in advance for any help.
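
Added example, not part of the original post: in the two logs above, the \\server session authenticates through a Kerberos ticket while the \\IP session goes through NTLMSSP and ends in NT_STATUS_ACCESS_DENIED. The Python sketch below splits an smbd log (log level 3, mail-wrapped as above) into connections and reports the mechanism and error for each; the sample log is constructed from lines in the post, and the function name and the "new connection at init_oplocks" heuristic are assumptions.

```python
import re

# Constructed sample: abridged lines taken from the two sessions in the post.
SAMPLE_LOG = """\
[2015/08/02 22:58:46.763454,  3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:58:47.252483,  3]
../source3/auth/user_krb5.c:51(get_user_from_kerberos_info)
  Kerberos ticket principal name is [myuser@DOMAIN.LOCAL]
[2015/08/02 22:59:03.126703,  3] ../source3/smbd/oplock.c:1306(init_oplocks)
  init_oplocks: initializing messages.
[2015/08/02 22:59:03.676620,  3]
../auth/ntlmssp/ntlmssp_server.c:359(ntlmssp_server_preauth)
  Got user=[myuser] domain=[DOMAIN] workstation=[WSNAME] len1=24 len2=230
[2015/08/02 22:59:03.729944,  2]
../source3/auth/auth.c:315(auth_check_ntlm_password)
  check_ntlm_password:  Authentication for user [myuser] -> [myuser]
FAILED with error NT_STATUS_ACCESS_DENIED
"""

TS = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),")
KRB = re.compile(r"Kerberos ticket principal name is \[([^\]]+)\]")
NTLM = re.compile(r"Got user=\[([^\]]*)\] domain=\[([^\]]*)\]")
FAIL = re.compile(r"FAILED\s+with\s+error\s+(NT_STATUS_\w+)")

def summarize_sessions(log_text):
    """Return one dict per smbd connection: start time, mechanism, user, error."""
    sessions, current, last_ts = [], None, None
    for line in log_text.splitlines():
        m = TS.match(line)
        if m:
            last_ts = m.group(1)  # header may be wrapped, so remember the stamp
        if "(init_oplocks)" in line:  # assumption: logged once per new connection
            current = {"start": last_ts, "lines": []}
            sessions.append(current)
        elif current is not None:
            current["lines"].append(line.strip())
    report = []
    for s in sessions:
        text = " ".join(s["lines"])  # undo mail wrapping inside one connection
        krb, ntlm, fail = KRB.search(text), NTLM.search(text), FAIL.search(text)
        mech, user = None, None
        if krb:
            mech, user = "kerberos", krb.group(1)
        elif ntlm:
            mech, user = "ntlmssp", ntlm.group(2) + "\\" + ntlm.group(1)
        report.append({"start": s["start"], "mechanism": mech, "user": user,
                       "error": fail.group(1) if fail else None})
    return report
```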

