[Samba] Authentication method not the same between IP or DNS access

[Benjamin Bellec]

Hello,

I have a CentOS 7 server (up-to-date) which act as samba file share server.
It's integrated in my AD realm. This have been done with the realm tool.
The AD integration works fine, I can even log through SSH with my personal
Windows AD account.

The samba share works fine too from Windows 7 only if I try to access it by
specifying the AD hostname. Let me explains.
- The server has an IP address
- The short hostname configured in Linux is "myserver"
- My realm is "MYDOMAIN.local"
- The server has a hostname visible in the AD : "myserver.mydomain.local"
- The server has a static hostname defined manually on the AD : "
myserver.mydomain.com"

I can ping everything correctly : by ip, with "myserver.mydomain.local" and
with "myserver.mydomain.com"

>From Windows 7 :
- I'm able to access the share if I try to connect to the server using
"myserver.mydomain.local"
- I'm unable to access the share if I try to connect to the server using "
myserver.mydomain.com"
- I'm unable to access the share if I try to connect to the server using
the IP address

In the last 2 cases, a window asking for credentials pops-up. Even if I
enter correct credentials, the logon is a failure.

I caught a packet trace with Wireshark.
It looks like if I use "myserver.mydomain.local", Kerberos is used for the
authentication and it works fine.
But if I use the IP or "myserver.mydomain.com", it negotiate NTLM SSP
authentication and this doesn't works.

Also, I tried from a Fedora 25 computer (which is not part of the realm),
and it negotiate NTLM in all 3 cases, and fails in all 3 cases then.

So, do you have an idea why NTLM auth fails ?
And moreover why the authentication mechanism is different according to the
address used for the connection ?

FYI, I have a CentOS 6 server used for samba file share, and it works fine
with all 3 type of access.

--
*Benjamin*