[Samba] Authentication method not the same between IP or DNS access
b.bellec at gmail.com
Tue Jul 25 09:32:34 UTC 2017
I have a CentOS 7 server (up-to-date) which act as samba file share server.
It's integrated in my AD realm. This have been done with the realm tool.
The AD integration works fine, I can even log through SSH with my personal
Windows AD account.
The samba share works fine too from Windows 7 only if I try to access it by
specifying the AD hostname. Let me explains.
- The server has an IP address
- The short hostname configured in Linux is "myserver"
- My realm is "MYDOMAIN.local"
- The server has a hostname visible in the AD : "myserver.mydomain.local"
- The server has a static hostname defined manually on the AD : "
I can ping everything correctly : by ip, with "myserver.mydomain.local" and
>From Windows 7 :
- I'm able to access the share if I try to connect to the server using
- I'm unable to access the share if I try to connect to the server using "
- I'm unable to access the share if I try to connect to the server using
the IP address
In the last 2 cases, a window asking for credentials pops-up. Even if I
enter correct credentials, the logon is a failure.
I caught a packet trace with Wireshark.
It looks like if I use "myserver.mydomain.local", Kerberos is used for the
authentication and it works fine.
But if I use the IP or "myserver.mydomain.com", it negotiate NTLM SSP
authentication and this doesn't works.
Also, I tried from a Fedora 25 computer (which is not part of the realm),
and it negotiate NTLM in all 3 cases, and fails in all 3 cases then.
So, do you have an idea why NTLM auth fails ?
And moreover why the authentication mechanism is different according to the
address used for the connection ?
FYI, I have a CentOS 6 server used for samba file share, and it works fine
with all 3 type of access.
More information about the samba