[Samba] Authentication method not the same between IP or DNS access
L.P.H. van Belle
belle at bazuin.nl
Tue Jul 25 10:02:02 UTC 2017
Hai Benjamin,
This is clearly a setup problem but without the smb.conf, resolv.conf, hosts file is hard to see whats wrong.
But i'll give it a try.
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Benjamin
> Bellec via samba
> Verzonden: dinsdag 25 juli 2017 11:33
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] Authentication method not the same between IP or
> DNS access
>
> Hello,
>
> I have a CentOS 7 server (up-to-date) which act as samba file share
> server.
> It's integrated in my AD realm. This have been done with the realm
> tool.
> The AD integration works fine, I can even log through SSH with my
> personal Windows AD account.
Great, this means you uid/gid setup is correct.
( double check : id usersname && getent passwd username )
>
> The samba share works fine too from Windows 7 only if I try to access
> it by specifying the AD hostname. Let me explains.
> - The server has an IP address
> - The short hostname configured in Linux is "myserver"
> - My realm is "MYDOMAIN.local"
> - The server has a hostname visible in the AD :
> "myserver.mydomain.local"
> - The server has a static hostname defined manually on the AD : "
> myserver.mydomain.com"
If you have 1 ipnumer but you use multiple hostnames, remove the static hostname And create a CNAME to the original hostname, this make sure A/PTR resolving is correct.
If you server has 2 ipnumers, then that should be ok, if dns is correctly setup.
But you should configure krb5.conf to make you .mydomain.com known within your REALM.
>
> I can ping everything correctly : by ip, with
> "myserver.mydomain.local" and with "myserver.mydomain.com"
>
> From Windows 7 :
> - I'm able to access the share if I try to connect to the server using
> "myserver.mydomain.local"
> - I'm unable to access the share if I try to connect to the server
> using " myserver.mydomain.com"
Try also the complete path: \\server\share
> - I'm unable to access the share if I try to connect to the server
> using the IP address
Try also the complete path: \\ip\share
>
> In the last 2 cases, a window asking for credentials pops-up.
> Even if I enter correct credentials, the logon is a failure.
Read this to get the understanding why this happens.
https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/network-security-lan-manager-authentication-level
And
https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias
>
> I caught a packet trace with Wireshark.
> It looks like if I use "myserver.mydomain.local", Kerberos is used for
> the authentication and it works fine.
> But if I use the IP or "myserver.mydomain.com", it negotiate NTLM SSP
> authentication and this doesn't works.
>
> Also, I tried from a Fedora 25 computer (which is not part of the
> realm), and it negotiate NTLM in all 3 cases, and fails in all 3 cases
> then.
>
> So, do you have an idea why NTLM auth fails ?Because MS And moreover
> why the authentication mechanism is different according to the address
> used for the connection ?
>
> FYI, I have a CentOS 6 server used for samba file share, and it works
> fine with all 3 type of access.
>
> --
> *Benjamin*
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list