[Samba] Authentication method not the same between IP or DNS access

Benjamin Bellec b.bellec at gmail.com
Tue Jul 25 14:58:16 UTC 2017


I reply below :

2017-07-25 11:59 GMT+02:00 L.P.H. van Belle <belle at bazuin.nl>:

> This is clearly a setup problem but without the smb.conf, resolv.conf,
> hosts file.
>

You will find the files in the attachments.


> But i'll give it a try.
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens
> > Benjamin Bellec via samba
> > Verzonden: dinsdag 25 juli 2017 11:33
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] Authentication method not the same between
> > IP or DNS access
> >
> > Hello,
> >
> > I have a CentOS 7 server (up-to-date) which acts as samba file
> > share server.
> > It's integrated in my AD realm. This has been done with the
> > realm tool.
> > The AD integration works fine, I can even log in through SSH
> > with my personal Windows AD account.
> Great, this means your uid/gid setup is correct.
> ( double check : id username && getent passwd username )
>
>
Both work.


> >
> > The samba share works fine too from Windows 7 only if I try
> > to access it by specifying the AD hostname. Let me explain.
> > - The server has an IP address
> > - The short hostname configured in Linux is "myserver"
> > - My realm is "MYDOMAIN.local"
> > - The server has a hostname visible in the AD :
> > "myserver.mydomain.local"
> > - The server has a static hostname defined manually on the AD :
> > "myserver.mydomain.com"
> If you have 1 IP number but you use multiple hostnames, remove the static
> hostname
> and create a CNAME to the original hostname, this makes sure A/PTR
> resolving is correct.
>
>
The server has only 1 IP number.
So I removed my static A entry and instead created a CNAME entry
"myserver.mydomain.com" to match "myserver.mydomain.local"



> If your server has 2 IP numbers, then that should be ok, if dns is correctly
> set up.
> But you should configure krb5.conf to make your .mydomain.com known within
> your REALM.
>
> >
> > I can ping everything correctly : by ip, with
> > "myserver.mydomain.local" and with "myserver.mydomain.com"
> >
> > From Windows 7 :
> > - I'm able to access the share if I try to connect to the
> > server using "myserver.mydomain.local"
> > - I'm unable to access the share if I try to connect to the
> > server using "myserver.mydomain.com"
> Try also the complete path: \\server\share
>
>
Same result with \\server or \\server\share


> > - I'm unable to access the share if I try to connect to the
> > server using the IP address
> Try also the complete path: \\ip\share
>
> > In the last 2 cases, a window asking for credentials pops up.
> > Even if I enter correct credentials, the logon is a failure.
>
> Read this to get the understanding why this happens.
> https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/network-security-lan-manager-authentication-level
> And
>
> >
> > I caught a packet trace with Wireshark.
> > It looks like if I use "myserver.mydomain.local", Kerberos is
> > used for the authentication and it works fine.
> > But if I use the IP or "myserver.mydomain.com", it negotiates
> > NTLM SSP authentication and this doesn't work.
> >
> > Also, I tried from a Fedora 25 computer (which is not part of
> > the realm), and it negotiates NTLM in all 3 cases, and fails
> > in all 3 cases then.
> >
> > So, do you have an idea why NTLM auth fails?
> Because MS
> > And moreover why the authentication mechanism is different
> > according to the address used for the connection?
> >
> > FYI, I have a CentOS 6 server used for samba file share, and
> > it works fine with all 3 types of access.
> >
> > --
> > *Benjamin*
> > --

2017-07-25 12:02 GMT+02:00 L.P.H. van Belle via samba <samba at lists.samba.org>:

> Hai Benjamin,
>
> This is clearly a setup problem but without the smb.conf, resolv.conf,
> hosts file it is hard to see what's wrong.
> But i'll give it a try.
>
>
> > -----Oorspronkelijk bericht-----
> > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Benjamin
> > Bellec via samba
> > Verzonden: dinsdag 25 juli 2017 11:33
> > Aan: samba at lists.samba.org
> > Onderwerp: [Samba] Authentication method not the same between IP or
> > DNS access
> >
> > Hello,
> >
> > I have a CentOS 7 server (up-to-date) which acts as samba file share
> > server.
> > It's integrated in my AD realm. This has been done with the realm
> > tool.
> > The AD integration works fine, I can even log in through SSH with my
> > personal Windows AD account.
> Great, this means your uid/gid setup is correct.
> ( double check : id username && getent passwd username )
>
> >
> > The samba share works fine too from Windows 7 only if I try to access
> > it by specifying the AD hostname. Let me explain.
> > - The server has an IP address
> > - The short hostname configured in Linux is "myserver"
> > - My realm is "MYDOMAIN.local"
> > - The server has a hostname visible in the AD :
> > "myserver.mydomain.local"
> > - The server has a static hostname defined manually on the AD :
> > "myserver.mydomain.com"
> If you have 1 IP number but you use multiple hostnames, remove the static
> hostname and create a CNAME to the original hostname, this makes sure A/PTR
> resolving is correct.
>
> If your server has 2 IP numbers, then that should be ok, if dns is correctly
> set up.
> But you should configure krb5.conf to make your .mydomain.com known within
> your REALM.
>
> >
> > I can ping everything correctly : by ip, with
> > "myserver.mydomain.local" and with "myserver.mydomain.com"
> >
> > From Windows 7 :
> > - I'm able to access the share if I try to connect to the server using
> > "myserver.mydomain.local"
> > - I'm unable to access the share if I try to connect to the server
> > using "myserver.mydomain.com"
> Try also the complete path: \\server\share
>
> > - I'm unable to access the share if I try to connect to the server
> > using the IP address
> Try also the complete path: \\ip\share
> >
> > In the last 2 cases, a window asking for credentials pops up.
> > Even if I enter correct credentials, the logon is a failure.
>
> Read this to get the understanding why this happens.
> https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/network-security-lan-manager-authentication-level
> And
> https://support.microsoft.com/en-us/help/3181029/smb-file-server-share-access-is-unsuccessful-through-dns-cname-alias
>
> >
> > I caught a packet trace with Wireshark.
> > It looks like if I use "myserver.mydomain.local", Kerberos is used for
> > the authentication and it works fine.
> > But if I use the IP or "myserver.mydomain.com", it negotiates NTLM SSP
> > authentication and this doesn't work.
> >
> > Also, I tried from a Fedora 25 computer (which is not part of the
> > realm), and it negotiates NTLM in all 3 cases, and fails in all 3 cases
> > then.
> >
> > So, do you have an idea why NTLM auth fails?
> Because MS
> > And moreover why the authentication mechanism is different according
> > to the address used for the connection?
> >
> > FYI, I have a CentOS 6 server used for samba file share, and it works
> > fine with all 3 types of access.
> >
> > --
> > *Benjamin*
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> >
>
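The krb5.conf change suggested in the thread (making .mydomain.com "known within your REALM") is a [domain_realm] mapping on the Linux side. The fragment below is an added illustrative example, not a file from this thread, from Samba or from either poster; it assumes the realm MYDOMAIN.LOCAL and the two DNS suffixes mydomain.local and mydomain.com exactly as they appear in the post, and that KDCs are discoverable through DNS SRV records.

```ini
# Added illustrative krb5.conf fragment (not from the thread). The realm and
# DNS suffixes are the ones named in the post; adapt them to your own setup.
[libdefaults]
    default_realm = MYDOMAIN.LOCAL
    # Locate KDCs via _kerberos._tcp SRV records instead of a static list
    dns_lookup_kdc = true
    # Do not rely on DNS TXT records for hostname-to-realm mapping;
    # the explicit [domain_realm] rules below are authoritative
    dns_lookup_realm = false

[domain_realm]
    # Hosts under the realm's own DNS suffix
    .mydomain.local = MYDOMAIN.LOCAL
    mydomain.local  = MYDOMAIN.LOCAL
    # Hosts reached through the second suffix belong to the same realm.
    # Without these two lines the library has no local rule saying which
    # realm owns myserver.mydomain.com; if no service ticket can be obtained
    # for that name, SMB negotiation falls back to NTLM.
    .mydomain.com   = MYDOMAIN.LOCAL
    mydomain.com    = MYDOMAIN.LOCAL
```

Note that this mapping only helps clients that use this krb5.conf (the Samba host itself and Linux clients that have a ticket); a Windows client still decides between Kerberos and NTLM on its own, based on whether it can obtain a service ticket for the name it was given, which is why connecting by IP address, which never maps to a realm, is the case the Microsoft articles linked above describe.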

