[Samba] Logging into Linux from Domain-joined Win10 desktop works for hostnames, not VIPs
vincent at cojot.name
vincent at cojot.name
Sun Jun 6 01:27:56 UTC 2021
I think I figured it out and in fact the solution was on the samba AD DC.
Here's my setup:
- dc00/dc01 (two small VMs running RHEL7.9 + samba AD/DC custom rpms)
- hypervisor1/2/3 : machines running RHEL8.4 with the RH-provided samba rpms
- a few Win10 endpoints (laptops), a few Fedora endpoints (laptops) and no
Macs. One Win10 VM for the purpose of running some things, including RSAT.
My son was trying to PuTTY/ssh from his Win10 machine to one of the VIPs
carried by one of the hypervisors. It worked when connecting to
<machine1.lasthome.solace.krynn> but not for
Here's what I did:
1) went into 'Active Directory Users and Computes' from my Win10 VM (I
used it to edit Policies for the Win10 endpoints in our domain).
2) View -> Advanced features - Select host (one of the hypervisors)
3) Attribute Editor -> edit servicePrincipalName
There, I added these records:
4) restarted sshd on machine1
After that, things started to work and it was now possible for him to
PuTTY ssh directly to the VIP by using the floating IP name (this is
required because all 3 hypervisors form a cluster and VIPs fail over from
one machine to the other) e.g: floating.lasthome.solace.krynn could be
carried by any of the 3 hypervisors.
Vincent S. Cojot, Computer Engineering. STEP project. _.,-*~'`^`'~*-,._.,-*~
Ecole Polytechnique de Montreal, Comite Micro-Informatique. _.,-*~'`^`'~*-,.
Linux Xview/OpenLook resources page _.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'
http://step.polymtl.ca/~coyote _.,-*~'`^`'~*-,._ coyote at NOSPAM4cojot.name
They cannot scare me with their empty spaces
Between stars - on stars where no human race is
I have it in me so much nearer home
To scare myself with my own desert places. - Robert Frost
On Sat, 5 Jun 2021, Vincent S. Cojot via samba wrote:
> I just tested this and it's entirely similar:
> I can PuTTY without a password prompt to <hostname1.lasthome.solace.krynn>
> or <hostname1.ad.lasthome.solace.krynn>
> If I try to PuTTY to <floating1.lasthome.solace.krynn>, or
> <floating1.ad.lasthome.solace.krynn> it prompts for a password.
> The servers are running RHEL8.4.
> I probably need to run 'net ads keytab <something>' so I'll be trying to
> figure out the 'something' part.. :)
> Sorry again for the noise,
> On Sat, 5 Jun 2021, Vincent S. Cojot via samba wrote:
>> Hi Rowland,
>> You are 100% right and perhaps what I am seeing in only sssd stuff. I've
>> been able to locate a BZ (#1) talking about something similar so perhaps I
>> only need to 'net ads keytab add' on the Linux hosts.
>> Sorry for the noise,
>> #1: https://bugzilla.redhat.com/show_bug.cgi?id=1529301
>> On Sat, 5 Jun 2021, Rowland penny via samba wrote:
>>> On 05/06/2021 20:56, Vincent S. Cojot via samba wrote:
>>>> Hi All,
>>>> I've observed some strange thing and I know too little about Windows
>>>> figure out what's going on so I would love it if someone could shed
>>>> Here's the thing:
>>>> From a win10 desktop, I PuTTY ssh to a server if I use PuTTY with the
>>>> remote server's hostname but if I use a VIP hosted on the same server,
>>>> user gets prompted for a UNIX password (I'm not using SSH keys in this
>>>> environment, only plain AD with bind).
>>>> In more detail:
>>>> my RHEL servers are joined to the domain using this:
>>>> # realm list
>>>> type: kerberos
>>>> realm-name: AD.LASTHOME.SOLACE.KRYNN
>>>> domain-name: ad.lasthome.solace.krynn
>>>> configured: kerberos-member
>>>> server-software: active-directory
>>>> client-software: sssd
>>>> required-package: oddjob
>>>> required-package: oddjob-mkhomedir
>>>> required-package: sssd
>>>> required-package: adcli
>>>> required-package: samba-common-tools
>>>> login-formats: %U
>>>> login-policy: allow-realm-logins
>>>> From any Windows10 desktop in the home, I can PuTTY without a password
>>>> prompt to <hostname1.lasthome.solace.krynn>.
>>>> If I try to PuTTY to <floating1.lasthome.solace.krynn>, my user gets
>>>> prompted for its password.
>>>> Any ideas? I'm just stumped.. (I don't use Win10 but some of my
>>>> do and one has a need to ssh from it to a Linux box).
>>>> Thank you,
>>> you appear to be trying to connect to 'floating1.lasthome.solace.krynn'
>>> but your AD dns domain appears to be 'ad.lasthome.solace.krynn', so of
>>> course you are going to get asked for a password.
>>> Can I ask where Samba comes into this ? If there are shares involved and
>>> the Samba version is >= 4.8.0, then you shouldn't be using sssd etc, but
>>> if you just want authentication, then you don't need Samba, you can just
>>> use sssd.
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba