Re: [Samba] Authentication method not the same between IP or DNS access
On Tue, 25 Jul 2017 11:32:34 +0200
Benjamin Bellec via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> 
> I have a CentOS 7 server (up-to-date) which acts as a samba file share
> server. It's integrated in my AD realm. This has been done with the
> realm tool. The AD integration works fine, I can even log through SSH
> with my personal Windows AD account.
> 
> The samba share works fine too from Windows 7, but only if I try to
> access it by specifying the AD hostname. Let me explain.
> - The server has an IP address
> - The short hostname configured in Linux is "myserver"
> - My realm is "MYDOMAIN.local"
> - The server has a hostname visible in the AD :
> "myserver.mydomain.local"
> - The server has a static hostname defined manually on the AD :
> "myserver.mydomain.com"
> 
> I can ping everything correctly : by ip, with
> "myserver.mydomain.local" and with "myserver.mydomain.com"
> 
> From Windows 7 :
> - I'm able to access the share if I try to connect to the server using
> "myserver.mydomain.local"
> - I'm unable to access the share if I try to connect to the server
> using "myserver.mydomain.com"
> - I'm unable to access the share if I try to connect to the server
> using the IP address
> 
> In the last 2 cases, a window asking for credentials pops-up. Even if
> I enter correct credentials, the logon is a failure.
> 
> I caught a packet trace with Wireshark.
> It looks like if I use "myserver.mydomain.local", Kerberos is used
> for the authentication and it works fine.
> But if I use the IP or "myserver.mydomain.com", it negotiates NTLM SSP
> authentication and this doesn't work.
> 
> Also, I tried from a Fedora 25 computer (which is not part of the
> realm), and it negotiates NTLM in all 3 cases, and then fails in all 3
> cases.
> 
> So, do you have an idea why NTLM auth fails ?
> And moreover why the authentication mechanism is different according
> to the address used for the connection ?
> 
> FYI, I have a CentOS 6 server used for samba file share, and it works
> fine with all 3 types of access.
> 
> --
> *Benjamin*

I take it you missed that it isn't a good idea to use '.local' ?
Try turning Avahi off.

Your fileserver should also be in the same DNS domain as the realm
Do you have a reverse zone ?
NTLM is very deprecated, try another auth method, NTLMv2 ?

Rowland
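Added example, not part of the thread above and not Samba project code. The poster's trace shows Kerberos when the share is opened as myserver.mydomain.local and NTLMSSP when it is opened by IP or as myserver.mydomain.com. Neither message names the mechanism, so this script makes it explicit: a Windows SMB client asks the KDC for a ticket for cifs/<name exactly as typed>, AD's default sPNMappings let a HOST/<name> SPN on the machine account satisfy that request, and an IP literal never matches any SPN, so the client silently falls back to NTLM. The SPN listing is constructed (in the layout printed by `setspn -L` on a Windows box) and assumes the realm join registered only the .local names; the host names are the ones from the post, the IP is a documentation address, and `predict_auth` / `missing_spn` are helpers written for this example.

```shell
#!/bin/sh
# Predict Kerberos vs. NTLM fallback for an SMB client, from the SPNs on the
# file server's machine account. Illustrative helper, not a Samba tool.

# Constructed sample of `setspn -L MYSERVER` output (assumption: only the
# .local names were registered when the host was joined with realm/adcli).
SAMPLE_SPNS='Registered ServicePrincipalNames for CN=MYSERVER,OU=Servers,DC=mydomain,DC=local:
    HOST/myserver.mydomain.local
    HOST/MYSERVER
    RestrictedKrbHost/myserver.mydomain.local
    RestrictedKrbHost/MYSERVER'

# predict_auth NAME [SPN_LISTING]  -> prints "kerberos" or "ntlm"
# The client requests cifs/NAME; the KDC can serve that from a HOST/NAME or
# cifs/NAME SPN (SPN lookups are case-insensitive). IP literals never match.
predict_auth() {
    name=$1
    spns=${2:-$SAMPLE_SPNS}
    case "$name" in
        *:*)        echo ntlm; return 0 ;;   # IPv6 literal: no SPN possible
        *[!0-9.]*)  ;;                       # contains letters: a host name
        *)          echo ntlm; return 0 ;;   # IPv4 literal: no SPN possible
    esac
    lname=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
    # Lower-case the listing, strip indentation, then look for an exact
    # host/NAME or cifs/NAME line (fixed strings, whole line).
    if printf '%s\n' "$spns" | tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//' \
         | grep -qxF -e "host/$lname" -e "cifs/$lname"; then
        echo kerberos
    else
        echo ntlm
    fi
}

# missing_spn NAME [SPN_LISTING] -> prints the SPN that would have to be
# registered for NAME to get Kerberos; prints nothing for an IP literal or
# for a name that is already covered.
missing_spn() {
    name=$1
    [ "$(predict_auth "$name" "${2:-$SAMPLE_SPNS}")" = ntlm ] || return 0
    case "$name" in
        *[!0-9.:]*) echo "cifs/$name" ;;
    esac
}

# Walk the three ways the original poster connected.
for n in myserver.mydomain.local myserver.mydomain.com 192.0.2.10; do
    printf '%-28s %s\n' "$n" "$(predict_auth "$n")"
done
```

Run against the sample listing it reports kerberos for myserver.mydomain.local and ntlm for the other two, which is exactly the split the poster saw in Wireshark. For a second DNS name that must also use Kerberos, register it on the machine account (for example `setspn -S cifs/myserver.mydomain.com MYSERVER$` from a Windows admin host); access by bare IP will always end up in NTLMSSP, which is one more reason to point clients at a name. The script only predicts which mechanism is negotiated; it says nothing about why NTLM then fails, which the thread does not diagnose.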

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba