Web lists-archives.com

Re: [Samba] Clients cannot auth to server 2012 with MIT DC




Any pointers here? I've poked this a bit more but haven't come up with any
more clues as to why Windows is rejecting the tickets.

On Sun, Apr 1, 2018 at 9:59 PM, Ryan Bair <ryandbair@xxxxxxxxx> wrote:

> I've been playing with a MIT powered DC. There are two DCs, an existing
> Heimdal based one running Samba 4.5 and a new MIT based one running 4.7.6.
>
> There are clients running Windows 7 and 10, a 2012R2 server, and a Samba
> 4.5 file server.
>
> Once the new MIT DC is brought online, clients can no longer connect to
> the Windows server by hostname. Connections still work via IP address which
> makes me suspect a Kerberos issue. Shutting down the MIT DC allows the
> clients to connect again.
>
> Packet captures show that clients are getting STATUS_ACCESS_DENIED while
> attempting to connect. This pops open a password dialog on the client,
> entering the credentials there causes the client to issue a TGS to the MIT
> DC, which gives a successful response, but the Windows server again denies
> access.
>
> On the Windows Server, I see an error 551 (authentication) in failure
> cases. Somewhat interesting is that the error has FULL.DOMAIN.NAME/user
> as the user versus the usual case of WORKGROUP/user.
>
> Any help would be appreciated.
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba