Hi.

I've got some samba servers (3.0.33-3.29.el5_6.2, on redhat 5) that join a windows 2003 AD.

When mounting the volume from a windows workstation, if I use \\ip.address.here it fails saying "The trust relationship between this workstation and the primary domain failed".

If I mount with \\fully.qualified.name it works just fine. Forward and reverse DNS match, and \\ip.address.here works for a microsoft box but not any of the samba boxes.

When I check the smbd.log, I never see the failed connections at the samba box, only the ones that worked with FQDN, which to me suggests the failure happens because AD isn't passing the connection to samba, which my AD admins say is because something in samba isn't working like windows, so the AD doesn't pass the request to the samba box because it doesn't look right to AD.

my smbd.conf is :
--------------------
# Global parameters
[global]
        workgroup = MYDOMAIN
        security = ADS
        realm = MY.DOMAIN
        load printers = No
        printing = bsd
        preferred master = No
        domain master = No
        local master = no
        os level = 0
        wins server = xxx.xxx.xxx.xxx
        ldap ssl = no
        browseable = yes
        restrict anonymous = yes
        guest account = nobody
        invalid users = nobody
        encrypt passwords = yes

[homes]
        comment = Home Directories
        writeable = Yes
        browseable = No
---------------------------

Any idea why IP mount fails trust with 2003 AD but Name would be ok? Is this a microsoft-ism to hate on samba, or am I missing something in my config?

Does this fail for everyone or just me?

test: start>run: \\ip.of.samba.box
      start>run: \\dns.name.of.box

if you have browse, it should show the available shares.
Gaiseric Vandal
2011-Mar-30 15:22 UTC
[Samba] Mounting samba volume by IP fails trust in AD
I have run into issues where by IP it worked, but not by name (this was with one particular samba server, with VPN clients, with WINS and Netbios not enabled over VPN.) So it does seem possible that the server handles requests based on name and IP differently.

Are all machines (samba, win 2003, clients) pointing to the same WINS server?
Are all machines pointing to the same DNS server?
Is the AD DC the WINS and DNS server?
Does the AD domain name space match the DNS domain name space?
Does the samba server krb5.conf have entries for the AD DC? (Not sure if this is really necessary.)
In smb.conf, what is "name resolve order" set to?

On 03/30/2011 10:42 AM, Walt Park wrote:
> Hi.
>
> I've got some samba servers (3.0.33-3.29.el5_6.2, on redhat 5) that join a
> windows 2003 AD.
>
> When mounting the volume from a windows workstation, if I use
> \\ip.address.here
> it fails saying "The trust relationship between this workstation and the
> primary domain failed"
>
> If I mount with \\fully.qualified.name it works just fine. Forward and
> reverse DNS match, and
> \\ip.address.here works for a microsoft box but not any of the samba boxes.
>
> When I check the smbd.log, I never see the failed connections at the samba
> box, only the ones
> that worked with FQDN, which to me suggests the failure happens because AD
> isn't passing the
> connection to samba, which my AD admins say is because something in samba
> isn't working like
> windows, so the AD doesn't pass the request to the samba box because it
> doesn't look right to AD.
>
> my smbd.conf is :
> --------------------
> # Global parameters
> [global]
>         workgroup = MYDOMAIN
>         security = ADS
>         realm = MY.DOMAIN
>         load printers = No
>         printing = bsd
>         preferred master = No
>         domain master = No
>         local master = no
>         os level = 0
>         wins server = xxx.xxx.xxx.xxx
>         ldap ssl = no
>         browseable = yes
>         restrict anonymous = yes
>         guest account = nobody
>         invalid users = nobody
>         encrypt passwords = yes
>
> [homes]
>         comment = Home Directories
>         writeable = Yes
>         browseable = No
> ---------------------------
>
> Any idea why IP mount fails trust with 2003 AD but Name would be ok?
> Is this a microsoft-ism to hate on samba, or am I missing something in my
> config?
>
> Does this fail for everyone or just me?
>
> test: start>run: \\ip.of.samba.box
>       start>run: \\dns.name.of.box
>
> if you have browse, it should show the available shares.
>
Volker Lendecke
2011-Mar-30 16:34 UTC
[Samba] Mounting samba volume by IP fails trust in AD
On Wed, Mar 30, 2011 at 09:42:33AM -0500, Walt Park wrote:
> Any idea why IP mount fails trust with 2003 AD but Name would be ok?
> Is this a microsoft-ism to hate on samba, or am I missing something in my
> config?

It's possible that via name you're using kerberos but via ip you're using ntlm. In the kerberos case Samba does not have to ask the DC, in the ntlm case it does.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
Well.. all my samba boxes are behaving the same way. When joined to the AD, they work when addressed by name, but fail trust with the AD when addressed by IP. AD is controlled by windows 2003, not by samba. I'm pretty sure if I made a samba PDC, I could get this to work, but I can't because that's not our architecture here. I have a mixture of a couple different versions on both solaris and linux, and they all seem to behave the same.

All the samba boxes use the same wins, which is the PDC. They also use a mix of DNS, for a couple of internal reasons, but for name/ip in regards to the AD, they will get the same responses because of the way delegation is set up among name servers. The AD does not run its own name space and defers to the bind clusters for dns.

The krb5.conf does point to the AD, as samba is the only thing on these boxes that uses kerberos.

name resolve order is not explicitly set, so defaults to lmhosts host wins bcast

Anyway, the samba servers are not seeing the connection attempt when they get the trust failure error. The AD seems to be rejecting the connection attempt and not directing the connection to the samba box. When I use a FQDN, I see the connection attempt, and it works fine. It's only when I use IP.

We have a security scanner that is failing because it is using IP since that's how its network discovery works, which is what I'm trying to fix.
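The following is an added illustration of Volker's point and is not code from the thread or from Samba. It parses a constructed copy of the smb.conf posted above (the WINS address is the same placeholder, and the name resolve order default is the one Walt states for his 3.0 servers), then, for a UNC target, predicts which authentication path a Windows client can take: Kerberos needs a service principal of the form cifs/<hostname>@REALM, so a name gives the client an SPN to request a ticket for, while an IP literal leaves it nothing to build one from and it falls back to NTLM. NTLM is the case Samba must hand to the DC over its machine-account trust, which is where the "trust relationship" failure surfaces. The hostnames and the 192.0.2.10 address are constructed sample values.

```python
"""Predict Kerberos vs NTLM for a UNC target and pull the relevant
settings out of an smb.conf. Added example for this thread; not Samba code."""

import ipaddress
import re

# Constructed copy of the smb.conf posted in the thread (WINS address is
# the same placeholder as in the original post).
SMB_CONF = """\
# Global parameters
[global]
        workgroup = MYDOMAIN
        security = ADS
        realm = MY.DOMAIN
        load printers = No
        printing = bsd
        preferred master = No
        domain master = No
        local master = no
        os level = 0
        wins server = xxx.xxx.xxx.xxx
        ldap ssl = no
        browseable = yes
        restrict anonymous = yes
        guest account = nobody
        invalid users = nobody
        encrypt passwords = yes

[homes]
        comment = Home Directories
        writeable = Yes
        browseable = No
"""

# Default when "name resolve order" is unset on Samba 3.x, as stated in the thread.
DEFAULT_NAME_RESOLVE_ORDER = "lmhosts host wins bcast"


def parse_smb_conf(text):
    """Minimal smb.conf parser: returns {section: {parameter: value}}.
    Parameter names are lower-cased with whitespace collapsed, which is how
    Samba treats them (so 'Name Resolve Order' == 'name resolve order')."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                     # [section] header
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:    # stray line outside a section
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def target_host(unc):
    """Return the host part of a UNC path such as \\\\host\\share."""
    m = re.match(r"^\\\\([^\\]+)", unc)
    if not m:
        raise ValueError("not a UNC path: %r" % unc)
    return m.group(1)


def is_ip_literal(host):
    """True for an IPv4/IPv6 literal, False for a NetBIOS name or FQDN."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def predict_auth(unc, global_conf):
    """Describe the authentication path a Windows client can take to `unc`.

    With a hostname the client can request a ticket for cifs/<host>@REALM and
    Samba validates it with its own machine-account key, without asking the
    DC. With an IP literal there is no hostname to put in the SPN, so the
    client falls back to NTLM, which Samba must pass to the DC through its
    machine-account trust (the path that can fail with a trust error)."""
    host = target_host(unc)
    realm = global_conf.get("realm", "").upper()
    if is_ip_literal(host):
        return {"host": host, "mechanism": "NTLM", "spn": None,
                "dc_contact_required": True}
    return {"host": host, "mechanism": "Kerberos",
            "spn": "cifs/%s@%s" % (host.lower(), realm),
            "dc_contact_required": False}


def name_resolve_order(global_conf):
    """Effective 'name resolve order', applying the 3.x default if unset."""
    return global_conf.get("name resolve order", DEFAULT_NAME_RESOLVE_ORDER).split()


if __name__ == "__main__":
    g = parse_smb_conf(SMB_CONF)["global"]
    for unc in (r"\\192.0.2.10\homes", r"\\fileserver.my.domain\homes"):
        print(unc, predict_auth(unc, g))
    print("name resolve order:", name_resolve_order(g))
```

Run against the two UNC paths from Walt's "start>run" test, the IP form comes back as NTLM with DC contact required and the FQDN form as Kerberos with the SPN cifs/fileserver.my.domain@MY.DOMAIN, which is the asymmetry Volker describes: the by-name mount never needs the DC at connection time, the by-IP mount does.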