thr3ads.net - samba - [Samba] Can access shares by IP, not by hostname from Windows clients (AD, W2K8 R2, Linux, Samba 3.6.1, KRB) [Jan 2012]

If this information is useful, please help other people find it:
Share via:
Guido Leenders
2012-Jan-06 20:39 UTC
[Samba] Can access shares by IP, not by hostname from Windows clients (AD, W2K8 R2, Linux, Samba 3.6.1, KRB)

Hello,

I am running a Samba version 3.6.1 and since several months we can no longer
access shares on that server by hostname. This only occurs for Windows clients
(Windows 2008 R2, Windows 7). For Apple MacOS 10.5 and Linux clients, we can
access the shares by \\ws86<file:///\\ws86> using Active Directory
registered passwords. For Windows, we must use
\\192.168.172.26<file:///\\192.168.172.26>. Neither
\\ws86<file:///\\ws86> nor \\WS86<file:///\\WS86> works.

The only IP address of ws86 is 192.168.172.26. Netbios is also enabled, but of
course there is an Active Directory environment. Active Directory is also used
for security (see smb.conf). Winbind not running, smb and nmb are. Successfully
kinit-ed and joined domain.

Logging contains:
[2012/01/06 21:16:11.824330,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

With debugging on level 15, typical errors include (samba log with level 15 is
too large to post here):
  libads/kerberos_verify.c:248:
krb5_rd_req_return_keyblock_from_keytab(host/ws86.invantive.local at
INVANTIVE.LOCAL) failed: Wrong principal in request

and

  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad
encryption type
[2012/01/06 21:16:50.593758, 10]
libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad
encryption type
[2012/01/06 21:16:50.593846, 10]
libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Bad
encryption type
[2012/01/06 21:16:50.593929, 10]
libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad
encryption type
[2012/01/06 21:16:50.594012, 10]
libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad
encryption type
[2012/01/06 21:16:50.594094, 10]
libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Bad
encryption type

I have tried various enctypes. Made changes to allowed enctypes on 2008 R2
active directory server. No success. Even with experience back to Samba 2.0,
this is too hard for me.

Can someone provide me with a hint or pointer?

Regards,

Guido

--

[global]
workgroup = INVANTIVE
realm = INVANTIVE.LOCAL
security = ads
kerberos method=secrets and keytab
template shell = /bin/ksh
winbind use default domain = true
winbind offline logon = false
debuglevel=1
password server = ws54
winbind enum groups = yes
winbind enum users = yes
winbind nested groups = yes
winbind separator = +
server string = Samba %v
interfaces = lo eth0 192.168.172.26/24
passdb backend = tdbsam
dns proxy = yes
cups options = raw
username map = /etc/samba/smbusers
[homes]
comment = Home Directories
browseable = no
writable = yes
inherit acls = yes
delete readonly = yes
create mask = 0600
directory mask = 0700
oplocks = yes
force create mode = 0600
force directory mode = 0700
valid users = %S,INVANTIVE\Administrator,root,INVANTIVE\!gle3
force user = %S
hide files = /desktop.ini/$RECYCLE.BIN/
include=/etc/samba/smb.conf.invantive

--

root at ws86:/etc/samba# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  22 host/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 host/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 host/ws86.invantive.local at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 host/ws86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 host/ws86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 host/ws86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 WS86$@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 WS86$@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 WS86$@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  13 ws86/Administrator at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  13 ws86/Administrator at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  13 ws86/Administrator at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
   3 host/WS86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
   3 host/WS86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 host/WS86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 ws86/ws86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 ws86/ws86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 ws86/ws86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 WS86$@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 WS86$@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 ws86/WS86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  14 ws86/Administrator at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  14 ws86/Administrator at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  14 ws86/Administrator at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 ws86/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 ws86/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 ws86/ws86.invantive.local at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 host/ws86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 host/ws86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 host/ws86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
   3 ws86/WS86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 ws86/WS86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 host/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 ws86/ws86 at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 ws86/ws86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 WS86$@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 host/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 host/ws86.invantive.local at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 ws86/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 ws86/ws86.invantive.local at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 ws86/ws86.invantive.local at INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 ws86/ws86 at INVANTIVE.LOCAL (ArcFour with HMAC/md5)

--

net view \\ws86
System error 5 has occurred.

Access is denied.

net view \\192.168.172.26
Shared resources at \\192.168.172.26

Samba 3.6.1

Share name            Type  Used as  Comment

-------------------------------------------------------------------------------
backup                Disk           Backup
...
The command completed successfully.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: krb5.conf
URL:
<http://lists.samba.org/pipermail/samba/attachments/20120106/4ca60da6/attachment.ksh>
samba - Jan 2012 - Can access shares by IP, not by hostname from Windows clients (AD, W2K8 R2, Linux, Samba 3.6.1, KRB)

[Samba] Can access shares by IP, not by hostname from Windows clients (AD, W2K8 R2, Linux, Samba 3.6.1, KRB)
