Guido Leenders
2012-Jan-06 20:39 UTC
[Samba] Can access shares by IP, not by hostname from Windows clients (AD, W2K8 R2, Linux, Samba 3.6.1, KRB)
Hello,

I am running Samba version 3.6.1, and for several months we have no longer been able to access shares on that server by hostname. This only occurs for Windows clients (Windows 2008 R2, Windows 7). For Apple MacOS 10.5 and Linux clients, we can access the shares by \\ws86 using Active Directory registered passwords.

For Windows, we must use \\192.168.172.26. Neither \\ws86 nor \\WS86 works.

The only IP address of ws86 is 192.168.172.26. NetBIOS is also enabled, but of course there is an Active Directory environment. Active Directory is also used for security (see smb.conf). Winbind is not running; smb and nmb are. Successfully kinit-ed and joined domain.

Logging contains:

[2012/01/06 21:16:11.824330,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

With debugging on level 15, typical errors include (samba log with level 15 is too large to post here):

  libads/kerberos_verify.c:248: krb5_rd_req_return_keyblock_from_keytab(host/ws86.invantive.local@INVANTIVE.LOCAL) failed: Wrong principal in request

and

  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593758, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593846, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593929, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.594012, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.594094, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Bad encryption type

I have tried various enctypes. Made changes to allowed enctypes on the 2008 R2 Active Directory server. No success.

Even with experience back to Samba 2.0, this is too hard for me. Can someone provide me with a hint or pointer?

Regards,

Guido

--

[global]
   workgroup = INVANTIVE
   realm = INVANTIVE.LOCAL
   security = ads
   kerberos method=secrets and keytab
   template shell = /bin/ksh
   winbind use default domain = true
   winbind offline logon = false
   debuglevel=1
   password server = ws54
   winbind enum groups = yes
   winbind enum users = yes
   winbind nested groups = yes
   winbind separator = +
   server string = Samba %v
   interfaces = lo eth0 192.168.172.26/24
   passdb backend = tdbsam
   dns proxy = yes
   cups options = raw
   username map = /etc/samba/smbusers

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   inherit acls = yes
   delete readonly = yes
   create mask = 0600
   directory mask = 0700
   oplocks = yes
   force create mode = 0600
   force directory mode = 0700
   valid users = %S,INVANTIVE\Administrator,root,INVANTIVE\!gle3
   force user = %S
   hide files = /desktop.ini/$RECYCLE.BIN/

include=/etc/samba/smb.conf.invantive

--

root@ws86:/etc/samba# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  22 host/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 host/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 host/ws86.invantive.local@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 host/ws86@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 host/ws86@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 host/ws86@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 WS86$@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 WS86$@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 WS86$@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  13 ws86/Administrator@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  13 ws86/Administrator@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  13 ws86/Administrator@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
   3 host/WS86@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
   3 host/WS86@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 host/WS86@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 ws86/ws86@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 ws86/ws86@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 ws86/ws86@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 WS86$@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 WS86$@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 ws86/WS86@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  14 ws86/Administrator@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  14 ws86/Administrator@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  14 ws86/Administrator@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 ws86/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 ws86/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  22 ws86/ws86.invantive.local@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 host/ws86@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 host/ws86@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 host/ws86@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
   3 ws86/WS86@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
   3 ws86/WS86@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 host/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 ws86/ws86@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 ws86/ws86@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 WS86$@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 host/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 host/ws86.invantive.local@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 ws86/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  21 ws86/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
  21 ws86/ws86.invantive.local@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 ws86/ws86@INVANTIVE.LOCAL (ArcFour with HMAC/md5)

--

net view \\ws86
System error 5 has occurred.

Access is denied.

net view \\192.168.172.26
Shared resources at \\192.168.172.26

Samba 3.6.1

Share name  Type  Used as  Comment

-------------------------------------------------------------------------------
backup      Disk           Backup
...
The command completed successfully.

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: krb5.conf
URL: <http://lists.samba.org/pipermail/samba/attachments/20120106/4ca60da6/attachment.ksh>
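
An added example, not part of the original post: a small Python inventory for `klist -ke` output like the listing above, reporting per principal the newest KVNO, older KVNOs still in the keytab, and which enctype numbers have no key at the newest KVNO. The enctype numbers are the standard Kerberos assignments (the 1, 3 and 23 in the log are DES-CBC-CRC, DES-CBC-MD5 and RC4-HMAC); the function names, the default list of enctypes to check and the shortened sample are assumptions of this example.

```python
import re
from collections import defaultdict

# Standard Kerberos enctype numbers, keyed by the long names `klist -ke` prints.
ETYPE_BY_NAME = {
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD5": 3,
    "ArcFour with HMAC/md5": 23,
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18,
}
# "KVNO name@REALM (enctype)"; also accepts the "name at REALM" form mail archives produce.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+?)(?:\s+at\s+|@)(\S+)\s+\((.+)\)\s*$")

# Constructed sample: a shortened listing in the post's format (one entry in "at" form).
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
  22 host/ws86.invantive.local@INVANTIVE.LOCAL (DES cbc mode with CRC-32)
  22 host/ws86.invantive.local@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  21 host/ws86.invantive.local@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
  22 WS86$@INVANTIVE.LOCAL (ArcFour with HMAC/md5)
   3 host/WS86 at INVANTIVE.LOCAL (DES cbc mode with RSA-MD5)
"""

def parse_klist(text):
    """Return {principal: {kvno: set of enctypes}} from `klist -ke` output."""
    keys = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:  # header lines do not match and are skipped
            kvno, name, realm, etype = m.groups()
            # Unknown enctype names are kept as the printed string.
            keys[f"{name}@{realm}"][int(kvno)].add(ETYPE_BY_NAME.get(etype, etype))
    return keys

def report(keys, check_etypes=(17, 18, 23)):
    """Summarise each principal; check_etypes is an assumed list (AES and RC4)."""
    out = {}
    for principal, by_kvno in keys.items():
        newest = max(by_kvno)
        out[principal] = {
            "newest_kvno": newest,
            "older_kvnos": sorted(k for k in by_kvno if k != newest),
            "missing_etypes": [e for e in check_etypes if e not in by_kvno[newest]],
        }
    return out

if __name__ == "__main__":
    for principal, info in report(parse_klist(SAMPLE)).items():
        print(principal, info)
```

Principal names are compared case-sensitively here, so `host/ws86` and `host/WS86` are reported as separate entries, as they are in the keytab.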