vincent at cojot.name
2021-Jun-05 19:56 UTC
[Samba] Logging into Linux from Domain-joined Win10 desktop works for hostnames, not VIPs
Hi All,

I've observed some strange thing and I know too little about Windows to figure out what's going on so I would love it if someone could shed some light..

Here's the thing:

From a win10 desktop, I PuTTY ssh to a server if I use PuTTY with the remote server's hostname but if I use a VIP hosted on the same server, my user gets prompted for a UNIX password (I'm not using SSH keys in this environment, only plain AD with bind).

In more detail:
my RHEL servers are joined to the domain using this:

# realm list
ad.lasthome.solace.krynn
  type: kerberos
  realm-name: AD.LASTHOME.SOLACE.KRYNN
  domain-name: ad.lasthome.solace.krynn
  configured: kerberos-member
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
  login-formats: %U
  login-policy: allow-realm-logins

From any Windows10 desktop in the home, I can PuTTY without a password prompt to <hostname1.lasthome.solace.krynn>.

If I try to PuTTY to <floating1.lasthome.solace.krynn>, my user gets prompted for its password.

Any ideas? I'm just stumped.. (I don't use Win10 but some of my children do and one has a need to ssh from it to a Linux box).

Thank you,

Vincent
Andrew Bartlett
2021-Jun-05 20:00 UTC
[Samba] Logging into Linux from Domain-joined Win10 desktop works for hostnames, not VIPs
On Sat, 2021-06-05 at 15:56 -0400, Vincent S. Cojot via samba wrote:
> From any Windows10 desktop in the home, I can PuTTY without a password
> prompt to <hostname1.lasthome.solace.krynn>.
>
> If I try to PuTTY to <floating1.lasthome.solace.krynn>, my user gets
> prompted for its password.
>
> Any ideas? I'm just stumped.. (I don't use Win10 but some of my children
> do and one has a need to ssh from it to a Linux box).

Access by hostname might be using Kerberos tickets, but these only work to names, not IPs.

If you want to use additional names, these need to be a servicePrincipalName on the host.

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT   https://catalyst.net.nz/services/samba
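An added example, not part of the thread: a small check for the situation described in the reply above, reporting which of the names users type into their SSH client have no host/ key in the server's keytab. The function name and the sample keytab listing are constructed for illustration; the listing follows the layout printed by `klist -k`.

```shell
#!/bin/sh
# Added example (not from the thread). Reads the text printed by `klist -k`
# on stdin and prints every name given as an argument that has no
# host/<name>@REALM entry, i.e. names for which sshd holds no Kerberos key.

missing_host_principals() {
    listing=$(cat)
    for name in "$@"; do
        want="host/${name}@"
        # Keytab rows look like "<kvno> <principal>"; header rows are skipped
        # because their first column is not a number. The match is exact and
        # case-sensitive on the part of the principal before the realm.
        if ! printf '%s\n' "$listing" |
             awk -v want="$want" '
                 $1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 }
                 END { exit (found ? 0 : 1) }'
        then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample: a keytab that only knows the machine's own hostname.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 HOSTNAME1$@AD.LASTHOME.SOLACE.KRYNN
   2 host/HOSTNAME1@AD.LASTHOME.SOLACE.KRYNN
   2 host/hostname1.lasthome.solace.krynn@AD.LASTHOME.SOLACE.KRYNN'

# Demo on the sample: the floating name is reported as missing.
printf '%s\n' "$SAMPLE_KEYTAB" |
    missing_host_principals hostname1.lasthome.solace.krynn \
                            floating1.lasthome.solace.krynn
```

On a real server, pipe the output of `klist -k /etc/krb5.keytab` (run as root) into the function instead of the sample.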
Rowland penny
2021-Jun-05 20:15 UTC
[Samba] Logging into Linux from Domain-joined Win10 desktop works for hostnames, not VIPs
On 05/06/2021 20:56, Vincent S. Cojot via samba wrote:
>
> Hi All,
>
> I've observed some strange thing and I know too little about Windows
> to figure out what's going on so I would love it if someone could shed
> some light..
>
> Here's the thing:
>
> From a win10 desktop, I PuTTY ssh to a server if I use PuTTY with the
> remote server's hostname but if I use a VIP hosted on the same server,
> my user gets prompted for a UNIX password (I'm not using SSH keys in
> this environment, only plain AD with bind).
>
> In more detail:
> my RHEL servers are joined to the domain using this:
>
> # realm list
> ad.lasthome.solace.krynn
>   type: kerberos
>   realm-name: AD.LASTHOME.SOLACE.KRYNN
>   domain-name: ad.lasthome.solace.krynn
>   configured: kerberos-member
>   server-software: active-directory
>   client-software: sssd
>   required-package: oddjob
>   required-package: oddjob-mkhomedir
>   required-package: sssd
>   required-package: adcli
>   required-package: samba-common-tools
>   login-formats: %U
>   login-policy: allow-realm-logins
>
> From any Windows10 desktop in the home, I can PuTTY without a password
> prompt to <hostname1.lasthome.solace.krynn>.
>
> If I try to PuTTY to <floating1.lasthome.solace.krynn>, my user gets
> prompted for its password.
>
> Any ideas? I'm just stumped.. (I don't use Win10 but some of my
> children do and one has a need to ssh from it to a Linux box).
>
> Thank you,
>
> Vincent
>

You appear to be trying to connect to 'floating1.lasthome.solace.krynn' but your AD dns domain appears to be 'ad.lasthome.solace.krynn', so of course you are going to get asked for a password.

Can I ask where Samba comes into this? If there are shares involved and the Samba version is >= 4.8.0, then you shouldn't be using sssd etc, but if you just want authentication, then you don't need Samba, you can just use sssd.

Rowland