[solved] [samba] Share inaccessible using the IP address or a DNS alias

lecbee
Posts: 14
Joined: 2014/03/27 09:13:26

[solved] [samba] Share inaccessible using the IP address or a DNS alias

Post by lecbee » 2017/06/02 15:54:18

Hello,

I have a CentOS 7 server (up-to-date) which acts as a samba file share server. It's integrated in my AD realm. This has been done with the realm tool.
The AD integration works fine, I can even log through SSH with my personal Windows AD account.

The samba share works fine too from Windows 7 only if I try to access it by specifying the AD hostname. Let me explain.
- The server has an IP address
- The short hostname configured in Linux is "myserver"
- My realm is "MYDOMAIN.local"
- The server has a hostname visible in the AD: "myserver.mydomain.local"
- The server has a static hostname defined manually on the AD: "myserver.mydomain.com"

I can ping everything correctly: by IP, with "myserver.mydomain.local" and with "myserver.mydomain.com"

From Windows 7:
- I'm able to access the share if I try to connect to the server using "myserver.mydomain.local"
- I'm unable to access the share if I try to connect to the server using "myserver.mydomain.com"
- I'm unable to access the share if I try to connect to the server using the IP address

In the last 2 cases, a window asking for credentials pops up. Even if I enter correct credentials, the logon is a failure.

I caught a packet trace with Wireshark.
It looks like if I use "myserver.mydomain.local", Kerberos is used for the authentication and it works fine.
But if I use the IP or "myserver.mydomain.com", it negotiates NTLM SSP authentication and this doesn't work.

Also, I tried from a Fedora 25 computer (which is not part of the realm), and it negotiates NTLM in all 3 cases, and then fails in all 3 cases.

So, do you have an idea why NTLM auth fails?
And moreover, why is the authentication mechanism different if I use the IP address or the DNS name?

FYI, I have a CentOS 6 server used for samba file share, and it works fine with all 3 types of access.
Last edited by lecbee on 2017/09/23 22:43:55, edited 1 time in total.

lecbee
Posts: 14
Joined: 2014/03/27 09:13:26

Re: [samba] Share inaccessible using the IP address or a DNS alias

Post by lecbee » 2017/09/23 21:34:32

Since I wrote this post, I've fixed my problem and learned many things :)
I will explain how I fixed this and what was really happening. Hopefully this will help someone else coming here through Google.


1) Only use DNS names to access your server, instead of IP addresses.
The Kerberos protocol relies on DNS names; it can't be used with an IP address.
So in fact when you try to access your server with an IP, you are not using Kerberos, but probably an older and weaker protocol, like NTLM.
AFAIK, SSSD can only use Kerberos, it can't work with NTLM, that's why you can't access your server with an IP address on a CentOS 7 box configured with SSSD for Samba shares.
2) If possible, avoid using a .local pseudo-TLD like in myserver.mydomain.local
Preferably use anything else but .local, for instance myserver.mydomain.dom

The .local pseudo-TLD is a special TLD used in the mDNS protocol.

3) Your Linux hostname must be a FQDN (Fully Qualified Domain Name).
That means it should be myserver.mydomain.dom and not just myserver

The hostnamectl command should return something like this:
# hostnamectl
Static hostname: myserver.mydomain.dom
Icon name: computer-server
Chassis: server


Instead of this:
# hostnamectl
Static hostname: myserver
Icon name: computer-server
Chassis: server

4) Use CNAME records to register a DNS alias, instead of a new A record.
If your server hostname is myserver.mydomain.dom and you want it to also be accessed with another DNS name, for instance fileserver.mydomain.dom, register this new alias with a CNAME record for it. Do not use an A record.
5) Register a new SPN (Service Principal Name) for the DNS alias.
On your Active Directory server (or Samba AD DC), register a new SPN for the alias (fileserver.mydomain.dom) you've added previously.
For that, use a Windows shell (with Admin rights) and add your SPN, for instance:
#> setspn.exe -S HOST/fileserver.mydomain.dom myserver
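The Linux-side points above (FQDN hostname, no .local, alias as a CNAME, never connect by IP) can be checked before touching the AD side. The script below is an added example written for this thread, not something the poster or the Samba project ships. It takes the hostname and a DNS alias as arguments, plus answer-section lines in the layout `dig +noall +answer` prints, so it runs offline; all hostnames, the alias and the DNS answers in it are constructed sample data, and the function names are my own. The SPN step (point 5) stays on the Windows side with setspn and is not covered here.

```shell
#!/bin/sh
# Pre-flight checks for a Samba member server joined with realm/SSSD.
# Added example for this thread; names and DNS answers below are constructed.

# Point 3: the hostname must be an FQDN, i.e. contain at least one dot.
is_fqdn() {
    case "$1" in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Point 2: .local is the mDNS pseudo-TLD and should not be used for the realm.
uses_local_tld() {
    case "$1" in
        *.local|*.local.) return 0 ;;
        *)                return 1 ;;
    esac
}

# Point 1: a dotted-quad literal gets no Kerberos ticket, only NTLM fallback.
is_ip_literal() {
    case "$1" in
        *[!0-9.]*) return 1 ;;   # anything besides digits and dots is a name
        *)         return 0 ;;
    esac
}

# Point 4: given answer lines in dig's "NAME TTL CLASS TYPE DATA" layout,
# print the record TYPE of the first answer whose NAME matches (with or
# without the trailing dot). Prints nothing if the name has no answer.
alias_record_type() {
    name="$1"
    answer="$2"
    printf '%s\n' "$answer" | awk -v n="$name" '
        $1 == n || $1 == (n ".") { print $4; exit }
    '
}

# Combined report: one line per finding; returns 1 if any check fails.
samba_preflight() {
    host="$1"; alias_name="$2"; dig_answer="$3"
    rc=0
    if is_fqdn "$host"; then
        echo "ok   hostname '$host' is an FQDN (point 3)"
    else
        echo "FAIL hostname '$host' is not an FQDN (point 3)"; rc=1
    fi
    if uses_local_tld "$host"; then
        echo "FAIL '$host' uses the .local mDNS pseudo-TLD (point 2)"; rc=1
    fi
    if is_ip_literal "$alias_name"; then
        echo "FAIL '$alias_name' is an IP literal; clients will fall back to NTLM (point 1)"; rc=1
        return $rc
    fi
    t=$(alias_record_type "$alias_name" "$dig_answer")
    case "$t" in
        CNAME) echo "ok   $alias_name is a CNAME (point 4)" ;;
        "")    echo "FAIL no DNS answer for $alias_name"; rc=1 ;;
        *)     echo "FAIL $alias_name is an $t record, expected CNAME (point 4)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample answers, not output from any real zone.
GOOD_ANSWER='fileserver.mydomain.dom. 3600 IN CNAME myserver.mydomain.dom.
myserver.mydomain.dom. 3600 IN A 192.0.2.10'
BAD_ANSWER='fileserver.mydomain.dom. 3600 IN A 192.0.2.10'

# Usage: a correct setup passes, a short hostname with an A-record alias fails.
samba_preflight myserver.mydomain.dom fileserver.mydomain.dom "$GOOD_ANSWER"
samba_preflight myserver fileserver.mydomain.dom "$BAD_ANSWER" || echo "preflight failed, as expected for the bad setup"
```

On a live box, replace the constructed answers with `dig +noall +answer fileserver.mydomain.dom` and the first argument with `hostname -f`; the report then tells you which of the four Linux-side points still needs fixing before registering the SPN.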

northpoint
Posts: 107
Joined: 2016/05/23 11:57:12

Re: [samba] Share inaccessible using the IP address or a DNS alias

Post by northpoint » 2017/09/23 22:12:30

I want to thank you for your follow up posts. There are many times I want to help others here but my knowledge of networking in the realm (pardon the pun) of AD and DNS is a bit lacking. I tend to lurk and just make mental notes of how the issue was solved.

It's truly frustrating when you have an issue and cannot find an answer - especially when you find that it seems no one else is having this issue. I had this when setting up Samba AD. Couldn't get the verification of DNS to work without error from the samba AD howto. As I remember I was for some reason using the wrong host name ;)

Anyways, I'm glad you got your problem solved.

I am gearing up for a server replacement at one of my small business clients and will be using Icewarp and samba AD. I have set up a couple of VB VMs to do a test run on. Everything is working great so far. But the learning curve is a bit steep :)

Ok, Enough ramblings... too much coffee...

Take Care,
Ryzen x1800 * Asus x370 Pro * CentOS 7.4 64bit / Icewarp /
