Samba 4 joined to AD: can access shares using FQDN but not using IP or aliases
Solution 1
Although this is an old(ish) post, I have just encountered this issue myself today, so I am sharing my solution to it.
When joining a machine to Active Directory, two sets of SPNs are created for the generated computer account: one on the FQDN and the second on the NetBIOS name (aka server name).
NetBIOS names are limited to 15 characters. In my case the server name was longer than 15 characters, so when I joined it to the domain, the generated SPN for the computer account was cut off from the 15th character on. The SPN with the FQDN, however, was complete, so accessing the shares with the server name failed while accessing with the FQDN worked.
Fixing the SPN in Active Directory worked for me and will likely work for you as well (though not for IP addresses; for that you need NTLM).
You might also need to reboot the server after adding SPNs to its computer account.
Solution 2
You cannot use the IP, because Kerberos is bound to FQDN only.
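To make Solution 1 (SPNs on the FQDN and on the 15-character NetBIOS name) and Solution 2 (no Kerberos for a bare IP) concrete, here is an added shell model that is not code from either answer or from Samba. It assumes a simplified SPN layout (HOST/<fqdn> and HOST/<netbios>, with HOST/ covering cifs/ via AD's default sPNMappings) and uses the names from the question.

```shell
# Added illustration, not from the answers: a simplified model of the SPNs a
# domain join registers and of which typed access names can get a Kerberos ticket.

# NetBIOS name: the short host name, upper-cased and cut to 15 characters.
# A longer server name is silently truncated here, which is the Solution 1 failure.
netbios_name() {
    printf '%s\n' "$1" | cut -d. -f1 | cut -c1-15 | tr '[:lower:]' '[:upper:]'
}

# The two SPN sets a join creates for the computer account (assumed layout):
# one on the FQDN and one on the NetBIOS name. HOST/ stands in for cifs/ through
# AD's default sPNMappings, so a client asking for cifs/<name> matches HOST/<name>.
join_spns() {
    printf 'HOST/%s\n' "$1"
    printf 'HOST/%s\n' "$(netbios_name "$1")"
}

# Can a client that typed \\<name> get a Kerberos service ticket?
# $1 = name as typed, $2 = newline-separated SPN list registered in AD.
# Returns 0 when an SPN matches, 1 otherwise (the client then falls back to NTLM).
kerberos_usable() {
    name=$1
    spns=$2
    case $name in
        *[!0-9.]*) ;;           # contains letters: a host name, look it up
        *) return 1 ;;          # bare IPv4 address: no SPN can match (Solution 2)
    esac
    upper=$(printf '%s\n' "$name" | tr '[:lower:]' '[:upper:]')
    printf '%s\n' "$spns" | tr '[:lower:]' '[:upper:]' | grep -qxF "HOST/$upper"
}

# Solution 1's fix, modelled: register an extra SPN for an alias or the full name.
add_spn() {
    printf '%s\nHOST/%s\n' "$1" "$2"
}

# Walk the question's names: FQDN and short name work, alias and IP do not.
demo() {
    spns=$(join_spns server-f1.my.ad.domain)
    for n in server-f1.my.ad.domain server-f1 server-f10.my.ad.domain 192.168.70.171; do
        if kerberos_usable "$n" "$spns"; then
            echo "$n: Kerberos"
        else
            echo "$n: NTLM fallback"
        fi
    done
}
```

Against a real domain the same check is `setspn -L <computer>` on a DC (or `samba-tool spn list`) compared with `klist -k` on the file server.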
Mat
Updated on September 18, 2022
Comments
-
Mat almost 2 years
I installed a new Openmediavault 4 server which I joined to my Active Directory managed by two Samba 4 Domain Controllers.
Specifications:
- Active Directory domain MY.AD.DOMAIN managed by two Samba 4 domain controllers (server-z1.my.ad.domain (192.168.70.201) and server-z2.my.ad.domain (192.168.70.202))
- One file server with Samba Version 4.5.12-Debian running on Openmediavault 4.1.0-1 (Debian 9 based)
- The IP address of the file server is 192.168.70.171
- The FQDN of the file server is server-f1.my.ad.domain
- The file server has an alias server-f10.my.ad.domain configured in the DNS
- I want to access the file server from clients using the IP address (\\192.168.70.171), the FQDN (\\server-f1.my.ad.domain) and the DNS alias (\\server-f10.my.ad.domain).
I joined Openmediavault using SSSD following the guide at https://forum.openmediavault.org/index.php/Thread/18886-Guide-how-to-join-OpenMediaVault-3-x-in-an-Active-Directory-domain/, and I can list domain users using getent passwd even after reboot. The problem I have is that I can access Samba shares on Openmediavault connecting to it using the FQDN (\\server-f1 or \\server-f1.my.ad.domain), but not using the IP address (\\192.168.70.171) or the DNS alias (\\server-f10 or \\server-f10.my.ad.domain).
When I access using the IP address or the DNS alias I get these errors on the Openmediavault system:
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.956409, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
Mar 15 20:14:54 server-f1 smbd[21103]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.957928, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
Mar 15 20:14:54 server-f1 smbd[21103]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961733, 1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:54 server-f1 smbd[21103]: WARNING: The "syslog" option is deprecated
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961772, 1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:54 server-f1 smbd[21103]: WARNING: The "syslog only" option is deprecated
Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961984, 2] ../source3/param/loadparm.c:2685(lp_do_section)
Mar 15 20:14:54 server-f1 smbd[21103]: Processing section "[homes]"
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.049955, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21103]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.050031, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21103]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.081918, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21103]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.081968, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21103]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.110632, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21103]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.110683, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21103]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112016, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
Mar 15 20:14:57 server-f1 smbd[21103]: domain_client_validate: Domain password server not available.
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112060, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
Mar 15 20:14:57 server-f1 smbd[21103]: check_ntlm_password: Authentication for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112088, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
Mar 15 20:14:57 server-f1 smbd[21103]: SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.121674, 2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
Mar 15 20:14:57 server-f1 smbd[21104]: ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125426, 1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:57 server-f1 smbd[21104]: WARNING: The "syslog" option is deprecated
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125460, 1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
Mar 15 20:14:57 server-f1 smbd[21104]: WARNING: The "syslog only" option is deprecated
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125698, 2] ../source3/param/loadparm.c:2685(lp_do_section)
Mar 15 20:14:57 server-f1 smbd[21104]: Processing section "[homes]"
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.197432, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21104]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.197476, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21104]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.227212, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21104]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.227250, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21104]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.257018, 1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
Mar 15 20:14:57 server-f1 smbd[21104]: Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.257051, 0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
Mar 15 20:14:57 server-f1 smbd[21104]: connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466888, 0] ../source3/auth/auth_domain.c:184(domain_client_validate)
Mar 15 20:14:57 server-f1 smbd[21104]: domain_client_validate: Domain password server not available.
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466920, 2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
Mar 15 20:14:57 server-f1 smbd[21104]: check_ntlm_password: Authentication for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466943, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
Mar 15 20:14:57 server-f1 smbd[21104]: SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
Mar 15 20:15:01 server-f1 CRON[21106]: (root) CMD (/usr/sbin/omv-mkrrdgraph >/dev/null 2>&1)
This is my Samba global configuration:
[global]
workgroup = DOMAIN
server string = %h server
dns proxy = no
log level = 3
syslog = 3
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = yes
panic action = /usr/share/samba/panic-action %d
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = no
unix password sync = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
socket options = TCP_NODELAY IPTOS_LOWDELAY
guest account = nobody
load printers = no
disable spoolss = yes
printing = bsd
printcap name = /dev/null
unix extensions = yes
wide links = no
create mask = 0777
directory mask = 0777
use sendfile = yes
aio read size = 16384
aio write size = 16384
local master = yes
time server = no
wins support = no
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
dedicated keytab file = FILE:/etc/krb5.keytab
password server = server-z1.my.ad.domain, server-z2.my.ad.domain
realm = MY.AD.DOMAIN
security = ads
template homedir = /home/my.ad.domain/users/%U
netbios name = server-f1
netbios aliases = server-f10
Could you help me please?
Thanks!
-
Nasir Riley over 6 years: Are you absolutely certain that the A name is correctly pointing server-f1.my.ad.domain to 192.168.70.171? If it's not then that would also explain why your alias isn't working. Try an nslookup on the ip address and make sure it's resolving to the correct hostname.
-
Mat over 6 years: Yes, I am sure that both server-f1.my.ad.domain and server-f10.my.ad.domain point to 192.168.70.171, I checked with nslookup and ping.
-
Nasir Riley over 6 years: What are the commands that you are using to connect to the shares?
-
Mat over 6 years: I am simply trying to browse the server from a Windows client
-
Nasir Riley over 6 years: From Windows Explorer? The start menu? What do you type in to do so?
-
Nasir Riley over 6 years: Perform ipconfig /flushdns and post the results of tracert to both the ip address and fqdn of the server. Something doesn't add up.