Samba 4 joined to AD: can access to shares using FQDN but not using IP or aliases


Solution 1

Although this is an old(ish) post, I have just encountered this issue myself today, so I am sharing my solution to it.

When joining a machine to Active Directory, two sets of SPNs are created for the generated computer account: one on the FQDN and the second on the NetBIOS name (aka server name).

NetBIOS names are limited to 15 characters. In my case the server name was longer than 15 characters, so when I joined it to the domain, the generated SPN for the computer account was cut off from the 15th character on. The SPN with the FQDN, however, was complete, so accessing the shares with the server name failed while accessing with the FQDN worked.

Fixing the SPN in Active Directory worked for me and will likely work for you as well (though not for IP addresses; for that you need NTLM).

You might also need to reboot the server after adding SPNs to its computer account.
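The check the answer above describes, as an added example that is not part of the original post or of Samba: for every name clients may type (short host name, FQDN, DNS alias) it derives the cifs SPN the client will ask the KDC for, flags a host name too long for the 15-character NetBIOS name the join writes into the computer account, diffs the expected SPNs against a registered list (in practice the output of `samba-tool spn list` on a Samba DC or `setspn -L` on Windows), and prints the `samba-tool spn add` commands that close the gap. The host names are the ones from the question; the computer account name `SERVER-F1$` and the "registered" list in the demo are assumptions. Note that the log in the question shows the NTLM fallback also failing (`Could not find machine account in secrets database` followed by `NT_STATUS_NO_LOGON_SERVERS`), so registering SPNs fixes the alias but, as the answer says, access by IP address still depends on a working NTLM path.

```shell
#!/bin/sh
# Added example (not from the answer above): derive the SPNs a Samba member
# server needs for every name clients may use, detect NetBIOS truncation, and
# emit the registration commands. Host names are the ones from the question;
# the computer account name "SERVER-F1$" is an assumption.
set -eu

# Kerberos builds the service ticket request from the name the client typed
# (cifs/<name>@REALM), so every name in use needs its own SPN. For each short
# host name given, print the short and the FQDN form of the cifs SPN.
expected_spns() {
    domain="$1"; shift
    for h in "$@"; do
        printf 'cifs/%s\n' "$h"
        printf 'cifs/%s.%s\n' "$h" "$domain"
    done
}

# NetBIOS names are at most 15 characters; that is the name the join writes
# into the computer account, so a longer host name gets a truncated short-name
# SPN and clients asking for the full short name get no ticket.
netbios_name() {
    printf '%s' "$1" | cut -c1-15 | tr '[:lower:]' '[:upper:]'
}

# Exit status 0 when the host name is too long for NetBIOS.
netbios_truncated() {
    [ "${#1}" -gt 15 ]
}

# Print the expected SPNs (arg 1, newline separated) that are absent from the
# registered list (arg 2, e.g. the output of `samba-tool spn list SERVER-F1$`
# on a Samba DC or `setspn -L SERVER-F1$` on Windows). SPNs are compared
# case-insensitively, as AD does.
missing_spns() {
    printf '%s\n%s\n%s\n' "$2" '--END-REGISTERED--' "$1" | awk '
        /^--END-REGISTERED--$/ { past = 1; next }
        !past                  { seen[tolower($0)] = 1; next }
        $0 != "" && !(tolower($0) in seen)'
}

# One registration command per missing SPN, to be run on a Samba DC
# (Windows equivalent: setspn -S <spn> <account>, which refuses duplicates).
register_commands() {
    acct="$1"; shift
    for spn in "$@"; do
        printf 'samba-tool spn add %s %s\n' "$spn" "$acct"
    done
}

# Demonstration with the names from the question. The "registered" list is a
# constructed stand-in for what the join actually created on the account.
demo() {
    expected=$(expected_spns my.ad.domain server-f1 server-f10)
    registered=$(printf 'HOST/server-f1\ncifs/SERVER-F1\ncifs/server-f1.my.ad.domain\n')
    if netbios_truncated server-f1; then
        echo "warning: short name truncated to $(netbios_name server-f1)"
    fi
    # SPNs contain no whitespace, so word splitting here is safe.
    register_commands 'SERVER-F1$' $(missing_spns "$expected" "$registered")
}

demo
```

An SPN must be unique in the forest: registering `cifs/server-f10.my.ad.domain` on `SERVER-F1$` while it also exists on another account breaks Kerberos for both hosts, so query it first (`setspn -Q cifs/server-f10.my.ad.domain` on Windows) before adding. Nothing here touches the IP-address case; a client that types `\\192.168.70.171` cannot obtain a Kerberos ticket for that name and will fall back to NTLM.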

Solution 2

You cannot use the IP, because Kerberos is bound to FQDN only.

Author: Mat
Updated on September 18, 2022

Comments

  • Mat
    Mat almost 2 years

    I installed a new Openmediavault 4 server which I joined to my Active Directory managed by two Samba 4 Domain Controllers.

    Specifications:

    • Active Directory domain MY.AD.DOMAIN managed by two Samba 4 domain controllers (server-z1.my.ad.domain (192.168.70.201) and server-z2.my.ad.domain (192.168.70.202))
    • One file server with Samba Version 4.5.12-Debian running on Openmediavault 4.1.0-1 (Debian 9 based)
    • The IP address of the file server is 192.168.70.171
    • The FQDN of the file server is server-f1.my.ad.domain
    • The file server has an alias server-f10.my.ad.domain configured in the DNS
    • I want to access the file server from clients using the IP address (\\192.168.70.171), the FQDN (\\server-f1.my.ad.domain) and the DNS alias (\\server-f10.my.ad.domain).

    I joined Openmediavault using SSSD following the guide at https://forum.openmediavault.org/index.php/Thread/18886-Guide-how-to-join-OpenMediaVault-3-x-in-an-Active-Directory-domain/, and I can list domain users using getent passwd even after reboot.

    The problem I have is that I can access Samba shares on Openmediavault connecting to it using the FQDN (\\server-f1 or \\server-f1.my.ad.domain), but not using the IP address (\\192.168.70.171) or the DNS alias (\\server-f10 or \\server-f10.my.ad.domain).

    When I access using the IP address or the DNS alias I get these errors on the Openmediavault system:

    Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.956409,  2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
    Mar 15 20:14:54 server-f1 smbd[21103]:   ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
    Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.957928,  2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
    Mar 15 20:14:54 server-f1 smbd[21103]:   ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
    Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961733,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
    Mar 15 20:14:54 server-f1 smbd[21103]:   WARNING: The "syslog" option is deprecated
    Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961772,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
    Mar 15 20:14:54 server-f1 smbd[21103]:   WARNING: The "syslog only" option is deprecated
    Mar 15 20:14:54 server-f1 smbd[21103]: [2018/03/15 20:14:54.961984,  2] ../source3/param/loadparm.c:2685(lp_do_section)
    Mar 15 20:14:54 server-f1 smbd[21103]:   Processing section "[homes]"
    Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.049955,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
    Mar 15 20:14:57 server-f1 smbd[21103]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
    Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.050031,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
    Mar 15 20:14:57 server-f1 smbd[21103]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
    Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.081918,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
    Mar 15 20:14:57 server-f1 smbd[21103]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
    Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.081968,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
    Mar 15 20:14:57 server-f1 smbd[21103]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
    Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.110632,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
    Mar 15 20:14:57 server-f1 smbd[21103]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
    Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.110683,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
    Mar 15 20:14:57 server-f1 smbd[21103]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
    Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112016,  0] ../source3/auth/auth_domain.c:184(domain_client_validate)
    Mar 15 20:14:57 server-f1 smbd[21103]:   domain_client_validate: Domain password server not available.
    Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112060,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
    Mar 15 20:14:57 server-f1 smbd[21103]:   check_ntlm_password:  Authentication for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
    Mar 15 20:14:57 server-f1 smbd[21103]: [2018/03/15 20:14:57.112088,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
    Mar 15 20:14:57 server-f1 smbd[21103]:   SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.121674,  2] ../source3/librpc/crypto/gse_krb5.c:229(fill_mem_keytab_from_secrets)
    Mar 15 20:14:57 server-f1 smbd[21104]:   ../source3/librpc/crypto/gse_krb5.c:229: failed to fetch machine password
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125426,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
    Mar 15 20:14:57 server-f1 smbd[21104]:   WARNING: The "syslog" option is deprecated
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125460,  1] ../lib/param/loadparm.c:1729(lpcfg_do_global_parameter)
    Mar 15 20:14:57 server-f1 smbd[21104]:   WARNING: The "syslog only" option is deprecated
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.125698,  2] ../source3/param/loadparm.c:2685(lp_do_section)
    Mar 15 20:14:57 server-f1 smbd[21104]:   Processing section "[homes]"
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.197432,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
    Mar 15 20:14:57 server-f1 smbd[21104]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.197476,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
    Mar 15 20:14:57 server-f1 smbd[21104]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.227212,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
    Mar 15 20:14:57 server-f1 smbd[21104]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.227250,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
    Mar 15 20:14:57 server-f1 smbd[21104]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.257018,  1] ../auth/credentials/credentials_secrets.c:410(cli_credentials_set_machine_account_db_ctx)
    Mar 15 20:14:57 server-f1 smbd[21104]:   Could not find machine account in secrets database: Failed to fetch machine account password for DOMAIN from both secrets.ldb (Could not find entry to match filter: '(&(flatname=DOMAIN)(objectclass=primaryDomain))' base: 'cn=Primary Domains': No such object: dsdb_search at ../source4/dsdb/common/util.c:4575) and from /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.257051,  0] ../source3/auth/auth_domain.c:121(connect_to_domain_password_server)
    Mar 15 20:14:57 server-f1 smbd[21104]:   connect_to_domain_password_server: unable to open the domain client session to machine SERVER-Z1.MY.AD.DOMAIN. Error was : NT_STATUS_CANT_ACCESS_DOMAIN_INFO.
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466888,  0] ../source3/auth/auth_domain.c:184(domain_client_validate)
    Mar 15 20:14:57 server-f1 smbd[21104]:   domain_client_validate: Domain password server not available.
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466920,  2] ../source3/auth/auth.c:315(auth_check_ntlm_password)
    Mar 15 20:14:57 server-f1 smbd[21104]:   check_ntlm_password:  Authentication for user [my.user] -> [my.user] FAILED with error NT_STATUS_NO_LOGON_SERVERS
    Mar 15 20:14:57 server-f1 smbd[21104]: [2018/03/15 20:14:57.466943,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
    Mar 15 20:14:57 server-f1 smbd[21104]:   SPNEGO login failed: NT_STATUS_NO_LOGON_SERVERS
    Mar 15 20:15:01 server-f1 CRON[21106]: (root) CMD (/usr/sbin/omv-mkrrdgraph >/dev/null 2>&1)
    

    This is my Samba global configuration:

    [global]
    workgroup = DOMAIN
    server string = %h server
    dns proxy = no
    log level = 3
    syslog = 3
    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog only = yes
    panic action = /usr/share/samba/panic-action %d
    encrypt passwords = true
    passdb backend = tdbsam
    obey pam restrictions = no
    unix password sync = no
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
    pam password change = yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY
    guest account = nobody
    load printers = no
    disable spoolss = yes
    printing = bsd
    printcap name = /dev/null
    unix extensions = yes
    wide links = no
    create mask = 0777
    directory mask = 0777
    use sendfile = yes
    aio read size = 16384
    aio write size = 16384
    local master = yes
    time server = no
    wins support = no
    client signing = yes
    client use spnego = yes
    kerberos method = secrets and keytab
    dedicated keytab file = FILE:/etc/krb5.keytab
    password server = server-z1.my.ad.domain, server-z2.my.ad.domain
    realm = MY.AD.DOMAIN
    security = ads
    template homedir = /home/my.ad.domain/users/%U
    netbios name = server-f1
    netbios aliases = server-f10
    

    Could you help me please?

    Thanks!

    • Nasir Riley
      Nasir Riley over 6 years
      Are you absolutely certain that the A record correctly points server-f1.my.ad.domain to 192.168.70.171? If it doesn't, then that would also explain why your alias isn't working. Try an nslookup on the IP address and make sure it's resolving to the correct hostname.
    • Mat
      Mat over 6 years
      Yes, I am sure that both server-f1.my.ad.domain and server-f10.my.ad.domain point to 192.168.70.171, I checked with nslookup and ping.
    • Nasir Riley
      Nasir Riley over 6 years
      What are the commands that you are using to connect to the shares?
    • Mat
      Mat over 6 years
      I am simply trying to browse the server from a Windows client
    • Nasir Riley
      Nasir Riley over 6 years
      From Windows Explorer? The start menu? What do you type in to do so?
    • Nasir Riley
      Nasir Riley over 6 years
      Perform ipconfig /flushdns and post the results of tracert to both the ip address and fqdn of the server. Something doesn't add up.