sharpec
(EnzoC)
May 21, 2017, 10:29am
1
NethServer Version: NethServer release 7.3.1611 (Final)
Module: Samba
Hello to everyone, I know it’s Sunday, but I’m at work and I thought I was disturbing you
After more year i finally ready for migration of zentyal file server on nethserver 7.3
zentyal name SRV
nethserver name SAMBA
on SAMBA I have created domain named XXX.it
when I try to connect to \\samba from my PC, login doesn’t work
when I try to connect to \\samba.XXX.it, login works
in my Windows hosts file, I have inserted a custom entry (only for testing now, the official switch is tomorrow morning)
192.168.1.241 srv
when I try to connect to \\srv from my PC, login doesn’t work
More users in this year has work with Solidworks, this create big file with link to small file
\\srv\dwg\part1.sld
\\srv\dwg\part2.sld
etc…
without this link, file is inconsistent
Can I force login to an alias name on my DC Samba?
davidep
(Davide Principi)
May 21, 2017, 10:45am
2
Is your PC a win professional or home ed. version? Did it join the domain?
What is the DNS resolver config on your PC? Does it add XXX.it suffix?
ipconfig /all
sharpec
(EnzoC)
May 21, 2017, 10:58am
3
C:\Users\administrator.XXX>ipconfig /all
Configurazione IP di Windows
Nome host . . . . . . . . . . . . . . : admin-pc
Suffisso DNS primario . . . . . . . . : XXX.it
Tipo nodo . . . . . . . . . . . . . . : Ibrido
Routing IP abilitato. . . . . . . . . : No
Proxy WINS abilitato . . . . . . . . : No
Elenco di ricerca suffissi DNS. . . . : XXX.it
Scheda Ethernet Connessione alla rete locale (LAN):
Suffisso DNS specifico per connessione: XXX.it
Descrizione . . . . . . . . . . . . . : Scheda desktop Intel(R) PRO/1000 MT
Indirizzo fisico. . . . . . . . . . . :
DHCP abilitato. . . . . . . . . . . . : Sì
Configurazione automatica abilitata : Sì
Indirizzo IPv6 locale rispetto al collegamento . : (Preferenziale)
Indirizzo IPv4. . . . . . . . . . . . : 192.168.1.174(Preferenziale)
Subnet mask . . . . . . . . . . . . . : 255.255.255.0
Lease ottenuto. . . . . . . . . . . . : domenica 21 maggio 2017 12:48:04
Scadenza lease . . . . . . . . . . . : lunedì 22 maggio 2017 12:48:09
Gateway predefinito . . . . . . . . . : 192.168.1.254
Server DHCP . . . . . . . . . . . . . : 192.168.1.254
IAID DHCPv6 . . . . . . . . . . . : 235405351
DUID Client DHCPv6. . . . . . . . : 00-01-00-01-1E-49-07-A3-08-00-27-A5-AF-94
Server DNS . . . . . . . . . . . . . : 192.168.1.2 <---**NS-DC INTERFACE**
192.168.1.254
Server WINS primario . . . . . . . . : 192.168.1.2
NetBIOS su TCP/IP . . . . . . . . . . : Attivato
I have joined 3 machines at this time, all Pro version
My PC is a Win 10 Home
But now I have tried from a Win 7 Pro virtual machine, joined to the domain, with working admin tools.
same trick of hosts file, login to SRV failed
I have tried both enzo@xxx.it and xxx\enzo
load…load…load…
1 Like
davidep
(Davide Principi)
May 21, 2017, 1:08pm
4
Is srv zentyal down? Is nsdc updated to samba 4.6?
Please try from your PC and paste the output of
ping srv
ping samba
Is the dhcp server NS? Did you set any advanced parameter (like wins) in dhcp?
To add an alias name (both DNS and NetBIOS)
remove the client host “trick”
update nsdc to 4.6
in nethserver DNS page add a server alias: srv
in nethserver DHCP page remove any WINS setting
reboot your clients to get a new dhcp lease
at nethserver console set a NetBIOS alias SRV
yum install nethserver-samba
config setprop smb NetbiosAliasList SRV
signal-event nethserver-samba-update
Please check /var/log/messages for any error when clients connect. Also per-client log under /var/log/samba/
sharpec
(EnzoC)
May 21, 2017, 2:54pm
5
now yes, renamed in srv2, samba service disable, firewall drop samba packet
DHCP server and SAMBA are 2 different machines, I have removed the ns-dc IP from the wins parameter
ok
davidep:
update nsdc to 4.6
updated from Configuration → Account Provider
davidep:
in nethserver DNS page add a server alias: srv
srv.xxx.it added
done
davidep:
Please check /var/log/messages
in messages I have many
May 21 16:42:01 samba systemd-machined: Got message type=signal sender=:1.81454 destination=n/a object=/org/freedesktop/systemd1/unit/httpd_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=1417501 reply_cookie=0 error=n/a
May 21 16:42:01 samba systemd-machined: Got message type=signal sender=:1.81454 destination=n/a object=/org/freedesktop/systemd1/unit/httpd_2eservice interface=org.freedesktop.DBus.Properties member=PropertiesChanged cookie=1417502 reply_cookie=0 error=n/a
Per-client logs are all empty, 0 bytes
ll /var/log/samba/
total 20
drwx------ 4 root root 28 Nov 5 2016 cores
-rw-r--r-- 1 root root 0 Nov 5 2016 log.
-rw-r--r-- 1 root root 0 May 21 14:34 log.192.168.10.187
-rw-r--r-- 1 root root 0 Mar 30 13:43 log.192.168.1.11
-rw-r--r-- 1 root root 0 Nov 5 2016 log.192.168.1.120
-rw-r--r-- 1 root root 0 Feb 3 10:06 log.7-virt
-rw-r--r-- 1 root root 0 Apr 5 12:17 log.admin-pc
-rw-r--r-- 1 root root 0 Dec 22 09:43 log.amministra-pc
sharpec
(EnzoC)
May 21, 2017, 5:55pm
6
from ubuntu machine
smbclient //srv/officina -Uenzo@xxx.it
Enter enzo@xxx.it’s password:
Domain=[xxx] OS=[Windows 6.1] Server=[Samba 4.4.4]
tree connect failed: NT_STATUS_ACCESS_DENIED
yum info nethserver-dc
Loaded plugins: changelog, fastestmirror, nethserver_events, ovl
Loading mirror speeds from cached hostfile
* base: mirror.euserv.net
* epel: fr2.rpmfind.net
* extras: wftp.tu-chemnitz.de
* nethforge: mirror.nethserver.org
* nethserver-base: mirror.nethserver.org
* nethserver-updates: mirror.nethserver.org
* updates: ftp.uni-bayreuth.de
Installed Packages
Name : nethserver-dc
Arch : x86_64
Version : 1.2.1
Release : 1.ns7
Size : 14 M
Repo : installed
From repo : nethserver-updates
Summary : NethServer Domain Controller configuration
URL : http://github.com/NethServer/nethserver-dc
License : GPLv3+
Description : NethServer Samba 4 Domain Controller configuration
1 Like
davidep
(Davide Principi)
May 21, 2017, 6:10pm
7
File system permissions?
ls -l /var/lib/nethserver/ibay
sharpec
(EnzoC)
May 21, 2017, 6:15pm
8
I think they are correct
> ls -l /var/lib/nethserver/ibay
> total 144
> drwxrwsr-x 10 administrator@xxx.it domain admins@xxx.it 4096 May 18 10:18 aggi
> drwxrws---+ 24 administrator@xxx.it amministrazione@xxx.it 4096 May 8 14:54 amministrazione
> drwxrwsr-x+ 37 administrator@xxx.it domain users@xxx.it 4096 Mar 10 12:27 apps
on folder with guest read access, no problem,
on SAMBA login work, failed only on alias SRV, and log is empty.
Permission on log folder is correct root:root?
audit.log / smbaudit.log / log.smb …any entry with error or warning
Strange that samba does not log, he likes it so much
sharpec
(EnzoC)
May 21, 2017, 6:58pm
9
on a new vm joined to domain,
after reboot and login as admin@xxx.it
surf to \\samba (real name) is direct, without password and show folder admin@xxx.it
surf to \\srv (alias name), “error, user or password unknown”
sorry @davidep for this bad sunday
only possible solution is factory default dc?
sharpec
(EnzoC)
May 21, 2017, 7:26pm
10
in /etc/krb5.keytab
SRV is not present…No correlation?
i found this https://pagure.io/SSSD/sssd/issue/3228
What can happen if I change Fully qualified domain name
self-destruction??
1 Like
davidep
(Davide Principi)
May 21, 2017, 8:09pm
11
Yes
Surely yes, however I didn’t mention kerberos because you have also win home edition. If you want to access a share from a domain workstation you need to add a SPN with the required host alias to the server keytab file.
I did it once with (kinda)
net ads keytab add NEWSPN
It’s not a solution! Please do not do it!!
Very interesting link. One thing I don’t understand: why fallback to NTLM (v2?) does not work/happen.
Try to increase smb log level:
smbcontrol smbd debug 1
We need a log clue to understand…
sharpec
(EnzoC)
May 21, 2017, 8:20pm
12
Sorry I had to explain better.
Tomorrow morning 20 colleagues arrive, who will have to access the server.
I am one of the few with home edition.
Tomorrow I will have most clients win 7 pro out of domain
I wanted try to keep the name of the server unchanged
This is why I have some delphi programs pointing to SRV name, or excel file links, or solidworks drawings
davidep
(Davide Principi)
May 21, 2017, 8:31pm
13
For them you have to add the missing SPNs to the keytab!
As the link above explains the command should be like
net ads keytab add cifs/srv@XXX.IT cifs/srv.xxx.it@XXX.IT host/srv@XXX.IT host/srv.xxx.it@XXX.IT
sharpec
(EnzoC)
May 21, 2017, 8:50pm
14
THANKS @davidep
I have tried, but nothing…
before calling \\srv on the joined Windows client, KLIST was empty
after klist contained
Client: admin @ XXX.IT
Server: cifs/samba.xxx.it @ XXX.IT
May it fail because of this mismatch?
another mismatch is present between Status -> Domain Account
and net ads keytab list
only in the second are present
davidep:
net ads keytab add cifs/srv@XXX.IT cifs/srv.xxx.it@XXX.IT host/srv@XXX.IT host/srv.xxx.it@XXX.IT
if I do net ads keytab flush
and re-add all items…but for first SRV?
davidep
(Davide Principi)
May 21, 2017, 9:00pm
15
IIRC the keytab entries order is not important.
Did you add the srv-based entries to keytab? Maybe a smbd restart is required.
Also the DNS is important: if the smbd restart does not fix the issue, I suspect from your KLIST output the srv name is canonicalized to samba with a reverse-dns call. This is a fallback measure though…
Please paste the output of
klist -k /etc/krb5.keytab
sharpec
(EnzoC)
May 21, 2017, 9:10pm
16
[root@samba officina]# klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 host/samba.xxxxx.it@XXXXX.IT
1 host/samba.xxxxx.it@XXXXX.IT
1 host/samba.xxxxx.it@XXXXX.IT
1 host/samba.xxxxx.it@XXXXX.IT
1 host/samba.xxxxx.it@XXXXX.IT
1 host/SAMBA@XXXXX.IT
1 host/SAMBA@XXXXX.IT
1 host/SAMBA@XXXXX.IT
1 host/SAMBA@XXXXX.IT
1 host/SAMBA@XXXXX.IT
1 SAMBA$@XXXXX.IT
1 SAMBA$@XXXXX.IT
1 SAMBA$@XXXXX.IT
1 SAMBA$@XXXXX.IT
1 SAMBA$@XXXXX.IT
1 smtp/samba.xxxxx.it@XXXXX.IT
1 smtp/samba.xxxxx.it@XXXXX.IT
1 smtp/samba.xxxxx.it@XXXXX.IT
1 smtp/samba.xxxxx.it@XXXXX.IT
1 smtp/samba.xxxxx.it@XXXXX.IT
1 smtp/SAMBA@XXXXX.IT
1 smtp/SAMBA@XXXXX.IT
1 smtp/SAMBA@XXXXX.IT
1 smtp/SAMBA@XXXXX.IT
1 smtp/SAMBA@XXXXX.IT
1 pop/samba.xxxxx.it@XXXXX.IT
1 pop/samba.xxxxx.it@XXXXX.IT
1 pop/samba.xxxxx.it@XXXXX.IT
1 pop/samba.xxxxx.it@XXXXX.IT
1 pop/samba.xxxxx.it@XXXXX.IT
1 pop/SAMBA@XXXXX.IT
1 pop/SAMBA@XXXXX.IT
1 pop/SAMBA@XXXXX.IT
1 pop/SAMBA@XXXXX.IT
1 pop/SAMBA@XXXXX.IT
1 imap/samba.xxxxx.it@XXXXX.IT
1 imap/samba.xxxxx.it@XXXXX.IT
1 imap/samba.xxxxx.it@XXXXX.IT
1 imap/samba.xxxxx.it@XXXXX.IT
1 imap/samba.xxxxx.it@XXXXX.IT
1 imap/SAMBA@XXXXX.IT
1 imap/SAMBA@XXXXX.IT
1 imap/SAMBA@XXXXX.IT
1 imap/SAMBA@XXXXX.IT
1 imap/SAMBA@XXXXX.IT
1 cifs/samba.xxxxx.it@XXXXX.IT
1 cifs/samba.xxxxx.it@XXXXX.IT
1 cifs/samba.xxxxx.it@XXXXX.IT
1 cifs/samba.xxxxx.it@XXXXX.IT
1 cifs/samba.xxxxx.it@XXXXX.IT
1 cifs/SAMBA@XXXXX.IT
1 cifs/SAMBA@XXXXX.IT
1 cifs/SAMBA@XXXXX.IT
1 cifs/SAMBA@XXXXX.IT
1 cifs/SAMBA@XXXXX.IT
1 srv/samba.xxxxx.it@XXXXX.IT
1 srv/samba.xxxxx.it@XXXXX.IT
1 srv/samba.xxxxx.it@XXXXX.IT
1 srv/samba.xxxxx.it@XXXXX.IT
1 srv/samba.xxxxx.it@XXXXX.IT
1 srv/SAMBA@XXXXX.IT
1 srv/SAMBA@XXXXX.IT
1 srv/SAMBA@XXXXX.IT
1 srv/SAMBA@XXXXX.IT
1 srv/SAMBA@XXXXX.IT
1 cifs/srv@xxxxx.IT
1 cifs/srv@xxxxx.IT
1 cifs/srv@xxxxx.IT
1 cifs/srv@xxxxx.IT
1 cifs/srv@xxxxx.IT
1 cifs/srv.xxxxx.it@xxxxx.IT
1 cifs/srv.xxxxx.it@xxxxx.IT
1 cifs/srv.xxxxx.it@xxxxx.IT
1 cifs/srv.xxxxx.it@xxxxx.IT
1 cifs/srv.xxxxx.it@xxxxx.IT
1 host/srv@xxxxx.IT
1 host/srv@xxxxx.IT
1 host/srv@xxxxx.IT
1 host/srv@xxxxx.IT
1 host/srv@xxxxx.IT
1 host/srv.xxxxx.it@xxxxx.IT
1 host/srv.xxxxx.it@xxxxx.IT
1 host/srv.xxxxx.it@xxxxx.IT
1 host/srv.xxxxx.it@xxxxx.IT
1 host/srv.xxxxx.it@xxxxx.IT
1 SRV.XXXXX.IT/samba.xxxxx.it@XXXXX.IT
1 SRV.XXXXX.IT/samba.xxxxx.it@XXXXX.IT
1 SRV.XXXXX.IT/samba.xxxxx.it@XXXXX.IT
1 SRV.XXXXX.IT/samba.xxxxx.it@XXXXX.IT
1 SRV.XXXXX.IT/samba.xxxxx.it@XXXXX.IT
1 SRV.XXXXX.IT/SAMBA@XXXXX.IT
1 SRV.XXXXX.IT/SAMBA@XXXXX.IT
1 SRV.XXXXX.IT/SAMBA@XXXXX.IT
1 SRV.XXXXX.IT/SAMBA@XXXXX.IT
1 SRV.XXXXX.IT/SAMBA@XXXXX.IT
1 Like
davidep
(Davide Principi)
May 21, 2017, 9:23pm
17
OK I don’t know if case is relevant here, but I see a couple of entries are still missing (comparing to samba ones)
cifs/SRV@XXXXX.it
host/SRV@XXXXX.it
This should not be needed, but does not harm:
SRV$@XXXXX.it
Finally
systemctl restart smb
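The by-hand comparison in the post above (alias entries against the server's own entries in `klist -k` output), as an added example that is not part of the original thread. The function names, the `EXAMPLE.IT` realm and the sample listing are constructed for illustration; case-only differences are reported separately because the post leaves open whether case matters.

```python
import re

# Constructed sample in the layout printed by `klist -k /etc/krb5.keytab`
# (EXAMPLE.IT is a placeholder realm; one entry is repeated, as on the page).
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------
   1 host/samba.example.it@EXAMPLE.IT
   1 host/samba.example.it@EXAMPLE.IT
   1 host/SAMBA@EXAMPLE.IT
   1 cifs/samba.example.it@EXAMPLE.IT
   1 cifs/SAMBA@EXAMPLE.IT
   1 SAMBA$@EXAMPLE.IT
   1 cifs/srv@EXAMPLE.IT
   1 cifs/srv.example.it@EXAMPLE.IT
   1 host/srv.example.it@EXAMPLE.IT
"""

def parse_principals(klist_output):
    """Distinct principals from `klist -k` output (duplicate lines collapse)."""
    rows = (re.match(r"\s*\d+\s+(\S+@\S+)\s*$", l) for l in klist_output.splitlines())
    return {m.group(1) for m in rows if m}

def mirror_to_alias(principals, host, alias, services=("cifs", "host")):
    """Rewrite each service principal of `host` so that it names `alias` instead."""
    expected = set()
    for p in principals:
        name, _, realm = p.rpartition("@")
        svc, sep, hostpart = name.partition("/")
        label, dot, domain = hostpart.partition(".")
        if not sep or svc not in services or label.lower() != host.lower():
            continue  # machine account, other service, or another host name
        new_label = alias.upper() if label.isupper() else alias.lower()
        expected.add(f"{svc}/{new_label}{dot}{domain}@{realm}")
    return expected

def audit_alias(klist_output, host, alias):
    """Map every expected alias principal to present / case differs / missing."""
    have = parse_principals(klist_output)
    folded = {p.lower(): p for p in have}
    report = {}
    for want in sorted(mirror_to_alias(have, host, alias)):
        if want in have:
            report[want] = "present"
        elif want.lower() in folded:
            report[want] = "case differs: " + folded[want.lower()]
        else:
            report[want] = "missing"
    return report

if __name__ == "__main__":
    for principal, status in audit_alias(SAMPLE, "samba", "srv").items():
        print(f"{status:<40} {principal}")
```

On a real server, replace `SAMPLE` with the captured output of `klist -k /etc/krb5.keytab`.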
sharpec
(EnzoC)
May 21, 2017, 9:37pm
18
with
davidep:
SRV$@XXXXX.it
insert SRVXXXXX@XXXXX.IT
sorry 'SRV$'@XXXX.IT
work but don’t solve my stupid problem
davidep
(Davide Principi)
May 23, 2017, 3:50pm
19
Hi @sharpec , I’ve tried to reproduce the scenario on a VM file server, joined to a remote nsdc. What I did is
config setprop smb NetbiosAliasList SRV
systemctl stop smb nmb
signal-event nethserver-samba-update
It works from both domain workstation (kerberos, win10) and smbclient. No DNS alias was required, I guess because in LAN netbios name resolution works here.
The klist command on win10 reports an empty cache, thus it confirms NTLM protocols are used as fallback.
Did you manage to solve your issue?
sharpec
(EnzoC)
May 23, 2017, 7:30pm
20
I will try tomorrow, tonight I go to bed soon
Thanks for your help and your efforts!
EDIT: Ok I tried, but it does not work
I do not want to make you spend more time, I’ve migrated old name to the new one
Thank you very much
2 Likes