I have a CentOS 7 server with Samba 4.6.2, joined to a Windows Server 2008 R2 Domain, and cannot access any shares from Windows using the server's hostname or FQDN, only by IP address.
I have verified DNS is working with nslookup for server to client, client to server, and verified all SRV records for AD resolve on the samba server.
When I try using the hostname or FQDN Windows will display an error "Logon Failure: The target account name is incorrect" and the samba logs for the client show this:
[2017/09/28 13:04:00.119699, 3] ../source3/smbd/oplock.c:1322(init_oplocks)
init_oplocks: initializing messages.
[2017/09/28 13:04:00.119899, 3] ../source3/smbd/process.c:1957(process_smb)
Transaction 0 of length 159 (0 toread)
[2017/09/28 13:04:00.119956, 3] ../source3/smbd/process.c:1538(switch_message)
switch message SMBnegprot (pid 15584) conn 0x0
[2017/09/28 13:04:00.120920, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2017/09/28 13:04:00.120968, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [LANMAN1.0]
[2017/09/28 13:04:00.120999, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [Windows for Workgroups 3.1a]
[2017/09/28 13:04:00.121026, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [LM1.2X002]
[2017/09/28 13:04:00.121053, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [LANMAN2.1]
[2017/09/28 13:04:00.121080, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [NT LM 0.12]
[2017/09/28 13:04:00.121107, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [SMB 2.002]
[2017/09/28 13:04:00.121133, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [SMB 2.???]
[2017/09/28 13:04:00.121348, 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2017/09/28 13:04:00.124041, 3] ../source3/smbd/negprot.c:730(reply_negprot)
Selected protocol SMB 2.???
[2017/09/28 13:04:00.135575, 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
Selected protocol SMB2_10
[2017/09/28 13:04:00.150178, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/rack14.svsn.int@SVSN.INT not found in keytab (ticket kvno 10)]
[2017/09/28 13:04:00.161945, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
[2017/09/28 13:04:00.179981, 3] ../source3/smbd/oplock.c:1322(init_oplocks)
init_oplocks: initializing messages.
[2017/09/28 13:04:00.180172, 3] ../source3/smbd/process.c:1957(process_smb)
Transaction 0 of length 108 (0 toread)
[2017/09/28 13:04:00.198458, 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
Selected protocol SMB2_10
[2017/09/28 13:04:00.214297, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/rack14.svsn.int@SVSN.INT not found in keytab (ticket kvno 10)]
[2017/09/28 13:04:00.227012, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
Samba config:
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ads
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets and keytab
winbind use default domain = true
winbind offline logon = true
idmap config * : backend = nss
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : default = yes
idmap config DOMAIN : range = 10000-1000000
idmap config DOMAIN : schema_mode = rfc2307
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
log file = /var/log/samba/log.%m
log level = 3
max log size = 50
client use spnego = yes
load printers = no
cups options = raw
printcap name = /dev/null
I'm not sure what I am missing or what else to troubleshoot. Rejoining the domain and even wiping out the Samba config has not helped. I have also manually added cifs to the keytab, but then Windows keeps prompting for a username and password even when they are correct. Any ideas?
Best Answer
Your Kerberos setup is broken.
From the log:
Request ticket server cifs/rack14.svsn.int@SVSN.INT not found in keytab (ticket kvno 10)
There seems to be a second authentication method if Kerberos isn't possible. This second method works and is used if you access via IP address. That's because Kerberos only works in connection with DNS.
If you access via DNS name Kerberos tries an authentication and fails.
I suppose you check the DNS entries of all machines (client, server, Kerberos server). Also check the DNS reverse entries. Afterwards generate a new keytab.
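The answer's diagnosis hinges on one fact from the log: the client presented a ticket for cifs/rack14.svsn.int@SVSN.INT at kvno 10, and smbd found no matching key in its keytab. The script below is an added example (not part of the question or the answer) that automates that comparison: it pulls the service principal and kvno out of the GSS error text and looks them up in a `klist -kte` listing, distinguishing a principal that is absent altogether from one that is present only under an older kvno (a stale keytab after a rejoin). The log line is taken from the question; the keytab listing is a constructed sample, as are the hostname's extra entries in it.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: compare the principal and
# kvno named in a Samba "not found in keytab" GSS error against a
# `klist -kte` listing. All sample data below is constructed for illustration.

# The smbd log line from the question.
SAMPLE_LOG='gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/rack14.svsn.int@SVSN.INT not found in keytab (ticket kvno 10)]'

# Constructed `klist -kte /etc/krb5.keytab` output: host/ and machine-account
# keys are current (kvno 10) but the cifs/ key is left over from an earlier
# join (kvno 9), so tickets issued by the DC can no longer be decrypted.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
  10 09/28/2017 12:55:01 host/rack14.svsn.int@SVSN.INT (aes256-cts-hmac-sha1-96)
  10 09/28/2017 12:55:01 RACK14$@SVSN.INT (aes256-cts-hmac-sha1-96)
   9 09/20/2017 08:10:44 cifs/rack14.svsn.int@SVSN.INT (aes256-cts-hmac-sha1-96)'

# Service principal the client asked for, e.g. cifs/rack14.svsn.int@SVSN.INT.
log_principal() {
    printf '%s\n' "$1" | sed -n 's/.*Request ticket server \([^ ]*\) not found.*/\1/p'
}

# Key version the ticket was encrypted under.
log_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*ticket kvno \([0-9]*\).*/\1/p'
}

# Every kvno under which PRINCIPAL ($1) appears in the listing ($2), one per
# line; empty output means the principal is not in the keytab at all.
# Field 4 is the principal column of `klist -kte` (KVNO, date, time, principal).
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '$4 == p { print $1 }' | sort -u
}

# Verdict on log text ($1) versus keytab listing ($2):
#   0 = key present with matching kvno
#   1 = principal absent from the keytab
#   2 = principal present but only under a different kvno (stale keytab)
check_keytab() {
    log="$1"; keytab="$2"
    princ=$(log_principal "$log")
    want=$(log_kvno "$log")
    have=$(keytab_kvnos "$princ" "$keytab")
    if [ -z "$have" ]; then
        echo "MISSING: $princ is not in the keytab; recreate it (net ads keytab create)"
        return 1
    fi
    for k in $have; do
        if [ "$k" = "$want" ]; then
            echo "OK: $princ kvno $k matches the ticket"
            return 0
        fi
    done
    # $have is unquoted on purpose so multiple kvnos join with spaces.
    echo "STALE: $princ present only with kvno $(echo $have) but the ticket wants kvno $want"
    return 2
}

# Run against the constructed samples (reports STALE, status 2). The status is
# ignored here so the script continues; callers should branch on it.
check_keytab "$SAMPLE_LOG" "$SAMPLE_KEYTAB" || :
```

On a live server, feed it the real data: `check_keytab "$(grep 'not found in keytab' /var/log/samba/log.CLIENT | tail -1)" "$(klist -kte /etc/krb5.keytab)"`. A STALE verdict means the DC has rolled the machine account's key version since the keytab was written, which is what a rejoin without a refreshed keytab produces; `net ads keytab create` rewrites the keytab from the current account. A MISSING verdict means the cifs/ SPN was never exported into the keytab. Either way the fix the answer prescribes is the same: make the DNS forward and reverse records agree on the name the client uses, then regenerate the keytab so the cifs/FQDN key matches the kvno the KDC now issues.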