Hello Chris

On 26.03.2013 20:58, [email protected] wrote:
> My Issue is now:
> If I try as MIT authenticated (mapped) user "usera" on system "windc"
> to access a published CIFS share
> on server "memberhost" this works great via UNC. e.g.
> \\memberhost\publishedFolder
> But if I use instead the IP addresses in UNC it does not work. e.g.
> \\192.168.1.12\publishedFolder

Usually the Windows computer should try to find out the service principal name for the server with DNS forward/backward lookup:

forward: nslookup "memberhost" fqdn => IP
reverse: nslookup IP => memberhost fqdn

- Is the reverse lookup working for your server?
- If I look at my AD I usually have for Computer accounts Principal Names like this:

> C:\>dsquery * -filter
> "(&(objectCategory=Computer)(objectClass=user)(sAMAccountName=MYCOMPUTER*))"
> -attr distinguishedname sAMAccountName servicePrincipalName
> distinguishedname                            sAMAccountName  servicePrincipalName
> CN=MYCOMPUTER,OU=someou,DC=mydomain,DC=com   MYCOMPUTER$     HOST/mycomputer.mydomain.com;HOST/MYCOMPUTER;

=> so by default there is a HOST/* entry for the fqdn and the short WINS hostname, not the IP.

If reverse lookup is not possible (=> no canonicalization) or the fqdn does not match the entry in AD, you may need to add the entries HOST/ip-nr.

To debug that you can wireshark the Client<->DNS and Client<->Kerberos (AD and MIT) traffic and find out what tickets your client tries to get (and why this fails).

> One simple request leads to a lockout of the account.
>
> Checking the traffic with network monitor shows that during one trial
> the NTLM login was executed exactly 27 times
> with the domain user and the password used by the current session
> which is wrong for the domain account.

This seems to happen because of the Windows fall back to NTLM when Kerberos fails -> but of course the username/password (which is in the user session's memory) is not the one you need for the fall back: "usera" with "password" does not exist in the NTLM database, where it is "usera" with "randompassword".

Did I understand correctly that the user "usera" is locked in AD after the 27 wrong password tries with NTLM?

Maybe there's a GPO setting to avoid the fall back mechanism.

Robert.

-- 
Dr. Robert Wehn ........................ http://www.rz.uni-augsburg.de
Universität Augsburg, Rechenzentrum ............. Tel. (0821) 598-2047
86135 Augsburg .................................. Fax. (0821) 598-2028
________________________________________________
Kerberos mailing list    [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
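As an added illustration of the lookup sequence described in the reply above (example code written for this page, not from the thread or from any Microsoft tool), this Python model derives the SPN a client would request for a hostname or IP UNC target and checks it against the computer account's SPNs. The DNS tables and the dsquery row are constructed samples; a target with no canonical name or no matching HOST/ entry is the case where the Kerberos attempt fails and the NTLM fallback is tried.

```python
"""Model of the SPN lookup a Windows client makes for a UNC target, following
the reply above: hostname -> forward DNS -> FQDN, IP -> reverse DNS -> FQDN,
then a HOST/ or cifs/ SPN matched against the computer account's
servicePrincipalName values. All DNS data and the dsquery line are constructed."""
import ipaddress
import re

# Constructed DNS tables: short name -> (fqdn, ip) and ip -> fqdn.
FORWARD = {"memberhost": ("memberhost.mydomain.com", "192.168.1.12")}
REVERSE = {"192.168.1.12": "memberhost.mydomain.com"}
# Constructed row in the layout of the dsquery output quoted in the thread.
DSQUERY_LINE = ("CN=MEMBERHOST,OU=someou,DC=mydomain,DC=com  MEMBERHOST$  "
                "HOST/memberhost.mydomain.com;HOST/MEMBERHOST;")

def parse_spns(dsquery_line):
    """Return the SPNs of one dsquery result row as a lowercase set."""
    return {s.lower() for s in dsquery_line.split()[-1].split(";") if s}

def unc_host(unc):
    """Server part of a UNC path such as \\\\server\\share."""
    m = re.match(r"\\\\([^\\]+)\\", unc)
    if not m:
        raise ValueError("not a UNC path: %r" % unc)
    return m.group(1)

def resolve_fqdn(host, forward, reverse):
    """Canonical name the client would put into the SPN, or None."""
    try:
        ipaddress.ip_address(host)
    except ValueError:                      # a hostname: forward lookup
        return forward.get(host.lower(), (None, None))[0]
    return reverse.get(host)                # an IP: reverse lookup must exist

def check_unc(unc, forward=FORWARD, reverse=REVERSE, spns=None):
    """Which SPN the client would request and whether AD holds it.
    No usable SPN means the Kerberos attempt fails and NTLM is tried instead."""
    spns = parse_spns(DSQUERY_LINE) if spns is None else spns
    host = unc_host(unc)
    fqdn = resolve_fqdn(host, forward, reverse)
    if fqdn is None:
        return {"host": host, "spn": None, "kerberos": False,
                "reason": "no canonical name for %s (lookup failed)" % host}
    candidates = ["host/" + fqdn.lower(), "cifs/" + fqdn.lower()]
    for spn in candidates:
        if spn in spns:
            return {"host": host, "spn": spn, "kerberos": True, "reason": "SPN found"}
    return {"host": host, "spn": candidates[1], "kerberos": False,
            "reason": "no SPN for %s in AD, NTLM fallback expected" % fqdn}
```

Passing `reverse={}` reproduces the IP-address case from the thread where no canonical name is found; passing an empty `spns` set shows the case where the name resolves but AD has no matching entry.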
