Hello,

I am running Samba version 3.6.1, and for several months we have no longer 
been able to access shares on that server by hostname. This only occurs for 
Windows clients (Windows 2008 R2, Windows 7). For Apple MacOS 10.5 and Linux 
clients, we can access the shares by \\ws86 using Active Directory registered 
passwords. For Windows, we must use \\192.168.172.26. 
Neither \\ws86 nor \\WS86 works.

The only IP address of ws86 is 192.168.172.26. NetBIOS is also enabled, but of 
course there is an Active Directory environment. Active Directory is also used 
for security (see smb.conf). Winbind is not running; smb and nmb are. I 
successfully kinit-ed and joined the domain.

Logging contains:
[2012/01/06 21:16:11.824330,  1] smbd/sesssetup.c:342(reply_spnego_kerberos)
  Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!

With debugging on level 15, typical errors include (samba log with level 15 is 
too large to post here):
  libads/kerberos_verify.c:248: krb5_rd_req_return_keyblock_from_keytab(host/[email protected]) failed: Wrong principal in request

and

  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593758, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593846, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.593929, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.594012, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad encryption type
[2012/01/06 21:16:50.594094, 10] libads/kerberos_verify.c:429(ads_secrets_verify_ticket)
  libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Bad encryption type

I have tried various enctypes. Made changes to allowed enctypes on 2008 R2 
active directory server. No success. Even with experience back to Samba 2.0, 
this is too hard for me.

Can someone provide me with a hint or pointer?

Regards,

Guido

--

[global]
workgroup = INVANTIVE
realm = INVANTIVE.LOCAL
security = ads
kerberos method=secrets and keytab
template shell = /bin/ksh
winbind use default domain = true
winbind offline logon = false
debuglevel=1
password server = ws54
winbind enum groups = yes
winbind enum users = yes
winbind nested groups = yes
winbind separator = +
server string = Samba %v
interfaces = lo eth0 192.168.172.26/24
passdb backend = tdbsam
dns proxy = yes
cups options = raw
username map = /etc/samba/smbusers
[homes]
comment = Home Directories
browseable = no
writable = yes
inherit acls = yes
delete readonly = yes
create mask = 0600
directory mask = 0700
oplocks = yes
force create mode = 0600
force directory mode = 0700
valid users = %S,INVANTIVE\Administrator,root,INVANTIVE\!gle3
force user = %S
hide files = /desktop.ini/$RECYCLE.BIN/
include=/etc/samba/smb.conf.invantive

--

root@ws86:/etc/samba# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  22 host/[email protected] (DES cbc mode with CRC-32)
  22 host/[email protected] (DES cbc mode with RSA-MD5)
  22 host/[email protected] (ArcFour with HMAC/md5)
  22 host/[email protected] (DES cbc mode with CRC-32)
  22 host/[email protected] (DES cbc mode with RSA-MD5)
  22 host/[email protected] (ArcFour with HMAC/md5)
  22 [email protected] (DES cbc mode with CRC-32)
  22 [email protected] (DES cbc mode with RSA-MD5)
  22 [email protected] (ArcFour with HMAC/md5)
  13 ws86/[email protected] (DES cbc mode with CRC-32)
  13 ws86/[email protected] (DES cbc mode with RSA-MD5)
  13 ws86/[email protected] (ArcFour with HMAC/md5)
   3 host/[email protected] (DES cbc mode with CRC-32)
   3 host/[email protected] (DES cbc mode with RSA-MD5)
   3 host/[email protected] (ArcFour with HMAC/md5)
  22 ws86/[email protected] (DES cbc mode with CRC-32)
  22 ws86/[email protected] (DES cbc mode with RSA-MD5)
  22 ws86/[email protected] (ArcFour with HMAC/md5)
  21 [email protected] (DES cbc mode with CRC-32)
  21 [email protected] (DES cbc mode with RSA-MD5)
   3 ws86/[email protected] (DES cbc mode with CRC-32)
  14 ws86/[email protected] (DES cbc mode with CRC-32)
  14 ws86/[email protected] (DES cbc mode with RSA-MD5)
  14 ws86/[email protected] (ArcFour with HMAC/md5)
  22 ws86/[email protected] (DES cbc mode with CRC-32)
  22 ws86/[email protected] (DES cbc mode with RSA-MD5)
  22 ws86/[email protected] (ArcFour with HMAC/md5)
  21 host/[email protected] (DES cbc mode with CRC-32)
  21 host/[email protected] (DES cbc mode with RSA-MD5)
  21 host/[email protected] (ArcFour with HMAC/md5)
   3 ws86/[email protected] (DES cbc mode with RSA-MD5)
   3 ws86/[email protected] (ArcFour with HMAC/md5)
  21 host/[email protected] (DES cbc mode with CRC-32)
  21 ws86/[email protected] (DES cbc mode with CRC-32)
  21 ws86/[email protected] (DES cbc mode with RSA-MD5)
  21 [email protected] (ArcFour with HMAC/md5)
  21 host/[email protected] (DES cbc mode with RSA-MD5)
  21 host/[email protected] (ArcFour with HMAC/md5)
  21 ws86/[email protected] (DES cbc mode with CRC-32)
  21 ws86/[email protected] (DES cbc mode with RSA-MD5)
  21 ws86/[email protected] (ArcFour with HMAC/md5)
  21 ws86/[email protected] (ArcFour with HMAC/md5)

--

net view \\ws86
System error 5 has occurred.

Access is denied.

net view \\192.168.172.26
Shared resources at \\192.168.172.26

Samba 3.6.1

Share name            Type  Used as  Comment

-------------------------------------------------------------------------------
backup                Disk           Backup
...
The command completed successfully.

--

#[logging]
# default = FILE:/var/log/krb5libs.log
# kdc = FILE:/var/log/krb5kdc.log
# admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = INVANTIVE.LOCAL
default_keytab_name=FILE:/etc/krb5.keytab
# dns_lookup_realm = false
# dns_lookup_kdc = false
# ticket_lifetime = 24h
# forwardable = yes
default_tgs_enctypes = rc4-hmac-exp arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1
default_tkt_enctypes = rc4-hmac-exp arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des3-hmac-sha1

[realms]
 INVANTIVE.LOCAL = {
  kdc = ws54.invantive.local
#  kdc = ws54.invantive.local:88
#  admin_server = ws54.invantive.local:749
#  default_domain = invantive.local
 }

#[domain_realm]
# .invantive.local = INVANTIVE.LOCAL
# invantive.local = INVANTIVE.LOCAL
#
#[appdefaults]
# pam = {
#   debug = false
#   ticket_lifetime = 36000
#   renew_lifetime = 36000
#   forwardable = true
#   krb4_convert = false
# }
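
--

Added example, not part of the original post: a Python helper that inventories `klist -ke` output by principal and KVNO and checks each key version against the enctype numbers reported in the `ads_secrets_verify_ticket` log lines. The principal names and sample lines are constructed placeholders; the description-to-number mapping covers only the three enctypes that appear in the keytab listing above.

```python
import re

# klist -ke descriptions as they appear in the post -> Kerberos enctype numbers
KLIST_ENCTYPE = {
    "DES cbc mode with CRC-32": 1,
    "DES cbc mode with RSA-MD5": 3,
    "ArcFour with HMAC/md5": 23,
}
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s+\(([^()]+)\)\s*$")
LOG_ENCTYPE = re.compile(r"enc type \[(\d+)\] failed to decrypt")

# Constructed sample input; principal names are placeholders, not from the post.
SAMPLE_KEYTAB = """\
KVNO Principal
---- ----------------------------------------------------------
  22 host/ws86.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
  22 host/ws86.example.test@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
  22 host/ws86.example.test@EXAMPLE.TEST (ArcFour with HMAC/md5)
  21 WS86$@EXAMPLE.TEST (DES cbc mode with CRC-32)
  21 WS86$@EXAMPLE.TEST (DES cbc mode with RSA-MD5)
"""
SAMPLE_LOG = """\
  libads/kerberos_verify.c:429: enc type [23] failed to decrypt with error Bad encryption type
  libads/kerberos_verify.c:429: enc type [1] failed to decrypt with error Bad encryption type
  libads/kerberos_verify.c:429: enc type [3] failed to decrypt with error Bad encryption type
"""

def parse_keytab(text):
    """Return {principal: {kvno: set(enctype numbers)}} from `klist -ke` output."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m and m.group(3) in KLIST_ENCTYPE:
            kvno, principal = int(m.group(1)), m.group(2)
            keys.setdefault(principal, {}).setdefault(kvno, set()).add(KLIST_ENCTYPE[m.group(3)])
    return keys

def tried_enctypes(log_text):
    """Enctype numbers that smbd logged as failing to decrypt."""
    return {int(n) for n in LOG_ENCTYPE.findall(log_text)}

def gaps(keys, tried):
    """List (principal, kvno, missing) where a key version lacks a tried enctype."""
    return [(p, k, sorted(tried - keys[p][k]))
            for p in sorted(keys) for k in sorted(keys[p]) if tried - keys[p][k]]

if __name__ == "__main__":
    for principal, kvno, missing in gaps(parse_keytab(SAMPLE_KEYTAB), tried_enctypes(SAMPLE_LOG)):
        print(f"{principal} kvno {kvno}: no key for enctype(s) {missing}")
```

A reported gap only says the keytab holds no key of that enctype for that key version; it does not by itself explain the failures in the post.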