[Samba] Mounting samba volume by IP fails trust in AD

2011-03-30 Thread Walt Park
Hi.

I've got some samba servers (3.0.33-3.29.el5_6.2, on redhat 5) that join a
windows 2003 AD.

When mounting the volume from a windows workstation, if I use
\\ip.address.here it fails saying 'The trust relationship between this
workstation and the primary domain failed'

If I mount with \\fully.qualified.name it works just fine. Forward and
reverse DNS match, and
\\ip.address.here works for a microsoft box but not any of the samba boxes.

When I check the smbd.log, I never see the failed connections at the samba
box, only the ones that worked with FQDN, which to me suggests the failure
happens because AD isn't passing the connection to samba, which my AD admins
say is because something in samba isn't working like windows, so the AD
doesn't pass the request to the samba box because it doesn't look right to AD.

my smb.conf is:

# Global parameters
[global]
workgroup = MYDOMAIN
security = ADS
realm = MY.DOMAIN
load printers = No
printing = bsd
preferred master = No
domain master = No
local master = no
os level = 0
wins server = xxx.xxx.xxx.xxx
ldap ssl = no
browseable = yes
restrict anonymous = yes
guest account = nobody
invalid users = nobody
encrypt passwords = yes

[homes]
comment = Home Directories
writeable = Yes
browseable = No
---

Any idea why IP mount fails trust with 2003 AD but Name would be ok?
Is this a microsoft-ism to hate on samba, or am I missing something in my
config?

Does this fail for everyone or just me?

test: startrun:  \\ip.of.samba.box
   startrun:  \\dns.name.of.box

if you have browse, it should show the available shares.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Mounting samba volume by IP fails trust in AD

2011-03-30 Thread Gaiseric Vandal
I have run into issues where by IP it worked, but not by name (this was 
with one particular samba server, with VPN clients, with WINS and 
Netbios not enabled over VPN.)   So it does seem possible that the 
server handles requests based on name and IP differently.



Are all machines (samba, win 2003, clients) pointing to the same WINS 
server?

Are all machines pointing to the same DNS server?
Is the AD DC the WINS and DNS server?

Does the AD domain name space match the DNS domain name space?

Does the samba server krb5.conf have entries for the AD DC?  (Not sure 
if this is really necessary.)


In smb.conf, what is name resolve order set to?

On 03/30/2011 10:42 AM, Walt Park wrote:


Re: [Samba] Mounting samba volume by IP fails trust in AD

2011-03-30 Thread Walt Park
Well.. all my samba boxes are behaving the same way.
When joined to the AD, they work when addressed by name, but
fail trust with the AD when addressed by IP. AD is controlled
by windows 2003, not by samba. I'm pretty sure if I made a samba
PDC, I could get this to work, but I can't because that's not our
architecture here.

I have a mixture of a couple different versions on both
solaris and linux, and they all seem to behave the same.

All the samba boxes use the same wins, which is the PDC.
They also use a mix of DNS, for a couple of internal reasons,
but for name/ip in regards to the AD, they will get the same
responses because of the way delegation is setup among name servers.

The AD does not run its own name space and defers to the bind
clusters for dns.

The krb5.conf does point to the AD, as samba is the only thing
on these boxes that use kerberos.

name resolve order is not explicitly set, so defaults to
lmhosts host wins bcast

Anyway, the samba servers are not seeing the connection attempt when
they get the trust failure error. The AD seems to be rejecting the
connection attempt and not directing the connection to the samba box.

When I use a FQDN, I see the connection attempt, and it works fine. It's
only when I use IP.

We have a security scanner that is failing because it is using IP since
that's how its network discovery works, which is what I'm trying to
fix.


Re: [Samba] Mounting samba volume by IP fails trust in AD

2011-03-30 Thread Volker Lendecke
On Wed, Mar 30, 2011 at 09:42:33AM -0500, Walt Park wrote:
> Any idea why IP mount fails trust with 2003 AD but Name would be ok?
> Is this a microsoft-ism to hate on samba, or am I missing something in my
> config?

It's possible that via name you're using kerberos but via ip
you're using ntlm. In the kerberos case Samba does not have
to ask the DC, in the ntlm case it does.

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen


Re: [Samba] Mounting samba volume by IP fails trust in AD

2011-03-30 Thread Gaiseric Vandal

Do you have PTR entries in DNS for all the servers?




On 03/30/2011 12:35 PM, Walt Park wrote:


Re: [Samba] Mounting samba volume by IP fails trust in AD

2011-03-30 Thread Walt Park
Why would it be different between a microsoft share, and a samba share?
A microsoft share works with either name or IP, but samba only works for
name, and not IP. Also, when it fails with trust error I never see a
connection attempt at the samba server.


On Wed, Mar 30, 2011 at 11:34 AM, Volker Lendecke volker.lende...@sernet.de wrote:


Re: [Samba] Mounting samba volume by IP fails trust in AD

2011-03-30 Thread Herb Lewis

my guess is that reverse DNS lookups are failing for the IP



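The two explanations offered in this thread, Volker's (a name lets the client use Kerberos, which Samba can verify without a round trip to the DC, while a bare IP forces NTLM, which a domain member must pass to the DC) and Herb's (reverse DNS for the IP), can be turned into a small diagnostic. The script below is an added example, not code from the thread or from the Samba project. It assumes that a Windows client derives the Kerberos service principal from the host part of the UNC path as typed (cifs/<name>@REALM) and therefore falls back to NTLM when that part is an IP address; DNS answers come from an injectable resolver loaded with constructed A/PTR records so it runs offline, and the names, addresses and realm in it are invented.

```python
"""Which authentication path a Windows client takes for a UNC target, and
whether the DNS records behind that target agree with each other.

Added example; not code from the thread or from the Samba project.
Assumption: the client builds a Kerberos SPN from the host *name* in the
UNC path (cifs/<name>), so a bare IP address forces NTLM, and an NTLM logon
against a domain member has to be validated by a DC (Volker's point).
The resolver is a stand-in fed with constructed records (Herb's point:
check that forward and reverse DNS agree for the address being used).
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# \\host\share[\path...]  -> host, share (share may be absent)
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\([^\\]*))?")


class FakeResolver:
    """Stand-in for DNS: forward (A) and reverse (PTR) maps, constructed."""

    def __init__(self, a: Dict[str, List[str]], ptr: Dict[str, List[str]]):
        self._a = {k.lower(): v for k, v in a.items()}
        self._ptr = ptr

    def a(self, name: str) -> List[str]:
        return self._a.get(name.lower(), [])

    def ptr(self, ip: str) -> List[str]:
        return self._ptr.get(ip, [])


@dataclass
class Diagnosis:
    host: str
    share: str
    auth: str                 # "kerberos" or "ntlm"
    spn: Optional[str]        # principal the client will ask the KDC for
    dns_consistent: bool      # forward and reverse records agree
    notes: List[str] = field(default_factory=list)


def parse_unc(target: str):
    m = UNC_RE.match(target)
    if not m:
        raise ValueError(f"not a UNC path: {target!r}")
    return m.group(1), m.group(2) or ""


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def diagnose(target: str, realm: str, dns: FakeResolver) -> Diagnosis:
    host, share = parse_unc(target)
    notes: List[str] = []

    if is_ip(host):
        # No name means no SPN: the client falls back to NTLM, and smbd
        # must ask a DC to validate that logon instead of checking locally.
        names = dns.ptr(host)
        if not names:
            notes.append(f"no PTR record for {host}")
        back = [n for n in names if host in dns.a(n)]
        consistent = bool(names) and len(back) == len(names)
        if names and not consistent:
            notes.append("PTR name(s) do not resolve back to this address")
        notes.append("NTLM path: the member server has to ask the DC to "
                     "validate the logon; the Kerberos path does not")
        return Diagnosis(host, share, "ntlm", None, consistent, notes)

    # A name was given: the client requests a ticket for cifs/<name>@REALM.
    spn = f"cifs/{host.lower()}@{realm.upper()}"
    addrs = dns.a(host)
    if not addrs:
        notes.append(f"{host} does not resolve")
    back = [ip for ip in addrs
            if host.lower() in (n.lower() for n in dns.ptr(ip))]
    consistent = bool(addrs) and len(back) == len(addrs)
    if addrs and not consistent:
        notes.append("address(es) of this name have no matching PTR")
    notes.append("Kerberos path: ticket for the SPN is verified by the "
                 "server without a DC round trip")
    return Diagnosis(host, share, "kerberos", spn, consistent, notes)


# Constructed records: one server with a matching A/PTR pair, one with no PTR.
SAMPLE_DNS = FakeResolver(
    a={"smb1.corp.example": ["192.0.2.10"], "smb2.corp.example": ["192.0.2.11"]},
    ptr={"192.0.2.10": ["smb1.corp.example"]},
)

if __name__ == "__main__":
    for t in (r"\\smb1.corp.example\homes", r"\\192.0.2.10\homes",
              r"\\192.0.2.11\homes"):
        d = diagnose(t, "corp.example", SAMPLE_DNS)
        print(t, d.auth, d.spn, d.dns_consistent, *d.notes, sep="\n  ")
```

Run it as-is to see the three constructed cases; to use it against a real environment, swap `FakeResolver` for something that performs real A and PTR lookups and feed it the exact UNC paths the failing client (or the scanner in Walt's case) uses. The point the output makes is that the IP form never produces an SPN, so whatever fails on that path is in the NTLM/DC leg rather than in Kerberos, which is where to look first.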


Re: [Samba] Mounting samba volume by IP fails trust in AD

2011-03-30 Thread Walt Park
In answer to vandal: Yes, they are A/PTR records, and not cname.