Can't access samba share by hostname or FQDN, only by IP on Windows 2008 R2 Domain
I have a CentOS 7 server with Samba 4.6.2, joined to a Windows Server 2008 R2 Domain, and cannot access any shares from Windows using the server's hostname or FQDN, only by IP address.
I have verified DNS is working with nslookup for server to client, client to server, and verified all SRV records for AD resolve on the samba server.
When I try using the hostname or FQDN Windows will display an error "Logon Failure: The target account name is incorrect" and the samba logs for the client show this:
[2017/09/28 13:04:00.119699, 3] ../source3/smbd/oplock.c:1322(init_oplocks)
init_oplocks: initializing messages.
[2017/09/28 13:04:00.119899, 3] ../source3/smbd/process.c:1957(process_smb)
Transaction 0 of length 159 (0 toread)
[2017/09/28 13:04:00.119956, 3] ../source3/smbd/process.c:1538(switch_message)
switch message SMBnegprot (pid 15584) conn 0x0
[2017/09/28 13:04:00.120920, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [PC NETWORK PROGRAM 1.0]
[2017/09/28 13:04:00.120968, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [LANMAN1.0]
[2017/09/28 13:04:00.120999, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [Windows for Workgroups 3.1a]
[2017/09/28 13:04:00.121026, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [LM1.2X002]
[2017/09/28 13:04:00.121053, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [LANMAN2.1]
[2017/09/28 13:04:00.121080, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [NT LM 0.12]
[2017/09/28 13:04:00.121107, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [SMB 2.002]
[2017/09/28 13:04:00.121133, 3] ../source3/smbd/negprot.c:603(reply_negprot)
Requested protocol [SMB 2.???]
[2017/09/28 13:04:00.121348, 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
Selected protocol SMB2_FF
[2017/09/28 13:04:00.124041, 3] ../source3/smbd/negprot.c:730(reply_negprot)
Selected protocol SMB 2.???
[2017/09/28 13:04:00.135575, 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
Selected protocol SMB2_10
[2017/09/28 13:04:00.150178, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/rack14.svsn.int@SVSN.INT not found in keytab (ticket kvno 10)]
[2017/09/28 13:04:00.161945, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
[2017/09/28 13:04:00.179981, 3] ../source3/smbd/oplock.c:1322(init_oplocks)
init_oplocks: initializing messages.
[2017/09/28 13:04:00.180172, 3] ../source3/smbd/process.c:1957(process_smb)
Transaction 0 of length 108 (0 toread)
[2017/09/28 13:04:00.198458, 3] ../source3/smbd/smb2_negprot.c:290(smbd_smb2_request_process_negprot)
Selected protocol SMB2_10
[2017/09/28 13:04:00.214297, 1] ../source3/librpc/crypto/gse.c:646(gse_get_server_auth_token)
gss_accept_sec_context failed with [Unspecified GSS failure. Minor code may provide more information: Request ticket server cifs/rack14.svsn.int@SVSN.INT not found in keytab (ticket kvno 10)]
[2017/09/28 13:04:00.227012, 3] ../source3/smbd/server_exit.c:246(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
Samba config:
[global]
workgroup = DOMAIN
realm = DOMAIN.LOCAL
security = ads
template homedir = /home/%U
template shell = /bin/bash
kerberos method = secrets and keytab
winbind use default domain = true
winbind offline logon = true
idmap config * : backend = nss
idmap config * : range = 3000-7999
idmap config DOMAIN : backend = ad
idmap config DOMAIN : default = yes
idmap config DOMAIN : range = 10000-1000000
idmap config DOMAIN : schema_mode = rfc2307
winbind nss info = rfc2307
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
log file = /var/log/samba/log.%m
log level = 3
max log size = 50
client use spnego = yes
load printers = no
cups options = raw
printcap name = /dev/null
I'm not sure what I am missing or what else to troubleshoot. Rejoining the domain and even wiping out the samba config has not helped. I have also manually added cifs to the keytab but then windows will keep prompting for a username and password even when correct. Any ideas?
Ваша настройка Kerberos нарушена.
Из журнала: Сервер запросов (скрытый) не найден в keytab (билет квно 10) .
Кажется, существует второй метод аутентификации, если Kerberos невозможен. Этот второй метод работает и используется при доступе через IP-адрес. Это потому, что Kerberos работает только в связи с DNS.
Если вы получаете доступ через DNS-имя, Kerberos пытается выполнить аутентификацию и терпит неудачу.
Я полагаю, вы проверяете записи DNS всех машин (клиент, сервер, сервер Kerberos). Также проверьте обратные записи DNS. После этого создайте новую keytab.