
Samba shares inaccessible on Windows 2008 using netbios aliases

SOLVED
Michael Dhavale
Occasional Visitor

Samba shares inaccessible on Windows 2008 using netbios aliases

I have a Samba server (A.02.04.01) that's a member of an AD domain. Windows XP and 2003 clients can see its shares fine using either the netbios name (actual hostname) or one of several netbios aliases. Using all names, you can passwordlessly access all shares by UNC path (\\server_or_alias\sharename).

My problem is that Windows 2008 R2 Enterprise edition can only access those shares using the hostname; using any netbios alias will lock the Windows account. This is troubling since this limits my ability to set these shares up in a cluster.

The netbios aliases are names that resolve to IP addresses that reside on the server. I see the same symptoms, though, if I modify DNS so that the netbios alias names are (CNAME) aliases to the box's hostname/IP. That is, the issue seems to be independent of the IP address of the netbios alias.

These servers are on different subnets. My PDC is Windows 2003.

Has anyone experienced any difficulty with getting a 2008 client to see a netbios alias?
5 REPLIES
Steven E. Protter
Exalted Contributor

Re: Samba shares inaccessible on Windows 2008 using netbios aliases

Shalom,

There is a service under Windows Server PDC that you need to run in order to resolve short names.

You need to enable winbind on the HP-UX Samba server to work with Windows PDC shortnames.

Also, you need to execute a net join command to have full Windows integration.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Michael Dhavale
Occasional Visitor

Re: Samba shares inaccessible on Windows 2008 using netbios aliases

UPDATE: So, after going to lunch and coming back, I find that a CNAME alias in DNS (so that the netbios alias resolves to the hostname) magically/disconcertingly works. This still doesn't help me, though.

As a way of getting around the alias/hostname differences entirely, I am considering configuring samba on both nodes so that the netbios name of the samba server is the alias name (the inactive node won't ever be running samba at the same time as the active node). That way, theoretically all hosts will be accessing the server with its 'hostname' (which will be the alias name). Is having the netbios name different from the hostname of the server a recommended configuration?
Michael Dhavale
Occasional Visitor

Re: Samba shares inaccessible on Windows 2008 using netbios aliases

Hi Steven,

>> There is a service under Windows Server PDC that you need to run in order to resolve short names.

Which service is this? Also, is it significant that non-2008 hosts can resolve the short name okay?


>> You need to enable winbind on the HP-UX Samba server to work with Windows PDC shortnames.

Winbindd is running on the samba server. However, adding it to nsswitch.conf caused the server to slow down tremendously. Removing winbind from nsswitch.conf fixed the slowdown issue, and also did not affect functionality for non-2008 hosts.


>> Also you need to execute a net join command to have full windows Integration.

During samba_setup I was able to net join the ADS domain successfully; the fact that I can get into my shares passwordlessly to non-2008 hosts wouldn't be possible otherwise...

Thank you,
Mike
Alex Bryant
Occasional Visitor
Solution

Re: Samba shares inaccessible on Windows 2008 using netbios aliases

I was having this exact problem. I thought it was a Samba issue at first; after I found this post I realized it was isolated to Windows Vista and up. The root of the problem is Vista and up force NTLMv2 instead of v1. A v2 request includes the server name in the authentication handshake, which is why using an alias will cause it to lock the account; it thinks you are requesting the wrong server and is returning "Bad password" (and of course after 3 bad password attempts, your AD account gets locked).

There are 2 solutions here:
1. Enable NTLMv1 on Vista and higher. If this is done, you can use any alias name to connect to your samba share, assuming your alias is set up in DNS to point to your Samba server.

You can enable this 3 ways: Group policy setting, Local Security setting, or a registry key change.

http://msdn.microsoft.com/en-us/library/bb643327.aspx
http://support.microsoft.com/kb/823659


2. Add an additional ServicePrincipalName (SPN) for each alias you have. You will need the support tools installed for this, but you just run the command "setspn -a HOST/aliasname hostname" for each alias.

http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

I was working on this problem for 2 days until I stumbled upon this post. A huge thanks for pointing me in the right direction, hopefully this will help someone else as well.
Michael Dhavale
Occasional Visitor

Re: Samba shares inaccessible on Windows 2008 using netbios aliases

Hi Alex,

Yes, NTLMv2 was the last issue I tackled before even getting to this point. :) I wouldn't be able to access a samba share on any Windows 2008 machine had that not been resolved.

Rather than force Vista and 2008 to recognize NTLMv1, you can have samba use NTLMv2 with these lines in smb.conf:

lanman auth = No
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No

I will definitely try adding SPNs for my other netbios aliases; I am thinking that that will probably be my solution, so a huge thanks to you as well!
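
Added example, not part of the thread and not code from any poster: a small Python check that reads the [global] section of an smb.conf, compares the four authentication settings quoted above with the values given in the thread, and lists one setspn command per NetBIOS alias as in solution 2. The sample config and the names FILESRV1, clusterfs and archive are constructed for illustration.

```python
# Settings quoted in the thread; keys are lowercased with whitespace
# removed because smb.conf ignores case and spaces in parameter names.
WANTED = {"lanmanauth": False, "clientntlmv2auth": True,
          "clientlanmanauth": False, "clientplaintextauth": False}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def load_global(text):
    """Return the [global] section as {normalized key: value}."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts["".join(key.lower().split())] = value.strip()
    return opts

def audit_auth(opts):
    """Classify each setting as 'ok', 'differs' or 'not set'."""
    report = {}
    for key, wanted in WANTED.items():
        value = opts.get(key)
        if value is None:
            report[key] = "not set"            # the build's default applies
        else:   # anything other than the wanted boolean counts as "differs"
            good = TRUE if wanted else FALSE
            report[key] = "ok" if value.lower() in good else "differs"
    return report

def spn_commands(opts, hostname):
    """One setspn command per NetBIOS alias (SPN syntax is class/host)."""
    aliases = opts.get("netbiosaliases", "").replace(",", " ").split()
    return [f"setspn -a HOST/{alias} {hostname}" for alias in aliases]

# Constructed sample configuration, not taken from the thread.
SAMPLE = """[global]
   netbios name = FILESRV1
   netbios aliases = clusterfs, archive
   lanman auth = No
   client NTLMv2 auth = Yes
   Client Lanman Auth = yes
; client plaintext auth is left unset here
"""

if __name__ == "__main__":
    opts = load_global(SAMPLE)
    print(audit_auth(opts))
    print("\n".join(spn_commands(opts, opts["netbiosname"])))
```

A setting reported as "not set" falls back to whatever default the installed Samba build uses, so check it against that version's smb.conf manual page.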