Solved

Can only access windows shares using hostnames or FQDN, cannot access using IP address of host.

Posted on 2011-03-10
5
6,314 Views
Last Modified: 2013-12-02
Hi,

I recently became the sysadmin at a company that had not previously had one. I inherited a situation where there were 2x 2008 (32bit/Standard) domain controllers, and one had a broken NIC. That had to be forcefully demoted. Over the last few weeks I've been migrating everything to 2008R2, but in some places I couldn't do a real migration and simply had to recreate the configuration. Just about everything works but I have a really bizarre network sharing issue.

Domain Controllers: 192.168.1.3, 192.168.1.4 - Shares can be browsed by IP or hostname.
NAS, Old windows server - Shares can be browsed by hostname or FQDN, but NOT IP.
Windows servers which has local user auth- Shares can be browsed by hostname or IP.

I will go through an example of this below:
NAS (192.168.1.55)

"ping NAS" returns "reply from 192.168.1.55"
"nslookup 192.168.1.55" returns "nas.local.domain"
"net use t: \\nas.local.domain\share" returns "The command completed successfully" (deleted after)
"net use t: \\192.168.1.55\share" returns "System error 233 has occurred. No process is on the other end of the pipe."

At first I thought this was specific to the NAS, but I've since learned that all older windows shares have this problem. New shares created under Vista and old shares that allowed local user authentication seem to work. New folders created on the NAS do not work either.

There is no firewall between devices suffering this issue. No windows firewalls enabled. I cannot at present use packet sniffers or port scanners. Ideas? Questions?
0
Comment
Question by:BSAFH
  • 4
5 Comments
 
LVL 6

Accepted Solution

by:
arunexp earned 500 total points
ID: 35104311
You could try changing the client authentication level to normal NTLM and NTLM..this can be done form registry..
we had similar issues when we rolled out w7.. we put packet sniffer and identified it as NAS issue and NAS vendor suggested code upgrade..
0
 

Author Comment

by:BSAFH
ID: 35105035
Unfortunately my working environment requires lots of security. I will see if I can free up a host for testing. Keep in mind, this doesn't just apply to the NAS. It also applies to Windows server hosts (2003, 2008). They're able to browse to their own IP, but other computers cant connect unless using the hostname.
0
 

Author Comment

by:BSAFH
ID: 35185940
I have new information, although it is a little late.
It turns out that each of the windows shares had a slightly different issue, most of them are taken care of. As it stands, only the NAS and 1 Windows Server host cannot be reached. Different reasons.

The NAS will work if I reset it to factory defaults (No AD) but stops immediately after joining the domain. I have therefore opened a case with the NAS vendor as this is likely an issue with their firmware. After doing a tcpdump of the communications with the NAS it looks like its running a linux kernel and samba for sharing.

The last windows host to have a problem, when I trace it it sets up an SMB session with dialect 2.002. The only descriptive packets I see are (poor formatting, copying from handwritten notes): Error Code 412 Status fs driver required ioctl, nt status system error code 34, status access denied tree connect. http response http 1.1 status not found url:/c$. nt status system error 13, status invalid parameter query information, nt status system system error code 94 status_no_logon_servers session setup. 22 status more processing required.

I'm ok with just blaming the nas vendor for that device, but the windows issue I should still be able to fix. It is running Windows Server 2008 Standard.
0
 

Author Closing Comment

by:BSAFH
ID: 35229274
Kerberos can't authenticate against IP, something to do with SPNs require a hostname. NTLMv2 apparently not supported in later versions of Samba or something, lots of NAS vendors use Samba. I haven't figured out yet why my 2008 box can't auth with my 2008r2 but it is probably something similar.
0
 

Author Comment

by:BSAFH
ID: 35229296
LM Compat has 5 levels. 2008R2 defaults to level 4 (NTLMv2 response only). Apparently a lot of NAS boxes use Samba, which has some sort of issue with newer versions of auth (ntlm2, kerberos). My NAS vendor recommended I swap to LM/NTLM send. Not going to happen, but that certainly makes it seem like that it what it is.

I read something about kerberos not being able to auth things on IP, it has to assign an SPN and it can't do that to an IP. My level is too low to get it all. I'm just writing this comment to condense some of my google searches into 1 result for future searchers.

You can modify your policy in secpol or group policy- local policies, security, network settings - network security: LAN Manager Authentication Level.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now