Solved

Can only access windows shares using hostnames or FQDN, cannot access using IP address of host.

Posted on 2011-03-10
Last Modified: 2013-12-02
Hi,

I recently became the sysadmin at a company that had not previously had one. I inherited a situation where there were 2x 2008 (32bit/Standard) domain controllers, and one had a broken NIC. That had to be forcefully demoted. Over the last few weeks I've been migrating everything to 2008R2, but in some places I couldn't do a real migration and simply had to recreate the configuration. Just about everything works but I have a really bizarre network sharing issue.

Domain Controllers: 192.168.1.3, 192.168.1.4 - Shares can be browsed by IP or hostname.
NAS, Old windows server - Shares can be browsed by hostname or FQDN, but NOT IP.
Windows servers which have local user auth - Shares can be browsed by hostname or IP.

I will go through an example of this below:
NAS (192.168.1.55)

"ping NAS" returns "reply from 192.168.1.55"
"nslookup 192.168.1.55" returns "nas.local.domain"
"net use t: \\nas.local.domain\share" returns "The command completed successfully" (deleted after)
"net use t: \\192.168.1.55\share" returns "System error 233 has occurred. No process is on the other end of the pipe."

At first I thought this was specific to the NAS, but I've since learned that all older windows shares have this problem. New shares created under Vista and old shares that allowed local user authentication seem to work. New folders created on the NAS do not work either.

There is no firewall between devices suffering this issue. No windows firewalls enabled. I cannot at present use packet sniffers or port scanners. Ideas? Questions?
Question by:BSAFH

Accepted Solution

by:
arunexp earned 500 total points
You could try changing the client authentication level to normal NTLM and NTLM. This can be done from the registry.
We had similar issues when we rolled out W7. We put a packet sniffer on it and identified it as a NAS issue, and the NAS vendor suggested a code upgrade.

Author Comment

by:BSAFH
Unfortunately my working environment requires lots of security. I will see if I can free up a host for testing. Keep in mind, this doesn't just apply to the NAS. It also applies to Windows Server hosts (2003, 2008). They're able to browse to their own IP, but other computers can't connect unless using the hostname.

Author Comment

by:BSAFH
I have new information, although it is a little late.
It turns out that each of the Windows shares had a slightly different issue; most of them are taken care of. As it stands, only the NAS and 1 Windows Server host cannot be reached, for different reasons.

The NAS will work if I reset it to factory defaults (no AD) but stops immediately after joining the domain. I have therefore opened a case with the NAS vendor as this is likely an issue with their firmware. After doing a tcpdump of the communications with the NAS it looks like it's running a Linux kernel and Samba for sharing.

The last windows host to have a problem, when I trace it it sets up an SMB session with dialect 2.002. The only descriptive packets I see are (poor formatting, copying from handwritten notes): Error Code 412 Status fs driver required ioctl, nt status system error code 34, status access denied tree connect. http response http 1.1 status not found url:/c$. nt status system error 13, status invalid parameter query information, nt status system system error code 94 status_no_logon_servers session setup. 22 status more processing required.

I'm OK with just blaming the NAS vendor for that device, but the Windows issue I should still be able to fix. It is running Windows Server 2008 Standard.

Author Closing Comment

by:BSAFH
Kerberos can't authenticate against an IP, something to do with SPNs requiring a hostname. NTLMv2 is apparently not supported in later versions of Samba or something; lots of NAS vendors use Samba. I haven't figured out yet why my 2008 box can't auth with my 2008R2 but it is probably something similar.

Author Comment

by:BSAFH
LM Compat has 5 levels. 2008R2 defaults to level 4 (NTLMv2 response only). Apparently a lot of NAS boxes use Samba, which has some sort of issue with newer versions of auth (NTLM2, Kerberos). My NAS vendor recommended I swap to LM/NTLM send. Not going to happen, but that certainly makes it seem like that is what it is.

I read something about Kerberos not being able to auth things on IP; it has to assign an SPN and it can't do that to an IP. My level is too low to get it all. I'm just writing this comment to condense some of my Google searches into 1 result for future searchers.

You can modify your policy in secpol or Group Policy - Local Policies, Security, Network Settings - Network security: LAN Manager Authentication Level.
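
An added example, not code from any poster in this thread: PowerShell that reads the client's `LmCompatibilityLevel` and reports, for the two `net use` targets from the question, whether the client can request a Kerberos ticket or goes straight to NTLM. The function names are hypothetical; the registry location and level descriptions are the standard ones behind the "LAN Manager authentication level" policy.

```powershell
# Added example: which authentication will this client attempt for a UNC target?
# Function names are hypothetical; the registry path and value name are the
# standard location behind "Network security: LAN Manager authentication level".
$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns $null when the value is absent and the OS default applies.
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $prop = $lsa.PSObject.Properties['LmCompatibilityLevel']
    if ($null -eq $prop) { return $null }
    return [int]$prop.Value
}

function Get-UncAuthExpectation {
    param([Parameter(Mandatory)][string]$UncPath, $Level)
    if ($UncPath -notmatch '^\\\\(?<server>[^\\]+)\\(?<share>[^\\]+)') {
        throw "Not a UNC path: $UncPath"
    }
    $server = $Matches['server']
    $addr   = $null
    # An IP literal has no SPN, so by default no Kerberos ticket is requested
    # and the session setup goes straight to NTLM.
    $isIp = [System.Net.IPAddress]::TryParse($server, [ref]$addr)
    # Levels 0-2 send LM and/or NTLM responses; 3 and above send NTLMv2 only.
    $ntlm = 'per OS default'
    if ($null -ne $Level) { $ntlm = if ($Level -ge 3) { 'NTLMv2 only' } else { 'LM and/or NTLM' } }
    [pscustomobject]@{
        Target       = $UncPath
        IsIpLiteral  = $isIp
        KerberosSpn  = if ($isIp) { '(none)' } else { "cifs/$server" }
        FirstAttempt = if ($isIp) { 'NTLM' } else { 'Kerberos, NTLM on failure' }
        NtlmResponse = $ntlm
    }
}

$level = Get-LmCompatibilityLevel
if ($null -eq $level) { 'LmCompatibilityLevel: not set (OS default applies)' } else { "LmCompatibilityLevel: $level = $($LmLevels[$level])" }

# The two targets from the question.
'\\nas.local.domain\share', '\\192.168.1.55\share' |
    ForEach-Object { Get-UncAuthExpectation -UncPath $_ -Level $level } |
    Format-List
```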