Domain UPN/SAM authenticating

Status
Not open for further replies.

Arara

Cadet
Joined
Jan 28, 2017
Messages
3
Hello everyone. I've been around this forum for a while, looking for answers and solving my issues, but this one baffled me.

I set up a FreeNAS server with AD and SMB shares. Users authenticate fine with user@domain.com (UPN) when connecting to the share using the full name hostname.domain.com.

However, some users have problems: they can authenticate to neither the IP address, the hostname nor the FQDN using UPN, only using SAM style DOMAIN/User. These users are on another subnet, and some are connected through OpenVPN links.

This problem does NOT happen to users through another point-to-point VPN, users that use macOS, nor to users within the domain but on the same subnet as others having problems. Users outside the domain, and in another subnet, can use UPN to connect if the attempt is to authenticate to the share using the FQDN address, NOT the IP address.

I get that this seems like a DNS problem, but setting up reverse DNS zones had no effect. From this entry in the log I get that Windows is not passing the domain appropriately, and no wonder FreeNAS cannot authenticate:


[2017/01/28 17:56:48.858929, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[user@domain.com] domain=[] workstation=[computer] len1=24 len2=244


Does anyone have any insights as to why this is happening?
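
Added example, not part of the original post: a small Python parser for the `ntlmssp_server_preauth` log entries quoted above, which reports which workstations send a UPN-style user name with an empty domain field. The sample log is constructed (only its first entry is the one from the post), and the function names and style labels are hypothetical.

```python
import re
from collections import defaultdict

# Entry layout taken from the log lines quoted in the post: a header line,
# then a "Got user=[...] domain=[...] workstation=[...]" message line.
ANY_HEADER = re.compile(r"^\[\d{4}/\d{2}/\d{2} ")
PREAUTH = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\]\s+\S*ntlmssp_server\.c:\d+"
                     r"\(ntlmssp_server_preauth\)")
GOT = re.compile(r"Got user=\[(?P<user>[^\]]*)\] domain=\[(?P<domain>[^\]]*)\] "
                 r"workstation=\[(?P<ws>[^\]]*)\]")

def classify(user, domain):
    """Label how the client presented the identity (labels are hypothetical)."""
    if "@" in user:
        return "upn-with-domain" if domain else "upn-empty-domain"
    return "sam" if domain else "bare-user"

def parse_preauth(lines):
    """Yield one dict per preauth entry, pairing each header with its message."""
    ts = None
    for raw in lines:
        line = raw.strip()
        if ANY_HEADER.match(line):          # a new entry starts here
            m = PREAUTH.match(line)
            ts = m.group("ts") if m else None
            continue
        g = GOT.search(line)
        if g and ts:
            yield {"ts": ts, "user": g["user"], "domain": g["domain"],
                   "workstation": g["ws"],
                   "style": classify(g["user"], g["domain"])}
            ts = None

def workstations_by_style(entries):
    """Group workstation names by identity style, to compare affected clients."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["style"]].add(e["workstation"])
    return {style: sorted(ws) for style, ws in groups.items()}

# Constructed sample: the first entry is from the post, the rest are made up.
SAMPLE = """\
[2017/01/28 17:56:48.858929, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[user@domain.com] domain=[] workstation=[computer] len1=24 len2=244
[2017/01/28 17:57:10.000000, 3] ../constructed/other.c:1(other_function)
unrelated message
[2017/01/28 17:58:02.000000, 3] ../auth/ntlmssp/ntlmssp_server.c:452(ntlmssp_server_preauth)
Got user=[user] domain=[DOMAIN] workstation=[computer2] len1=24 len2=244
"""

if __name__ == "__main__":
    print(workstations_by_style(parse_preauth(SAMPLE.splitlines())))
```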
 
dlavigne

Guest
If you don't get an answer here, it is worthwhile to create a ticket at bugs.freenas.org that contains a debug (from System -> Advanced -> Save Debug). While the ticket has the debug, it will be marked as private and the dev can delete the debug once he has the information needed and mark the ticket public so others can see the resolution. If you make a ticket, please post the # here.
 