samba - Sep 2016 - Samba Member NT_STATUS_NETWORK_SESSION_EXPIRED

On Fri, 30 Sep 2016 12:24:25 +0200
Oliver Werner via samba <samba at lists.samba.org> wrote:
> Hi Louis,
> 
> i have checked my /var/tmp
> 
> But there is nothing like host_ or other for kerberos inside.
> 
> ls -lisa /var/tmp/
>  2  4 drwxrwxrwt  3 root root  4096 Sep 25 08:39 .
>  2  4 drwxr-xr-x 13 root root  4096 Jun 20  2013 ..
> 11 16 drwx------  2 root root 16384 Aug  9  2012 lost+found
> 
> 
> In /tmp i can see  4 krb5cc files for users there has used kerberos
> on this member. So this look ok between Client and Fileserver. But
> not between Member an DC
> 
> For recreate keytab i can use this manual?
> https://wiki.samba.org/index.php/Generating_Keytabs
> <https://wiki.samba.org/index.php/Generating_Keytabs>
> 
> 
If need be yes, but joining the domain should recreate the keytab for
you, provided you ensure there isn't an existing one before the join.

What OS's are you using ?

Please post the smb.conf from the DC and domain member.

Rowland

Ok now i have leave and join the Domain with my member (Debian 8 - Samba 4.5.0
deb-pkg)

smb.conf DCs (i have two):

[global]
	workgroup = HQKONTRAST
	realm = HQ.KONTRAST
	netbios name = VL0227
	interfaces = eth0:35
   	bind interfaces only = yes
	server role = active directory domain controller
	idmap_ldb:use rfc2307 = yes

	ldap server require strong auth = no
	ntlm auth = yes

   	# Debug logging information
   	log level = 3
   	log file = /var/log/samba/samba.log.debug

	tls enabled  = yes
	tls keyfile  = /var/lib/samba/private/tls/key.pem
	tls certfile = /var/lib/samba/private/tls/cert.pem
	tls cafile   = /var/lib/samba/private/tls/ca.pem

[netlogon]
	path = /var/lib/samba/sysvol/hq.kontrast/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

member smb.conf:

[global]
       netbios name = PL0024
       security = ADS
       workgroup = HQKONTRAST
       realm = HQ.KONTRAST

       log file = /var/log/samba/%m.log
       log level = 3 passdb:5 auth:10 winbind:10

       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab

       winbind trusted domains only = no
       winbind use default domain = yes
       winbind enum users  = yes
       winbind enum groups = yes
       winbind cache time = 300
       winbind refresh tickets = yes

       # Default idmap config used for BUILTIN and local accounts/groups
       idmap config *:backend = tdb
       idmap config *:range = 500-1023

       # idmap config for domain HQKONTRAST
       idmap config HQKONTRAST:backend = ad
       idmap config HQKONTRAST:schema_mode = rfc2307
       idmap config HQKONTRAST:range = 1024-99999

       # Use settings from AD for login shell and home directory
       winbind nss info = rfc2307

[Archiv]
	path = /daten/archiv
	browseable = yes
	writeable = no
	valid users = @Kontrast_Intern

krb.conf on all Sambas:

[libdefaults]
   default_realm = HQ.KONTRAST
   dns_lookup_realm = false
   dns_lookup_kdc = true


OLIVER WERNER
Systemadministrator

> Am 30.09.2016 um 12:46 schrieb Rowland Penny <rpenny at samba.org>:
> 
> On Fri, 30 Sep 2016 12:24:25 +0200
> Oliver Werner via samba <samba at lists.samba.org <mailto:samba at
lists.samba.org>> wrote:
> 
>> Hi Louis,
>> 
>> i have checked my /var/tmp
>> 
>> But there is nothing like host_ or other for kerberos inside.
>> 
>> ls -lisa /var/tmp/
>> 2  4 drwxrwxrwt  3 root root  4096 Sep 25 08:39 .
>> 2  4 drwxr-xr-x 13 root root  4096 Jun 20  2013 ..
>> 11 16 drwx------  2 root root 16384 Aug  9  2012 lost+found
>> 
>> 
>> In /tmp i can see  4 krb5cc files for users there has used kerberos
>> on this member. So this look ok between Client and Fileserver. But
>> not between Member an DC
>> 
>> For recreate keytab i can use this manual?
>> https://wiki.samba.org/index.php/Generating_Keytabs
>> <https://wiki.samba.org/index.php/Generating_Keytabs>
>> 
>> 
> 
> If need be yes, but joining the domain should recreate the keytab for
> you, provided you ensure there isn't an existing one before the join.
> 
> What OS's are you using ?
> 
> Please post the smb.conf from the DC and domain member.
> 
> Rowland

the interface part is ok. eth0 has another IP as eth0:35

DCs show me the profiles

unix authentication
register user session in the systemd….
inheritable capabilities management
OLIVER WERNER
Systemadministrator



 

Kontrast Communication Services GmbH 
Grafenberger Allee 100, 40237 Düsseldorf, Germany

Fon  +49-211-91505-500
Fax  +49-211-91505-530
www.kontrast.de <http://www.kontrast.de/>

Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist 

 <https://www.facebook.com/kontrast.communication>    
<https://twitter.com/KONTRAST_de>    
<http://www.xing.com/companies/kontrastcommunicationservicesgmbh>    
<http://www.linkedin.com/company/kontrast-communication-services-gmbh>    
<https://vimeo.com/kontrastcs>    
<http://instagram.com/kontrast_de>

Note: The information contained in this message may be privileged and
confidential and protected from disclosure. If the reader of this message is not
the intended recipient, or an employee or agent responsible for delivering this
message to the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication is strictly
prohibited. If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.

Please consider the environment and only print this if required.

> Am 30.09.2016 um 13:14 schrieb Rowland Penny <rpenny at samba.org>:
> 
> On Fri, 30 Sep 2016 13:01:35 +0200
> Oliver Werner <oliver.werner at kontrast.de <mailto:oliver.werner at
kontrast.de>> wrote:
> 
>> Ok now i have leave and join the Domain with my member (Debian 8 -
>> Samba 4.5.0 deb-pkg)
>> 
>> smb.conf DCs (i have two):
>> 
>> [global]
>> 	workgroup = HQKONTRAST
>> 	realm = HQ.KONTRAST
>> 	netbios name = VL0227
>> 	interfaces = eth0:35
>>   	bind interfaces only = yes
>> 	server role = active directory domain controller
>> 	idmap_ldb:use rfc2307 = yes
>> 
>> 	ldap server require strong auth = no
>> 	ntlm auth = yes
>> 
>>   	# Debug logging information
>>   	log level = 3
>>   	log file = /var/log/samba/samba.log.debug
>> 
>> 	tls enabled  = yes
>> 	tls keyfile  = /var/lib/samba/private/tls/key.pem
>> 	tls certfile = /var/lib/samba/private/tls/cert.pem
>> 	tls cafile   = /var/lib/samba/private/tls/ca.pem
>> 
>> [netlogon]
>> 	path = /var/lib/samba/sysvol/hq.kontrast/scripts
>> 	read only = No
>> 
>> [sysvol]
>> 	path = /var/lib/samba/sysvol
>> 	read only = No
>> 
>> member smb.conf:
>> 
>> [global]
>>       netbios name = PL0024
>>       security = ADS
>>       workgroup = HQKONTRAST
>>       realm = HQ.KONTRAST
>> 
>>       log file = /var/log/samba/%m.log
>>       log level = 3 passdb:5 auth:10 winbind:10
>> 
>>       dedicated keytab file = /etc/krb5.keytab
>>       kerberos method = secrets and keytab
>> 
>>       winbind trusted domains only = no
>>       winbind use default domain = yes
>>       winbind enum users  = yes
>>       winbind enum groups = yes
>>       winbind cache time = 300
>>       winbind refresh tickets = yes
>> 
>>       # Default idmap config used for BUILTIN and local
>> accounts/groups idmap config *:backend = tdb
>>       idmap config *:range = 500-1023
>> 
>>       # idmap config for domain HQKONTRAST
>>       idmap config HQKONTRAST:backend = ad
>>       idmap config HQKONTRAST:schema_mode = rfc2307
>>       idmap config HQKONTRAST:range = 1024-99999
>> 
>>       # Use settings from AD for login shell and home directory
>>       winbind nss info = rfc2307
>> 
>> [Archiv]
>> 	path = /daten/archiv
>> 	browseable = yes
>> 	writeable = no
>> 	valid users = @Kontrast_Intern
>> 
>> krb.conf on all Sambas:
>> 
>> [libdefaults]
>>   default_realm = HQ.KONTRAST
>>   dns_lookup_realm = false
>>   dns_lookup_kdc = true
>> 
> 
> About the only thing I can see possibly wrong is this in the DC
> smb.conf:
> 
> 	interfaces = eth0:35
> 
> I would expect just 'eth0'
> 
> What PAM profiles does 'pam-auth-update' show as enabled ?
> 
> Rowland

On Fri, 30 Sep 2016 13:32:18 +0200
Oliver Werner <oliver.werner at kontrast.de> wrote:
> the interface part is ok. eth0 has another IP as eth0:35
> 
> DCs show me the profiles
> 
> unix authentication
> register user session in the systemd….
> inheritable capabilities management
> OLIVER WERNER
> Systemadministrator
> 
I use Devuan and I get:

Kerberos authentication
Unix authentication
Winbind NT/Active Directory authentication
GNOME Keyring Daemon - Login keyring management
ConsoleKit Session Management
Inheritable Capabilities Management


Ignore the last three.

You are only using Unix authentication on your domain member and as
you have compiled Samba yourself, you cannot install the distro
packages to fix the winbind part.

First install libpam-krb5, then create a
file:   /usr/share/pam-configs/winbind

containing this:

Name: Winbind NT/Active Directory authentication
Default: yes
Priority: 192
Auth-Type: Primary
Auth:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE
cached_login try_first_pass
Auth-Initial:
	[success=end default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE
cached_login
Account-Type: Primary
Account:
	[success=end new_authtok_reqd=done default=ignore]	pam_winbind.so
Password-Type: Primary
Password:
	[success=end default=ignore]	pam_winbind.so use_authtok try_first_pass
Password-Initial:
	[success=end default=ignore]	pam_winbind.so
Session-Type: Additional
Session:
	optional			pam_winbind.so

run 'pam-auth-update' again

Did you create the libnss_win* links ?

Do you require your users to have home directories on the domain
member ?

Rowland