Kontrol-Suporte
2018-Jun-22 22:25 UTC
[Samba] use spnego question - samba 47 to samba48 migration
Hello Everyone,

Good evening!

Here is the background:

I am moving from samba47 to samba48 - I am keeping my existing scripts and config files.

The messages below are now appearing while executing some tasks in samba48 only - samba47 is not showing it:

#Unknown parameter encountered: "use spnego"
#Ignoring unknown parameter "use spnego"
#Unknown parameter encountered: "use spnego"
#Ignoring unknown parameter "use spnego"

Question: is "use spnego" deprecated for samba48? If so, what is replacing it?

Here is my smb4.conf file:

###############################

[global]
    workgroup = MYDOMAIN
    map to guest = never
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = no
    client NTLMv2 auth = yes
    client lanman auth = no
    client plaintext auth = no
    use spnego = yes
    client use spnego = yes
    min protocol = LANMAN2
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    realm = MYDOMAIN.CORP
    security = ads
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind offline logon = yes
    winbind refresh tickets = yes
    winbind enum users = yes
    winbind enum groups = yes
    winbind nested groups = yes
    winbind use default domain = yes
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=16384 SO_SNDBUF=16384
    log level = 3 passdb:5 winbind:3
    usershare allow guests = no
    printcap name = /dev/null
    load printers = no
    printing = bsd
    local master = no
    kerberos method = secrets and keytab
    winbind refresh tickets = yes

[homes]
    comment = Home Directories
    valid users = %s, %D%W%S
    browseable = no
    read only = no
    inherit acls = yes

###############################

Thanks Much!

Fabricio.
Elias Pereira
2018-Jun-23 02:22 UTC
[Samba] use spnego question - samba 47 to samba48 migration
In a shell execute:

# testparm -v | grep spnego

You will see 2 possibilities.

client use spnego principal = no
client use spnego = yes

I believe that's the 2nd option. :)

On Fri, Jun 22, 2018 at 7:51 PM Kontrol-Suporte via samba <samba at lists.samba.org> wrote:
> The messages below are now appearing while executing some tasks in samba48 only - samba47 is not showing it:
>
> #Unknown parameter encountered: "use spnego"
> #Ignoring unknown parameter "use spnego"
>
> Question: is the "use spnego" deprecated for samba48? If so, what is replacing it?
>
> use spnego = yes
> client use spnego = yes

-- 
Elias Pereira
Andrew Bartlett
2018-Jun-23 03:00 UTC
[Samba] use spnego question - samba 47 to samba48 migration
On Fri, 2018-06-22 at 19:25 -0300, Kontrol-Suporte via samba wrote:
> The messages below are now appearing while executing some tasks in samba48 only - samba47 is not showing it:
>
> #Unknown parameter encountered: "use spnego"
> #Ignoring unknown parameter "use spnego"
>
> use spnego = yes

No change is required, yes is now the enforced default.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Rowland Penny
2018-Jun-23 11:12 UTC
[Samba] use spnego question - samba 47 to samba48 migration
On Fri, 22 Jun 2018 19:25:11 -0300 Kontrol-Suporte via samba <samba at lists.samba.org> wrote:
> #Unknown parameter encountered: "use spnego"
> #Ignoring unknown parameter "use spnego"
>
> Question: is the "use spnego" deprecated for samba48? If so, what is replacing it?
>
> use spnego = yes

OK, you have multiple default lines in your smb.conf, these are:

    map to guest = never
    usershare allow guests = no
    client NTLMv2 auth = yes
    client lanman auth = no
    client plaintext auth = no
    client use spnego = yes
    template homedir = /home/%D/%U
    winbind nested groups = yes
    encrypt passwords = yes
    usershare allow guests = no

You might as well remove them.

The following lines are not much use in a Unix domain member smb.conf, they don't work with AD:

    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:

So you might as well remove them as well.

These two lines slow things down and are not actually needed:

    winbind enum users = yes
    winbind enum groups = yes

You might as well remove them as well.

'use spnego' was removed at 4.8.0, so you must remove this line.

You should also remove the 'socket options' line, you should let your kernel sort this for you.

Finally 'idmap gid' and 'idmap uid' have been deprecated for quite some time and have been replaced by 'idmap config' lines, so with all the removals etc, can I suggest you try this smb.conf:

[global]
    workgroup = MYDOMAIN
    realm = MYDOMAIN.CORP
    security = ads
    min protocol = LANMAN2 # Do you really need this?
    idmap config * : backend = tdb
    idmap config * : range = 2000-9999
    idmap config MYDOMAIN : backend = rid
    idmap config MYDOMAIN : range = 10000-20000
    template shell = /bin/bash
    winbind offline logon = yes
    winbind refresh tickets = yes
    winbind use default domain = yes
    log level = 3 passdb:5 winbind:3
    printcap name = /dev/null
    load printers = no
    printing = bsd
    local master = no
    kerberos method = secrets and keytab

[homes]
    comment = Home Directories
    valid users = %s, %D%W%S
    browseable = no
    read only = no
    inherit acls = yes

Rowland
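One way to turn the checklist in the reply above into a repeatable pre-migration check, as an added example that is not Samba's code and was not posted in this thread: a small lint that parses an smb.conf and flags the removed 'use spnego' line, the deprecated 'idmap uid'/'idmap gid' lines, lines that only restate defaults, keys set twice, and 'idmap config' ranges that overlap. The default-value table and the sample config excerpt come from the messages above; the parser's key normalisation is an assumption about how loadparm treats keys, not a copy of it.

```python
"""Lint an smb.conf for the 4.7 -> 4.8 domain-member migration discussed above
(added example, not Samba's code; the rule tables encode this thread's advice)."""
import re
from collections import defaultdict
REMOVED = {"use spnego": "removed at 4.8.0; SPNEGO is now always on"}
DEPRECATED = dict.fromkeys(("idmap uid", "idmap gid"), "replaced by 'idmap config DOMAIN : range'")
DEFAULTS = {  # lines that merely restate compiled-in defaults (Rowland's list above)
    "map to guest": "never", "usershare allow guests": "no",
    "client ntlmv2 auth": "yes", "client lanman auth": "no",
    "client plaintext auth": "no", "client use spnego": "yes",
    "template homedir": "/home/%D/%U", "winbind nested groups": "yes",
    "encrypt passwords": "yes"}


def parse_smbconf(text):
    """{section: [(key, value), ...]}, keys lower-cased/whitespace-collapsed as
    loadparm does (assumption); smb.conf has only whole-line '#' / ';' comments."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((" ".join(key.split()).lower(), value.strip()))
    return dict(sections)


def is_default(key, value):
    d = DEFAULTS.get(key)  # booleans compare case-insensitively, paths exactly
    return d is not None and (
        value == d or (d in ("yes", "no", "never") and value.lower() == d))


def idmap_overlaps(params):
    """Pairs of idmap domains whose 'idmap config DOM : range' values overlap."""
    r = {}
    for key, value in params:
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m:
            r[m.group(1)] = tuple(int(x) for x in value.split("-"))
    names = sorted(r)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if r[a][0] <= r[b][1] and r[b][0] <= r[a][1]]


def lint(text):
    """Sorted, de-duplicated (severity, key, message) findings for one smb.conf."""
    findings = set()
    for section, params in parse_smbconf(text).items():
        count = defaultdict(int)
        for key, value in params:
            count[key] += 1
            if key in REMOVED:
                findings.add(("error", key, REMOVED[key]))
            elif key in DEPRECATED:
                findings.add(("warn", key, DEPRECATED[key]))
            elif is_default(key, value):
                findings.add(("info", key, "restates the default; drop it"))
        for key, n in count.items():
            if n > 1:
                findings.add(("warn", key, f"set {n} times in [{section}]"))
        for a, b in idmap_overlaps(params):
            findings.add(("error", f"idmap config {a} / {b}", "ID ranges overlap"))
    return sorted(findings)


# Constructed excerpt of the poster's [global] section, keeping its duplicated line.
POSTER_CONF = """[global]
    map to guest = never
    use spnego = yes
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    usershare allow guests = no
    usershare allow guests = no"""
IDMAP_OK = (  # Rowland's replacement idmap lines from the reply above
    "[global]\nidmap config * : range = 2000-9999\n"
    "idmap config MYDOMAIN : range = 10000-20000")
```

Calling lint(POSTER_CONF) yields the error for 'use spnego', the two idmap deprecations, two default-restating lines and the doubled 'usershare allow guests'; lint(IDMAP_OK) is empty because the two ranges do not overlap.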
Kontrol-Suporte
2018-Jun-23 18:42 UTC
[Samba] use spnego question - samba 47 to samba48 migration
Thanks everyone who replied to this thread.

I will try the new settings ASAP!

Thanks once again!

Fabricio.

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Saturday, June 23, 2018 8:13 AM
To: samba at lists.samba.org
Subject: Re: [Samba] use spnego question - samba 47 to samba48 migration
Kontrol-Suporte
2018-Jun-23 20:04 UTC
[Samba] use spnego question - samba 47 to samba48 migration
Hello Gentlemen.

OK, tests were made. I got some errors only when using Samba48 (samba47 is still fine).

IMPORTANT: I forgot to mention... This is being used with SQUID Proxy for SSO authentication.

Got NTLMSSP neg_flags=0xa2088207
Got user=[user01] domain=[MYDOMAIN] workstation=[ADCONTROL01] len1=24 len2=338
Login for user [MYDOMAIN]\[user01]@[ ADCONTROL01] failed due to [{Access Denied} A process has requested access to an object but has not been granted those access rights.]
GENSEC login failed: NT_STATUS_ACCESS_DENIED

I tried the new settings as suggested and also partial changes. Both are presenting the same behaviour.

Nothing was changed on the AD side.

I also re-checked the permissions/ownership on the "/var/db/samba4/winbindd_privileged" folder which is used by SQUID.

To Rowland: You asked if I really need the "min protocol = LANMAN2" option. Well, the idea was to enforce a minimum security level.

Any help will be very appreciated.

Regards
Fabricio.

-----Original Message-----
From: Kontrol-Suporte <suporte at kontrolsecurity.com.br>
Sent: Saturday, June 23, 2018 3:42 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: RE: [Samba] use spnego question - samba 47 to samba48 migration
Kontrol-Suporte
2018-Jun-23 21:21 UTC
[Samba] use spnego question - samba 47 to samba48 migration
In Time.

Checking the services, folders and permissions, it seems samba48 does not follow exactly the same model as samba47.

When restarting samba47 by using "/usr/local/etc/rc.d/samba_server restart" I could see all three services being restarted (smbd, nmbd and winbind).

Now restarting samba48 I can see 2 services only (smbd and nmbd); the Winbind seems to be separated. I could not find any entry for a winbind service restart under "rc.d/".

It's important to say that the authentication is working fine with Kerberos/tickets - NTLM is the only one failing.

Thanks,
Fabricio.

-----Original Message-----
From: Kontrol-Suporte <suporte at kontrolsecurity.com.br>
Sent: Saturday, June 23, 2018 5:05 PM
To: 'samba at lists.samba.org' <samba at lists.samba.org>
Subject: RE: [Samba] use spnego question - samba 47 to samba48 migration